false positives on wikipedia for cross-site scripting attacks

Ask for help about NoScript, no registration needed to post
zoop

false positives on wikipedia for cross-site scripting attacks

Post by zoop »

Hi,

When I try to visit a wikipedia page whose title contains points and parenthesis, NoScript incorrectly detects it as a cross-site scripting attack and asks me if I want to block the request, allow it, etc. This is quite annoying.

Example: https://en.wikipedia.org/wiki/R.S.V.P._(2002_film)

I hesitate to always allow requests relative to wikipedia, but I wonder if it may create potential security risks for me, and anyway it's still an annoying bug for other people who may stumble on this issue.

Firefox version: 110.0.1. NoScript version: 11.4.18.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
zoop2

Re: false positives on wikipedia for cross-site scripting attacks

Post by zoop2 »

To be clear, after several trials, this doesn't seem to happen systematically, but exactly once out of two times, which is super weird.

In particular, it seems to happen when I open a new tab in Firefox, type in or copy-paste a wikipedia URL whose title contains points and parenthesis, and then try to visit this URL. One out of two times everything works fine without security warning, but if I open a new tab and repeat the process, then I get the security warning about cross-site scripting.

I deactivated all other installed extensions, the problem persists; so it definitely seems to come from NoScript. Thanks,
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
zoop2

Re: false positives on wikipedia for cross-site scripting attacks

Post by zoop2 »

And of course, the example I previously gave now doesn't throw the warning and works fine everytime, so here's another example where the issue still appears: https://en.wikipedia.org/wiki/M.A.S.H._(1970)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: false positives on wikipedia for cross-site scripting attacks

Post by barbaz »

Since Giorgio hasn't commented yet, just chiming in to say that I can reproduce this. Except in my case it's not 1 out of 2, it seems randomly intermittent.

That there is any intermittence at all makes no sense. Either a URL is an XSS attempt or it's not, no? The only thing I can think would vary whether the filter would trip for a given URL is NoScript permissions for the target site, but I wasn't changing permissions between when the warning trip and when it doesn't.

The STR that most consistently reproduces the XSS warning for me is:

1) fresh start of Firefox

2) open the Wikipedia link in the OP in a new tab by drag&drop

3) close the wikipedia tab

4) open the wikipedia link from the post immediately above this one in a new tab by drag&drop

These steps seem to apply both in my main profile & in a new, clean profile.

Firefox 111.0rc2, NoScript 11.4.18rc1 here.

EDIT To be clear, when I say "drag&drop", I'm running multiple simultaneous instances of Firefox & had this topic open in a separate Firefox instance, completely separate from the instance in which was attempting to reproduce the issue.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
BardRT

Re: false positives on wikipedia for cross-site scripting attacks

Post by BardRT »

I just got this for https://en.wikipedia.org/wiki/USS_Willi ... kin=vector

I got it from clicking the wikipedia link after a google search.

Without knowing and assuming it was some garbage google was tagging on to their intermediate URL, I opened just the above URL in a new tab and got the same XSS warning.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: false positives on wikipedia for cross-site scripting attacks

Post by barbaz »

kwiniec, this thread is about NoScript Webext. You are using NoScript Classic, which does not have the same XSS filter as NoScript Webext. Split your post to viewtopic.php?t=26985 so the two issues can get independent attention.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Post Reply