[FIXED] Ebay us uk au Paypal checkout xss warning

[Rom623]

Giorgio, Noscript team.

Thank you for your personal time and technical skills which in turn help secure the online life of a much thankful user base.

"Windows10, Firefox 114.1, "Noscript 11.4.22". All relevant Ebay and Paypal domains were set to trusted / whitelisted. No other plugins enabled or in use.

For some weeks now I have been experiencing / receiving XSS warnings on Ebay AU when attempting to hit the checkout button. The cursor just spins until a Noscript xss warning popup appears, indicating the possibility of a potential cross site scripting attack from "https://pay.ebay.com.au" to "https://paypal.com". As such, I'm unwilling to complete the checkout, adhering the warning.

It's evident from a little web searching that other Noscript users from across Ebay US, UK & AU domains are all experiencing the exact xss cross-site-script warning.

Here's a recent post from Ebay UK forum, dated this month with an image of the exact error.
https://community.ebay.co.uk/t5/Technic ... -p/7432023

Seems others have been experiencing the issue on the Ebay US site using Noscript 11.4.16.
https://www.dslreports.com/forum/r33612 ... -Feb-13-23

It's evident from these posts Ebay will not investigate the issue, noting the third party plugins is more likely the cause of the PayPal issue and thus the xss issue.

It would be greatly appreciated if anyone in your team could attempt to replicate this exact issue. In order to understand whether the warning is benign, thus can be ignored, or alternatively, is a valid xss cross-site issue that needs reporting.

Looking forward to your valued assistance and a way forward to help diagnose and rectify this issue for myself and many others.

Due to ongoing commitments I do not have unlimited online access, so I will logon again when I'm able....

Many thanks in advance for your valued time and assistance.

Best Regards.

[barbaz]

Sorry but we can't specifically set out attempting to replicate issues that require login & payment. However we maybe able to help if you or someone else affected provides more information about this XSS warning. As a start, could you please share copy-paste of the full "Suspicious data" in the XSS warning dialog?

[Rom623]

Apologies for omitting this from my original forum post. Typed out the "EXACT" NoScript XSS Suspicious Warning a few days back, left out portions of the token and metadata references.

Code: Select all

NoScript detected a potential Cross-site Scripting attack
from https://pay.ebay.com.au to https://www.paypal.com.
Suspicious data"
(URL) https://www.paypal.com/checkoutnow?token=4876xxxxxxxxFxxxx&local.x=en_AU&
client-metadata=-id=Mxxxxxxxxxx6xxw&native_xo=1&redirect_uri=https://pay.ebay.com.au/rxo?eBayParams=
{{{TCM1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}}}

This is the "IDENTICAL" Noscript XSS Suspicious Warning" uploaded and posted by another NoScript user on the Ebay UK forum last week. Image JPG is down the bottom of the post:

https://community.ebay.co.uk/t5/Technic ... t-id=80511

I do not have access to Ebay at this time, though if you need further clarification I can replicate the warning, snip the image and upload for your assessment. Though the warning is identical to that aforementioned above.

Appreciate your time.

[barbaz]

Thanks.

None of what you posted looks like XSS. If you still have the exact values you censored in your post, please try opening Web Console (Ctrl-Shift-K) on any benign page (e.g. the Firefox new tab page), and run this code substituting the real value

Code: Select all

atob(decodeURIComponent('TCM1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'));

I tried this with the visible portion of this parameter from the other user's screenshot, and got

Code: Select all

action=confirm&sessionid=xxxxxxxxxxxxx&paymentInstr

Which if it were complete would make this XSS warning a false positive, but having complete information is needed to be sure.

(sessionid value was a sequence of digits interspersed with the character p, doesn't look like XSS, so feel free to omit yours)

[Rom623]

Greetings barbaz,

Appreciate your valued assistance.

I'm external to home at the moment helping out friends.
Soon as I'm able over the next day, sooner if I can, I'll post my results for your technical interpretation.

Thank you again. Speak soon.

[ROM623]

Greetings barbaz,
As quick courtesy to let you know I have been personally delayed in travel by a few days. Life is indeed dynamic.....
Will post my findings as soon as a I'm able.

Thank you again for your understanding and time.

[barbaz]

Greetings barbaz,
As quick courtesy to let you know I have been personally delayed in travel by a few days. Life is indeed dynamic.....
Will post my findings as soon as a I'm able.

Thank you again for your understanding and time.

No worries. We "green users" are all unpaid volunteers doing support here in our spare time, we understand life getting in the way of doing stuff here, it has happened to us too. See you when you're able to continue

[Dee3]

Hello, I'm the eBay member the original poster quoted from the eBayUK community forum, I happened across this thread while googling for any info I could find on the problem. If you look at my thread over there again, you can see there hasn't been any interest from eBay community staff, just a couple of regular users who don't understand the issue.

Is there any info I can give you to help you look into this? Am hoping it's a false positive, as there are things I really need to buy on eBay but don't dare at the moment!

Thank you for a great browser extension I've been using for years with no problems until this eBay situation, which started on the May 1 2023 bank holiday weekend and has persisted ever since.

ETA: I tried the code you suggested to the above poster and am trying to post the results but I keep getting "Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry."

ETA2: Can't get past the spam filter. Trying a screenshot instead:

[barbaz]

Thanks Dee3 for the info. If the x'd out "paymentInstrumentId" value is indeed all numbers, this XSS warning is a false positive.

Normally we would recommend using "Allow this request" while waiting for Giorgio to get to this, but in this specific case I think it is safe to "Always allow document requests".

[Dee3]

Thank you for the quick reply! The paymentinstrumentid is NOT all numbers, it's a mixture of numbers and letters (and not hexadecimal numbers, it contains letters P and R), so that may be worrying?

[barbaz]

Unfortunately that is not enough information to be sure.

While trying to figure out a way we can further investigate this without sending me/us the exact value (which searching suggests is likely a unique identifier of your account you're paying with), I found that NoScript logs more details about XSS warnings to
about:debugging > This Firefox > NoScript > Inspect > Console

so ran some tests, including

Code: Select all

http://127.0.0.1/?token=4876xxxxxxxxFxxxx&local.x=en_AU&client-metadata-id=Mxxxxxxxxxx6xxw&native_xo=1&redirect_uri=https://pay.ebay.com.au/rxo?eBayParams={{{TCM1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}}}

and got this

Code: Select all

[NoScript] [InjectionChecker]  Attributes injection:
{{{TCM1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}}}
matches (?:\W|^)(?:javascript:(?:[^]+[=\\\(`\[\.<]|[^]*(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[^]*;[^]*\b(?:base64|charset=)|[^]*,[^]*<[^]*\w[^]*>))|@\W*i\W*m\W*p\W*o\W*r\W*t\W*(?:\/\*[^]*)?(?:["']|\W*u\W*r\W*l[^]*\()|\W*-\W*m\W*o\W*z\W*-\W*b\W*i\W*n\W*d\W*i\W*n\W*g[^]*:[^]*\W*u\W*r\W*l[^]*\(|\{\{[^]+\}\}
[NoScript] [InjectionChecker]  JavaScript Injection in ///?token=4876xxxxxxxxFxxxx&local.x=en_AU&client-metadata-id=Mxxxxxxxxxx6xxw&native_xo=1&redirect_uri=https://pay.ebay.com.au/rxo?eBayParams={{{TCM1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}}}

Seems NoScript doesn't like the {{{ }}} -

Code: Select all

http://127.0.0.1/?test={{{foo}}}

Code: Select all

[NoScript] [InjectionChecker]  Attributes injection:
{{{foo}}}
matches (?:\W|^)(?:javascript:(?:[^]+[=\\\(`\[\.<]|[^]*(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[^]*;[^]*\b(?:base64|charset=)|[^]*,[^]*<[^]*\w[^]*>))|@\W*i\W*m\W*p\W*o\W*r\W*t\W*(?:\/\*[^]*)?(?:["']|\W*u\W*r\W*l[^]*\()|\W*-\W*m\W*o\W*z\W*-\W*b\W*i\W*n\W*d\W*i\W*n\W*g[^]*:[^]*\W*u\W*r\W*l[^]*\(|\{\{[^]+\}\}
[NoScript] [InjectionChecker]  JavaScript Injection in ///?test={{{foo}}}

If this is all you're hitting, it's definitely a false positive, {{{whatever}}} is not XSS unless the "whatever" in the middle is valid Javascript, which in this case it's not.

[Dee3]

Thanks for running those tests! Am unfortunately not Javascript-savvy: what do the three brackets around the data, which NoScript doesn't like, do? Can NoScript be modified to parse them, if they're causing a false positive (if that's what it is)?

[barbaz]

what do the three brackets around the data, which NoScript doesn't like, do?

No idea. Answering that would require knowledge of eBay internals, possibly on their server side.

[Dee3]

Being curious about the triple brackets thing, I did some googling and found that they are used in Javascript and in phtml for defining templates. {{ }} = 'Interpolate (escaped)', {{{ }}} = 'Interpolate (unescaped)'. I don't know what those two terms mean - do they make sense to you? Eg: https://codex.wordpress.org/Javascript_ ... p.template

Does this make sense of we're seeing in those eBay transactions? Would having NoScript ignore the brackets enable the transaction to go through safely without generating a cross-site attack warning?

[Dee3]

Hoping this is indeed a false positive, I took a chance on allowing my purchase through, which is just a small item but needed quickly and can't get anywhere else. When I got transferred to PayPal, I got the same NoScript XSS warning but in reverse, saying there was suspicious data being sent from PayPal to eBay. It, too, has the triple curly brackets around the data. The transaction went through normally aside from that, and I got emails from eBay and PayPal to confirm the purchase.

Now just hoping neither of those accounts get hijacked... But from what you've said, and seeing that nobody else on the eBay forum has (yet) posted a thread about getting hijacked after making a PayPal payment, am hoping it's a false positive. A definite confirmation that that is the case would be warmly welcomed.

Thanks again for looking into this.