[FIXED] Ebay us uk au Paypal checkout xss warning

barbaz
Senior Member
Posts: 10849
Joined: Sat Aug 03, 2013 5:45 pm

Re: Ebay us uk au Paypal checkout xss warning

Post by barbaz »

Dee3 wrote: Fri Jun 30, 2023 8:37 am When I got transferred to PayPal, I got the same NoScript XSS warning but in reverse, saying there was suspicious data being sent from PayPal to eBay. It, too, has the triple curly brackets around the data.
Seeing that the original flagged parameter is called "redirectURI" and points to an eBay URL, I'm guessing this second warning was about the exact same parameter as was flagged in the other XSS warning?
Dee3 wrote: Fri Jun 30, 2023 8:37 am am hoping it's a false positive. A definite confirmation that that is the case would be warmly welcomed.
If the messages about these XSS warnings in about:debugging > This Firefox > NoScript > Inspect > Console show that NoScript is just flagging the triple curly brackets, i.e. it's the same as the above messages except for real URLs and uncensored parameters, it's definitely a false positive.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
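
The check discussed in the post above (is the flagged `redirectURI` value pointing at an expected host, and are triple curly brackets the only unusual content?) can be scripted. This is an added example, not part of the thread and not NoScript's own filter logic; the host list, the helper names and the sample URL are constructed for illustration.

```javascript
// Added example, not NoScript code. Host list and sample URL are constructed.
const EXPECTED_HOSTS = ["paypal.com", "ebay.com", "ebay.co.uk", "ebay.com.au"];
const TRIPLE_BRACES = /\{\{\{[^{}]*\}\}\}/g;
const MARKUP_CHARS = /[<>"'`]/; // characters needed to break out into HTML or script

function hostIsExpected(hostname) {
  const h = hostname.toLowerCase();
  return EXPECTED_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// Break a flagged URL into per-parameter findings.
function triageFlaggedUrl(rawUrl) {
  const url = new URL(rawUrl);
  const params = [];
  for (const [name, value] of url.searchParams) {
    const finding = {
      name,
      tripleBraceTokens: (value.match(TRIPLE_BRACES) || []).length,
      markupChars: MARKUP_CHARS.test(value),
      redirect: null,
    };
    // A value that parses as an absolute URL is treated as a redirect target.
    // Anything that is not https to an expected host is reported as not ok.
    let nested = null;
    try { nested = new URL(value); } catch (_) { /* value is not a URL */ }
    if (nested) {
      finding.redirect = {
        host: nested.hostname,
        ok: nested.protocol === "https:" && hostIsExpected(nested.hostname),
      };
    }
    params.push(finding);
  }
  return { host: url.hostname, hostExpected: hostIsExpected(url.hostname), params };
}

// True only when braces are the sole oddity and every host is an expected one.
function onlyBracesFlagged(report) {
  return report.hostExpected &&
    report.params.some((p) => p.tripleBraceTokens > 0) &&
    report.params.every((p) => !p.markupChars && (!p.redirect || p.redirect.ok));
}

// Constructed sample shaped like the warning described in the thread.
const SAMPLE_URL = "https://www.paypal.com/example?redirectURI=" +
  encodeURIComponent("https://pay.ebay.co.uk/example?id={{{CONSTRUCTED123}}}");
console.log(JSON.stringify(triageFlaggedUrl(SAMPLE_URL), null, 2));
console.log("only braces flagged:", onlyBracesFlagged(triageFlaggedUrl(SAMPLE_URL)));
```

Paste the uncensored URL from the NoScript console in place of `SAMPLE_URL`; a `false` result means something other than the brackets deserves a closer look before allowing the request.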
Dee3
Posts: 9
Joined: Tue Jun 27, 2023 5:35 pm

Re: Ebay us uk au Paypal checkout xss warning

Post by Dee3 »

Unfortunately I didn't save the text from that side of the transaction, just took a screenshot, so can't run it through the inspect console. From what I see of the alpha & numeric characters within the curly brackets (the text gets cut off on the right side), some of them are the same as in the original side of the transaction, about the first 20 or so characters, then there are various different characters mixed with the rest of the original ones.

Am no scripter so I don't know what to make of any of the code, but neither side of the transaction is redirecting to some weird URL, it's just PayPal.com or pay.eBay.co.uk, so that looks hopeful. So it may be OK.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Rom623

Re: Ebay us uk au Paypal checkout xss warning

Post by Rom623 »

Greetings barbaz.

Sincere apologies for my prolonged personal absence....unavoidable!

Thank you to dee3 for assisting barbaz with troubleshooting the eBay / PayPal Xss cross-site issue that has plagued countless users for many months.

It appears you have both made great progress in identifying / resolving the problem. Good news the query string was benign, false positive and not actual valid Xss.

Please let us know if there is any further troubleshooting to undertake.

I did notice there is an update to NoScript 11.4.22 that includes a fix for Base64 hash checks interfering with query string. Is this the fix to this issue?

Many thanks to you both for your time, dedication and skills.

Best Regards.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Rom623

Re: Ebay us uk au Paypal checkout xss warning

Post by Rom623 »

Greetings,

For peace of mind and closure to this problem.

Are we comfortable that it's safe to move forward and ignore the eBay / PayPal Xss warning at checkout given the findings / testing undertaken?

The Base64 hash checks interfering with query string fix in NoScript 11.4.22. Was this the resolution for this issue?

Regards & Thanks.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Dee3
Posts: 9
Joined: Tue Jun 27, 2023 5:35 pm

Re: Ebay us uk au Paypal checkout xss warning

Post by Dee3 »

@ Rom623 Unfortunately the latest NoScript update didn't fix this particular issue, I just tested it by trying to buy something on eBay and still got the XSS warning pop-up. I did buy an item on eBay on 30 June because of urgent need and decided I'd have to take the chance: that went through OK and as of today, my bank account hasn't been drained...yet. But seriously, I hope it's a false positive. I'd just feel much more secure if the warnings weren't being triggered by some mysterious thing or other.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Rom623

Re: Ebay us uk au Paypal checkout xss warning

Post by Rom623 »

Posting again, username was omitted accidentally.


@dee3, appreciate your timely reply.

Disappointed for all involved that the recent fix applied in 11.4.22 didn't improve the problem.

Seriously would like to have a definitive answer as to exactly what's causing NoScript to trigger and issue this Xss warning.

Haven't seen any posts on eBay / Paypal of non NoScript users being affected by recent xss cross-site scripting.

Further, this issue seems to be felt across eBay AU, UK, US domains that I've seen posts for. Could be more?
You wouldn't expect it to affect payment domains across multiple continents.

I'm in the same quandary, due to the lack of retail availability I really need to make eBay purchases ASAP for my family.

Can we further engage barbaz / Giorgio to give us their general consensus on whether they feel it's indeed a false positive? We can then with some certainty ignore the warning and move forward until a fix is identified.

Not sure if the admins see all these posts, due to the large number and availability of their time? We very much appreciate all they do. :D

Let's keep this post active until we hopefully get further technical clarification.

Thank you dee3 for your feedback and assistance.

Stay safe.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
barbaz
Senior Member
Posts: 10849
Joined: Sat Aug 03, 2013 5:45 pm

Re: Ebay us uk au Paypal checkout xss warning

Post by barbaz »

Rom623 wrote: Tue Jul 04, 2023 11:20 pm Can we further engage barbaz
I've done all I can for this issue: evaluated the XSS warning to the best of my ability, concluded it seems a false positive and suggested selecting "Always allow document requests" in this specific case as a workaround. At this point only Giorgio can constructively engage further, either by fixing this false positive in a future NoScript version, or if that's not possible/realistic, explaining why not and giving his take on the suggested workaround.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
Rom623

Re: Ebay us uk au Paypal checkout xss warning

Post by Rom623 »

Firstly! Thank you barbaz for all your time, technical expertise and valued assistance. 8-)

Moving forward, understanding your findings. We can safely then ignore the warning and allow document requests. It does appear from all your efforts to be a benign issue, false positive.

Given the number of faithful / grateful NoScript users globally, this issue must be affecting countless numbers of people. Though as we know people fail to report, seek assistance with such issues. Life commitments get in the way. :)

Honestly. How do we constructively engage Giorgio, to run his eyes over this issue, to seek his thoughts and possible direction? Is this something you can raise internally on everyone's behalf? Or alternatively, how do we engage Giorgio, understanding how busy he is. We would appreciate anything you're able to assist us / direct us with.

Moving forward, it would be advantageous for everyone to have this issue definitively fixed in this awesome extension.

Appreciated in advance. Travel safe!
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
barbaz
Senior Member
Posts: 10849
Joined: Sat Aug 03, 2013 5:45 pm

Re: Ebay us uk au Paypal checkout xss warning

Post by barbaz »

Rom623 wrote: Wed Jul 05, 2023 11:24 pm Firstly! Thank you barbaz for all your time, technical expertise and valued assistance. 8-)
You're welcome.
Rom623 wrote: Wed Jul 05, 2023 11:24 pm How do we constructively engage Giorgio, to run his eyes over this issue, to seek his thoughts and possible direction?
Well, first is wait in case he just sees this. To maximize the chance, if this thread is no longer listed in search.php?search_id=active_topics and he hasn't responded yet, you can post in this thread again to bump it and bring it back on that list.
Rom623 wrote: Wed Jul 05, 2023 11:24 pm Is this something you can raise internally on everyone's behalf?
There isn't any special internal place to raise stuff like this, I can sometimes try to alert him privately to things that need his attention if enough time passes without his response, but recently he has been too busy even to get to several such things yet :|
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
Rom623

Re: Ebay us uk au Paypal checkout xss warning

Post by Rom623 »

barbaz,

On behalf of user dee3 and myself, awesome effort assisting us...... 8-)

Fingers crossed Giorgio is able to respond and resolve this issue in the very near future.

I'll keep this post on my daily radar......

Travel safe & speak soon.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Dee3
Posts: 9
Joined: Tue Jun 27, 2023 5:35 pm

Re: Ebay us uk au Paypal checkout xss warning

Post by Dee3 »

@barbaz Thank you so much for all your investigation into this, and to Rom623 for reporting it. I do hope Giorgio will get time to confirm that it's definitely a false positive, and hopefully make a fix to accommodate whatever's causing it. Thanks again.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Rom623

Re: Ebay us uk au Paypal checkout xss warning

Post by Rom623 »

Giorgio,
Would appreciate your valued time to confirm this issue is definitely a false positive and possibly apply a permanent fix into a future NoScript release.

Thank you on behalf of all users being troubled by this xss warning on eBay /Paypal.

Kind Regards. :D
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Rom623

Re: Ebay us uk au Paypal checkout xss warning

Post by Rom623 »

Giorgio,
Any time you can spare to confirm this issue is indeed a false positive?
A permanent fix would be advantageous, if possible, to bring closure for all users faced with this xss warning.

Thank you in advance...... :D
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Castle Freak

Re: Ebay us uk au Paypal checkout xss warning

Post by Castle Freak »

Hey everyone! ;)

I'm getting the same warning by NoScript when eBay redirects me to PayPal. It seems like all eBay domains are affected by this issue (I've tried to buy something using the German and Austrian eBay sites). This is really frustrating because I wanted to buy an item I couldn't find anywhere except on eBay, as it's a rare item. Unfortunately the seller has disabled bank transfer as an alternative payment option to PayPal. As for my knowledge concerning internet security topics, I suspect the XSS warning to be a false positive. Still, it's better to be safe than sorry ;)
Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1
Castle Freak

Re: Ebay us uk au Paypal checkout xss warning

Post by Castle Freak »

Sorry, something went wrong.

I can not enclose a screenshot :roll:
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0