XSS on Amazon

Posted: Sat Oct 10, 2009 4:29 pm
by TrueWill
With the latest version of NoScript I've started to get potential XSS filtering on Amazon.com. For example, going to this link will give it:

http://www.amazon.com/Framework-Design- ... 0321545613

As an aside, the captcha for signing up for the forum is extremely frustrating. It took me 5 or 6 tries to get it right.

Thank you!

Re: XSS on Amazon

Posted: Sat Oct 10, 2009 4:53 pm
by Giorgio Maone
Going to that link doesn't give me any warning.
Could you check if your problem persists with latest development build 1.9.0.9?
If it does, could you show me the [NoScript XSS] line(s) you get in Tools|Error Console?
Thanks.

Re: XSS on Amazon

Posted: Sat Oct 10, 2009 6:56 pm
by TrueWill
Giorgio Maone wrote: Going to that link doesn't give me any warning.
Could you check if your problem persists with latest development build 1.9.0.9?
If it does, could you show me the [NoScript XSS] line(s) you get in Tools|Error Console?
Thanks.
Thanks - I installed the latest development build, and still got it. Here's the error console line:

[NoScript XSS] Sanitized suspicious request. Original URL [http://view.atdmt.com/MRT/iview/177129049/direct/01/3800484?click=http://ad.doubleclick.net/click%3Bh=v8/38c2/3/0/%2a/s%3B218441852%3B0-0%3B1%3B18274663%3B4307-300/250%3B33666080/33683958/1%3Bu%3De766594f80e84f9e97fbe86bca960bf1%3B%7Eaopt%3D3/1/11/2%3B%7Esscs%3D%3f] requested from [http://www.amazon.com/aan/2009-09-09/static/amazon.us/iframeproxy.html#dclick=amzn.us.dp.books/computer_internet;sz%3D300x250;u%3De766594f80e84f9e97fbe86bca960bf1;ord%3D0YH2WE470403R523CDMD;s%3D108;s%3D97;s%3D250;s%3D249;s%3D99;s%3D102;s%3D364;s%3D227;s%3D363;s%3D231;s%3D125;s%3D232;s%3D126;s%3D118;s%3D120;s%3D3;s%3D276;s%3D7;s%3D277;s%3D143;s%3D280;s%3D142;s%3D5;s%3D279;s%3D11;s%3D12;s%3D130;s%3D9;s%3D286;s%3D16;s%3D14;s%3D156;s%3D153;s%3D24;s%3D23;s%3D22;s%3D21;s%3D147;s%3D148;s%3D27;s%3D267;s%3D25;s%3D32;s%3D270;s%3D150;s%3D29;s%3D37;s%3D173;s%3D38;s%3D33;s%3D172;s%3D165;s%3D46;s%3D48;s%3D295;s%3D54;s%3D53;s%3D56;s%3D294;s%3D55;s%3D49;s%3D52;s%3D188;s%3D51;s%3D303;s%3D62;s%3D57;s%3D59;s%3D67;s%3D80;s%3D195;s%3D224;s%3D221;s%3D220;s%3D217;s%3D218;s%3D93;s%3D92;s%3D91;s%3D332;s%3Dm1;z%3D153;z%3D180;z%3D141;tile%3D1%3F]. Sanitized URL: [http://view.atdmt.com/MRT/iview/177129049/direct/01/3800484?click=http://ad.doubleclick.net/click%3Bh=v8%2F38c2%2F3%2F0%2F*%2Fs%3B218441852%3B0-0%3B1%3B18274663%3B4307-300%2F250%3B33666080%2F33683958%2F1%3Bu%20e766594f80e84f9e97fbe86bca960bf1%3B~aopt%203%2F1%2F11%2F2%3B~sscs%20%3F#6883692636994576505].
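As an added example, not code from the thread or from NoScript itself: this Python script parses a [NoScript XSS] Error Console line like the one above and reports which characters of the request's query string the filter rewrote. The embedded log line is a constructed, abbreviated copy of the one posted, and the parsing regex is an assumption about the message format.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: an abbreviated version of the Error Console line posted in the thread.
SAMPLE_LINE = (
    "[NoScript XSS] Sanitized suspicious request. Original URL "
    "[http://view.atdmt.com/MRT/iview/177129049/direct/01/3800484?click="
    "http://ad.doubleclick.net/click%3Bh=v8/38c2/3/0/%2a/s%3B218441852"
    "%3Bu%3De766594f80e84f9e97fbe86bca960bf1%3B%7Eaopt%3D3/1/11/2%3B%7Esscs%3D%3f]"
    " requested from [http://www.amazon.com/aan/2009-09-09/static/amazon.us/"
    "iframeproxy.html#dclick=amzn.us.dp.books/computer_internet;sz%3D300x250]."
    " Sanitized URL: [http://view.atdmt.com/MRT/iview/177129049/direct/01/3800484?click="
    "http://ad.doubleclick.net/click%3Bh=v8%2F38c2%2F3%2F0%2F*%2Fs%3B218441852"
    "%3Bu%20e766594f80e84f9e97fbe86bca960bf1%3B~aopt%203%2F1%2F11%2F2%3B~sscs%20%3F"
    "#6883692636994576505]."
)

# Assumed message layout: three bracketed URLs (original, requesting page, sanitized).
LOG_RE = re.compile(
    r"\[NoScript XSS\] Sanitized suspicious request\. Original URL \[(?P<original>[^\]]+)\]"
    r" requested from \[(?P<origin>[^\]]+)\]\. Sanitized URL: \[(?P<sanitized>[^\]]+)\]\."
)


def parse_noscript_xss(line):
    """Split one [NoScript XSS] line into its three URLs, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {k: m.group(k) for k in ("original", "origin", "sanitized")}


def query_changes(original_url, sanitized_url):
    """Percent-decode both query strings and return (index, original_char, sanitized_char)
    for every position the filter rewrote. The fragment NoScript appended is ignored
    because urlsplit separates it; None is returned if the decoded lengths differ."""
    q_orig = unquote(urlsplit(original_url).query)
    q_san = unquote(urlsplit(sanitized_url).query)
    if len(q_orig) != len(q_san):
        return None
    return [(i, a, b) for i, (a, b) in enumerate(zip(q_orig, q_san)) if a != b]


if __name__ == "__main__":
    entry = parse_noscript_xss(SAMPLE_LINE)
    print("requesting page:", urlsplit(entry["origin"]).netloc)
    for idx, before, after in query_changes(entry["original"], entry["sanitized"]):
        print(f"offset {idx}: {before!r} -> {after!r}")
```

Run against the sample, the diff shows that only the three percent-encoded `=` separators inside the nested DoubleClick URL were turned into spaces, while the literal `=` in `h=v8` and the rest of the request survived intact.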

Re: XSS on Amazon

Posted: Sat Oct 10, 2009 8:12 pm
by Giorgio Maone
hm, is there any reason why you are trusting atdmt.com?

Re: XSS on Amazon

Posted: Sun Oct 11, 2009 12:18 am
by TrueWill
Giorgio Maone wrote: hm, is there any reason why you are trusting atdmt.com?
None. They're Yet Another Online Marketing Company.

Amazon.com is in my Whitelist. So there are two issues here:

Personal - How can I trust Amazon, distrust the marketer, and avoid the distracting pop-up?
General - Others are probably getting these XSS pop-ups too, and you probably don't want to answer their questions individually.

Thank you!

Re: XSS on Amazon

Posted: Sun Oct 11, 2009 12:28 am
by Giorgio Maone
TrueWill wrote: Personal - How can I trust Amazon, distrust the marketer, and avoid the distracting pop-up?
Use "Forbid atdmt.com"
TrueWill wrote: General - Others are probably getting these XSS pop-ups too, and you probably don't want to answer their questions individually.
The false positive is already fixed in code that will be released with next version.

Re: XSS on Amazon

Posted: Sun Oct 11, 2009 1:04 am
by TrueWill
Thanks much! :)