Cross Scripting Problem
Posted: Fri Nov 06, 2009 5:05 pm
by Gene45
I have been trying to get into Bell's website (Bell.ca). I can get in and log in to the point where it knows me and my details, but when I try to order anything I get a message at the top of the screen that:
"NoScript filtered a potential cross scripting site (XSS) attempt from [http\Bell.ca]. Technical details have been logged to the console."
I have looked at the "Options" box but don't understand what it is telling me. Likewise for the console.
When this happens I am stuck and can't get any response from the site and have no idea what to do about it.
Help?
Re: Cross Scripting Problem
Posted: Fri Nov 06, 2009 5:33 pm
by Alan Baxter
From http://noscript.net/features#xss:
Then a yellow notification bar displays a message like
"NoScript filtered a potential cross-site scripting (XSS) attempt from [some-evil-url.com]. Technical details have been logged to the Console."
On the left side of this bar there's also an "Options..." button: if you click it, you can choose among the following actions:
* Show Console, displaying the Error Console where further technical details about the actions taken by NoScript are logged.
Please notice that the Error Console is a standard Firefox component reporting every JavaScript-related message from any source: the explanatory messages specifically coming from NoScript and related to XSS are only the ones marked with a [NoScript XSS] label.
Please post the console message starting with [NoScript XSS].
Re: Cross Scripting Problem
Posted: Sat Nov 07, 2009 1:44 am
by Gene45
So I tried to go back to the Bell site as before. I did not get the cross scripting message, but it gets stuck just the same. Perhaps it is Bell's problem. Since I did not get the error warning, I did not get into the console as suggested. Going to Tools > Error Console lets me look at a list like this:
Warning: Expected ':' but found '='. Declaration dropped.
Source File: https://www.bell.ca/mybell/framework/sk ... ontent.css
Line: 107
Warning: Error in parsing value for 'vertical-align'. Declaration dropped.
Source File: https://www.bell.ca/web/css/content.css
Line: 1637
Warning: Unrecognized at-rule or error parsing at-rule '@import'.
Source File: https://www.bell.ca/web/css/print.css
Line: 29
Warning: Error in parsing value for 'width'. Declaration dropped.
Source File: https://www.bell.ca/web/css/print.css
Line: 40
Warning: Expected ':' but found '='. Declaration dropped.
Source File: https://www.bell.ca/mybell/framework/sk ... ontent.css
Line: 107
Warning: Error in parsing value for 'vertical-align'. Declaration dropped.
Source File: https://www.bell.ca/web/css/content.css
Line: 1637
Warning: Unrecognized at-rule or error parsing at-rule '@import'.
Source File: https://www.bell.ca/web/css/print.css
Line: 29
Warning: Error in parsing value for 'width'. Declaration dropped.
Source File: https://www.bell.ca/web/css/print.css
Line: 40
Warning: Error in parsing value for 'clear'. Declaration dropped.
Source File: viewtopic.php?f=7&t=1570215&p=7894235#p7894235
Line: 0
but with no XSS warning.
I must have done something to shut down the system, but I don't know what.
I guess I won't be able to shop at Bell.....
If it happens again, I know who to call......
Re: Cross Scripting Problem
Posted: Sun Nov 15, 2009 6:27 pm
by Guest
Hopefully you solve this because I can't do most things on Bell's website because of this. I tried disabling the XSS, and it still doesn't work properly. I can only get about one link deeper than I was with it enabled.
Re: Cross Scripting Problem
Posted: Sun Nov 15, 2009 11:31 pm
by GµårÐïåñ
None of the things you have listed are NoScript or XSS errors; they are all website-related errors. If you were getting an XSS message, then there would be a record of it in the console, so it's looking pretty likely that your problem is not XSS.
Re: Cross Scripting Problem
Posted: Mon Nov 16, 2009 5:14 pm
by SeanM
An XSS problem with a different site from bell.ca. This displayed at the Amtrak web site (apparently recently enhanced). At the point this message was displayed, all I had done was enter the departure station, destination and travel dates.
[NoScript XSS] Sanitized suspicious upload to [http://tickets.amtrak.com/itd/amtrak§D ... 2FtripType] from [http://www.amtrak.com/servlet/ContentSe ... k/HomePage]: transformed into a download-only GET request.
(I went ahead on my test PC to the train reservations.)
Re: Cross Scripting Problem
Posted: Mon Nov 16, 2009 8:09 pm
by Giorgio Maone
XSS exception:
^http://tickets\.amtrak\.com/itd/amtrak$
Re: Cross Scripting Problem
Posted: Tue Nov 17, 2009 4:00 am
by SeanM
Giorgio Maone wrote: XSS exception:
^http://tickets\.amtrak\.com/itd/amtrak$
Thanks! Worked like a charm.
I had been reading through the XSS docs, perplexed as to why this exception was presented. I had "amtrak.com" in the whitelist, and assumed (I know, the mother of all foul-ups) that "http://ticket.amtrak.com" would be trusted. I thought (for but a moment) to add "http://ticket.amtrak.com" to the whitelist, and decided to hold the thought.
Were my assumptions incorrect, was the problem caused by the special characters, or does the recently "new, improved" Amtrak web site have a few risks built into it?
I tried the same procedure (on a test PC) with IE7, Opera 9.64 and Safari 3.22.
IE7 processed the request, then crashed a few minutes later.
Safari acted odd, then hung only the tab.
Opera seemed to handle the request, with no apparent problems until I tried to close Opera (it crashed).
Re: Cross Scripting Problem
Posted: Fri Nov 20, 2009 8:57 pm
by GµårÐïåñ
Yes, many of them can be coded into the same CSS for various compatibilities, you might need to reference a few outside things but generally in one place.
Re: Cross Scripting Problem
Posted: Sat Jan 16, 2010 4:08 pm
by Oliver L.
Giorgio Maone wrote: XSS exception:
^http://tickets\.amtrak\.com/itd/amtrak$
Thanks this worked for me too.
Re: Cross Scripting Problem
Posted: Wed Apr 07, 2010 2:02 am
by roger
Thanks for this lead on cross scripting. New stuff for me.
As for bell.ca and its pretty bad issue with NoScript, I finally got their https site to work by adding these lines under the Advanced / XSS tab in the Anti-XSS Protection Exceptions list.
^http://bell-ca\.baynote\.net/
^https://bell-ca\.baynote\.net/
^http://[a-z]*\.baynote\.net/
^http://[a-z]*\.liveperson\.net/
^https://[a-z]*\.bell\.ca/
^http://www\.ges\.bell\.ca/
Not sure which are required or how they could be simplified. Bell.ca being such a black box, that would call for a lot more testing. To me it looks like their css programmers really went to town on this one.
Roger
Re: Cross Scripting Problem
Posted: Wed Apr 07, 2010 6:29 am
by Giorgio Maone
roger wrote:
^http://bell-ca\.baynote\.net/
^https://bell-ca\.baynote\.net/
^http://[a-z]*\.baynote\.net/
^http://[a-z]*\.liveperson\.net/
^https://[a-z]*\.bell\.ca/
^http://www\.ges\.bell\.ca/
Not sure which are required or how they could be simplified.
Simplification:
^https?://[a-z\-]+\.baynote\.net/
^http://[a-z]*\.liveperson\.net/
^https?://(?:[^/]+\.)?bell\.ca/
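To see what roger's original six exceptions and the three-line simplification above actually accept, and how much wider the simplified set is, here is an added Python check that is not part of this thread or of NoScript; it assumes a plain `re.match` against the request URL stands in for NoScript's matching (an assumption, not a claim about NoScript internals), and the sample URLs are constructed.

```python
import re

# roger's original six Anti-XSS Protection Exceptions, as posted in the thread.
ORIGINAL = [
    r"^http://bell-ca\.baynote\.net/",
    r"^https://bell-ca\.baynote\.net/",
    r"^http://[a-z]*\.baynote\.net/",
    r"^http://[a-z]*\.liveperson\.net/",
    r"^https://[a-z]*\.bell\.ca/",
    r"^http://www\.ges\.bell\.ca/",
]

# Giorgio Maone's three-line simplification, as posted in the thread.
SIMPLIFIED = [
    r"^https?://[a-z\-]+\.baynote\.net/",
    r"^http://[a-z]*\.liveperson\.net/",
    r"^https?://(?:[^/]+\.)?bell\.ca/",
]

def matches_any(patterns, url):
    """True if at least one pattern matches url from its start (assumption: this
    stands in for how NoScript applies an exception to a request URL)."""
    return any(re.match(p, url) for p in patterns)

def classify(url):
    """(accepted by ORIGINAL, accepted by SIMPLIFIED) for one URL."""
    return (matches_any(ORIGINAL, url), matches_any(SIMPLIFIED, url))

def widened(urls):
    """URLs the simplification exempts that the original six did not."""
    return [u for u in urls if classify(u) == (False, True)]

def narrowed(urls):
    """URLs the original six exempted that the simplification drops."""
    return [u for u in urls if classify(u) == (True, False)]

# Constructed sample URLs: the hosts named in the thread plus edge cases.
SAMPLES = [
    "https://www.bell.ca/mybell/framework/content.css",  # both accept
    "http://www.ges.bell.ca/",                           # both accept
    "https://bell.ca/",              # bare domain: original needs a subdomain
    "http://bell-ca.baynote.net/",                        # both accept
    "http://my-shop.baynote.net/",   # hyphen: [a-z]* in original rejects it
    "https://www.bell.ca.example.net/",  # neither: bell.ca must be followed by /
    "http://bell.ca/",               # plain http to bell.ca: original had none
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(classify(u), u)
    print("widened:", widened(SAMPLES), "narrowed:", narrowed(SAMPLES))
```

The `(?:[^/]+\.)?bell\.ca/` form covers every bell.ca host the original list did, over http or https, while the required slash right after `bell.ca` keeps look-alike hosts such as `bell.ca.example.net` out of the exception.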
Re: Cross Scripting Problem
Posted: Thu Apr 08, 2010 12:52 am
by roger
Thank you sir.
Those three lines in the Advanced / XSS / Anti-XSS Protection Exceptions
^https?://[a-z\-]+\.baynote\.net/
^http://[a-z]*\.liveperson\.net/
^https?://(?:[^/]+\.)?bell\.ca/
plus I forgot to mention that I had three more lines in the HTTPS / Cookies / Ignore unsafe cookies section.
bell.ca
liveperson.net
baynote.net
It all works well now.
Roger