
Cross-site Scripting (XSS) Problem

Posted: Wed Jan 06, 2010 5:48 pm
by virtualguy
Trying to watch a NOVA video on the PBS site (Public Television). None of the videos on this site will play and I get NoScript notifications. Even when I opt for the unsafe reload, the video still will not play. What's up with that?

http://video.pbs.org/video/1300397304/

Warning: Error in parsing value for 'filter'. Declaration dropped.
Source File: http://www-tc.pbs.org/video/media/css/i ... .css?13241
Line: 846

[NoScript XSS] Sanitized suspicious request. Original URL [http://static.liverail.com/js/companion ... cmlwdD4%3D] requested from [http://video.pbs.org/video/1300397304/]. Sanitized URL: [http://static.liverail.com/js/companion ... 2328682734].

[ABE] <LOCAL> Deny on {GET http://cdn.visiblemeasures.com/crossdomain.xml <<< http://video.pbs.org/video/1300397304/, http://video.pbs.org/video/1300397304/}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

(New Build)
Win 7 (64-bit)
Intel Core i7, 6Gb RAM


Thanks!

Re: Cross-site Scripting (XSS) Problem

Posted: Wed Jan 06, 2010 6:25 pm
by Giorgio Maone
NoScript is correct about the XSS warning: in fact, the advertising page http://static.liverail.com/js/companion ... bGl2ZXJhaW, if base64-decoded, contains a <script> element which has no place in a URL.

You can just ignore the warning or even Forbid liverail.com (which will skip XSS checks): the movie will play just fine.

Regarding ABE, looks like cdn.visiblemeasures.com is in your intranet, therefore . Are you a developer connected to it?
Either way, you can work around it by opening NoScript Options|Advanced|ABE and editing your SYSTEM ruleset, inserting the following rule at the beginning of the file:


Site *.visiblemeasures.com
Accept
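The XSS reasoning in the reply above (a base64-encoded query value that decodes to a <script> element; the %3D at the end of the flagged URL is a percent-encoded base64 "=" padding character) as an added example in JavaScript. This is not NoScript's own code and not the liverail.com page: it is a minimal version of the same check, run against a constructed URL, since the real one is truncated in the post. The hostnames, parameter names and payload are illustrative assumptions.

```javascript
// Added example, not NoScript's own code: a minimal version of the check
// Giorgio describes above. Query-string values that look like base64 are
// decoded and the result is scanned for script markup, which has no
// business inside a URL. The sample URLs are constructed for illustration;
// the real liverail.com URL is truncated in the post.

// Markup that should never appear in a URL parameter. The event-handler
// branch requires a quote so that raw base64 text (which has no quotes,
// "<" or ":") can never match before it is decoded.
const MARKUP_RE = /<\s*\/?\s*script\b|\bon[a-z]+\s*=\s*["']|javascript\s*:/i;
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

function looksLikeBase64(s) {
  return s.length >= 8 && s.length % 4 === 0 && BASE64_RE.test(s);
}

// Returns one finding per suspicious query parameter.
function findInjectedMarkup(url) {
  const u = new URL(url);
  const findings = [];
  for (const [name, value] of u.searchParams) {
    // URLSearchParams turns "+" into a space; put it back so that base64
    // sent without percent-encoding still decodes.
    const raw = value.replace(/ /g, "+");
    const views = [{ text: value, decoded: false }];
    if (looksLikeBase64(raw)) {
      views.push({ text: Buffer.from(raw, "base64").toString("utf8"), decoded: true });
    }
    for (const v of views) {
      if (MARKUP_RE.test(v.text)) {
        findings.push({ param: name, decoded: v.decoded, snippet: v.text.slice(0, 80) });
        break;
      }
    }
  }
  return findings;
}

// Simplified "sanitize": drop the offending parameters entirely. NoScript
// instead rewrites the dangerous characters, which is why the sanitized URL
// in the post still carries a long query string.
function sanitizeUrl(url) {
  const u = new URL(url);
  for (const f of findInjectedMarkup(url)) u.searchParams.delete(f.param);
  return u.toString();
}

// Constructed sample: an ad tag that smuggles a <script> element through a
// base64-encoded "html" parameter, as the original warning suggests.
// (hostname and parameter name are assumptions)
const payload = "<script src=\"http://ads.example/companion.js\"></script>";
const SUSPICIOUS_URL =
  "http://static.liverail.com/js/companion?cb=1262800000&html=" +
  encodeURIComponent(Buffer.from(payload, "utf8").toString("base64"));

// Constructed sample: the same endpoint with harmless parameters.
const BENIGN_URL =
  "http://static.liverail.com/js/companion?cb=1262800000&size=300x250";

console.log(findInjectedMarkup(SUSPICIOUS_URL));
console.log(findInjectedMarkup(BENIGN_URL));
console.log(sanitizeUrl(SUSPICIOUS_URL));
```

Run it with node: the first call reports the html parameter as suspicious after decoding, the benign URL produces nothing, and the sanitized URL keeps only the cb parameter. Note that the raw (undecoded) value is checked too, so a plain, unencoded <script> in a parameter is caught by the same loop.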

Re: Cross-site Scripting (XSS) Problem

Posted: Thu Jan 07, 2010 4:13 pm
by virtualguy
Thank you for your response. I will employ the fix you have suggested for viewing the videos on the PBS site. However, the real problem is that I'm getting these warning notices at the top of the page at nearly every website I go to. They tend to take up a lot of screen real estate. It is exceedingly annoying to have to click these notices off every single time I open a new web page. For example, if I read 15 emails in Yahoo Mail, I have to click away the warnings every single time I open a new email. I am a centimeter away from sending NoScript to the sh*t can.

VG

Re: Cross-site Scripting (XSS) Problem

Posted: Thu Jan 07, 2010 4:18 pm
by Giorgio Maone
  1. Which NoScript version are you using? The latest should be much more accurate regarding false positives on Yahoo ads.
  2. Could you show me the [NoScript XSS] lines shown in Tools|Error Console when this happens on Yahoo mail?
  3. Could you consider using an adblocker, like Adblock Plus?

Re: Cross-site Scripting (XSS) Problem

Posted: Fri Jan 08, 2010 12:17 am
by virtualguy
Resolved. NoScript apparently did not like the blocking IP in my HOSTS file. Changed the IP to 255.0.0.0 and saved the hosts file (running Notepad with admin status), and the ABE issue is gone. Thanks!