InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

XSS or false alarm?

https://forums.informaction.com/viewtopic.php?t=3962

Page 1 of 1

XSS or false alarm?

Posted: Sun Feb 28, 2010 2:37 pm
by BlackBox
Hi there,

Searching for some specific subject with Google brought me to a link with the format http:// "something".appspot.com/"twitter account"

Running FF 3.6 with NoScript 1.9.9.50 results in a XSS warning for Google / appspot.com, situation :

1. Search for potential XSS links http://www.google.com/#hl=enl&source=hp ... om%2F&fp=1

2. Choose a link on the result page, like http://7920074.appspot.com/googlemaps

3. Use the result page,try to login to Twitter (enter here a fake user name and password) > result a XSS warning

What is happening here? Is appspot.com hijacked and acting like Twitter or is this a bug in NoScript?

Regards,

BlackBox the Netherlands.

Re: XSS or false alarm?

Posted: Thu Mar 04, 2010 12:51 am
by Guest
Winner of the "2006 PC World World Class Award", this tool provides extra protection to your Firefox.
It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, guarding your "trust boundaries" against cross-site scripting attacks (XSS) and Clickjacking attempts, thanks to its unique ClearClick technology.
Such a preemptive approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality...
Experts do agree: Firefox is really safer with NoScript ;-)
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited