
Bug: NS corrupts PayPal PayNow encrypted buttons

Posted: Sat Apr 17, 2010 7:03 pm
by markerick
I'm a developer working on a site now that uses a PayPal PayNow button. My machine is Ubuntu 9.10 with Firefox 3.5.9 and NoScript 1.9.9.63.

At first NoScript flat out blocked the PayPal button with an XSS warning. I searched and found a post where it was recommended to change the POST to a GET. I did that and now have problems with NoScript corrupting the data being sent to PayPal. Here is what happens...

I'm using PayPal's encrypted website payments so the price and purchase information cannot be seen or manipulated.
https://cms.paypal.com/us/cgi-bin/?cmd= ... 8A3I0P017Q

This is what the PayPal button/form looks like on my page:
NOTE: The actual encrypted text is dynamically generated based on the purchase information and will vary from one use to the next.

Code:

<!-- buy now button -->
<form action="https://www.paypal.com/us/cgi-bin/webscr" method="get">
  <input type="hidden" name="cmd" value="_s-xclick" />
  <input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----
MIIIAwYJKoZIhvcNAQcDoIIH9DCCB/ACAQAxggEwMIIBLAIBADCBlDCBjjELMAkG
A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
EgYDVQQKEwtQYXlQYWwgSW5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UE
AxQIbGl2ZV9hcGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb20CAQAwDQYJ
KoZIhvcNAQEBBQAEgYCp5O/sZi3Q8yAyWCCZcFCnP1BjWajKdtZyQjdajqZv1uDV
p0js6FrrGxsHnL2AXyvMSl9PBlfVlYt8YVPlKSrvpKjW8NrAoREht6vMH2gDBJLe
mOnFBaPmq/6cSi65cEYjCN4mYH36Zg4wSJAxI8z+Wzh1j2CX1SVbR8qsx6wM6DCC
BrUGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIONN6kF0t6w6AggaQTDCYC9iaW0oc
yaGMrEeU8yFzC0T3a2Wz5MVrm6OWJ/KPLZKKlp2NmG4NjbYiGx8w4UmO3gswoCZh
+rYExoQryogx4l9Y8wBN23P48qKw6exjJuuNLQNp0cXXry2C5Lsz51sbvMCqUakP
ogGV1pizqOMf3AXch1N14zfXxxNNougT7iBg18TAaIGCBoeRb3Qu+Cbcj9Ef2z1D
lcxzvRVn0De+p4/FOCbUNkEeK8cSl9z/CQ8ej+ZoXPoxGj99hBv7GQS/h88smQXv
IVRLTG3NnxpVEozjk73rRYKiuqzlU+9AC2bNhj2eRMc8odIM3AlPffmtMNViBTzO
aiN9GdaEpuTCZuqB+Lfdpq3k/duF7REx4uCdjp1yC/kR0mItNgrPi3T7Y0tRt4Ji
q6kxhyr58HoOVd6Rdw43UCoGKuzKmzrSzig9xIHrr4xXT4NYu+BKpr/vA7D5iDE0
SWr3InejbUsbzBcWorMHMO1i1+UlLy5vx/g7UrZEKfw+4DGzNbpSImhCohwKMG4N
pRTPhW2soHynqegJ8mhbhoH+Ls87w+eOND/yP0yAPGDXBuF67patIOIDVmDdS+NO
irW2rlfpQIIC5P4AfwnuZvPGF6JjSpKHONq2H+C2zDFmlAcFFQu7r3wNjbMg4kyE
Xrufwl7BBaF6XnyYQa4ruZGUUJarYWmBYctBK54T/u8QZoAX+ZSB7tVytivbrdrA
2Fgct0tLsKzzTXtQWVGxy8vE9jGddB88FTOxPEk7b8T38uV6Ipyx6FcGL5+PpZt/
CCi70wBV5CN57JslitZAaInNqHEOHgzg1/HMkafYH2Z2Ub0Qw0q5Zr/6kKGDx69v
iOAcqAeClmSbMa71AuyHeBbRtKgKUIRPwGEXJEurR+9y9U1NWhx+3Cef2B/vcoVt
CqFtmq9rQcphdkm06v39y1azKsF+hkU0noc4QN10yoafE2i8an7mae0NYwvaMdnX
77ZHxHAZqKj1nwpVGvz/O3giRMc8fpPv866jrDABHepyJWGLPufU9A/A997ZNixi
7aCj/9cpCE6VQaTmwpnPtEBvVsiB96AyB1h/xKrwtVXDEOqMn1H5sIkbK9AV55tm
7q7XGbCdb3V9psLC/S+0MF6imqKXS2LWyQI8EBmQjwAYkrqCqvIhn1g8O64lQ0VR
fI03rx6h3aa1ZmcOZYU4/XFmjdtQeG6q6Dg80Rz7eEuc4oXCTfDscth5/XtC2azi
lrOhWrfu5qoLZ4MGxEFqxxQhOdYgigimBZxB3dg1BKURsi/lflvidcXFqHDzqeFZ
BiiQfiiCtdAgvCVQmyl9aUx2NiKcaSaSqqQUogmoqJ3DTo5aYp7VgFA3gSDq01V/
XcSESlktjubrDh/OCQIjnMn4zP+6GmzP8YeA3spohlXXdOTXLlAHjYcbKfMRNCMr
Jx9tSE2fuV64FC2lfpLcUBPB59HuCipweOqQjFtoA+x55xYNJe1Pq1ZDe/zwNw6C
L5o9aBAkHH/ceGe2eTediAyK/8O+WGV9GygqKYoQjK7GbXh7POATAK7uuNDiTBTH
9F64vuyYyHH+sMYHcCnu5VhRPEpwDuMAdOR011OlW+1jHTpcDCUQHtNhZlPDXrAh
XqdvsP4axztopORmQZFG9z32rW3TBV2J9jIWJ5Frj8nI+sKpyjHravm7y1UL6krU
mDqLuf8YI3uUmJKLya6L1wEz/sHo0ighHZ9CcOQyf6PiBnscfSgD833tXyfxvDs1
ijIIph9LyEscTqMl57ItfgJ5/c9BkL0O+70fXe7QGZ0mjA8EH4Wty+M0+7pzruaB
dhtvyOZzKIRC/clsTbu73xD0PK8riwZAmi01sYvkvEoKLm5sWRff5O1mTqcu8u+h
89JXHRzhGF0tudXcGbyj1b6bHWVDrlFQ4q6YfUR0345weYFLPB1uY5ca/ZSKgXwc
IuNQ3lVVskbLJKvZvlai60RpFfALhOlx87oj1iUeLUBonCirKlBSG10n3cXcn9FL
FTMB8ih6DOqolc0zF9xZBHUgtn3tpi1bAzT1YiOxzyQ/+Zer9Yu9rkWiZ9diDyAS
3UHJ3b6z735rT/mohdO3ac2Yk2tzXiwv06Yk4/b42ZyukNcif0TYAlmqqB2etrC5
McpEsIk0n0a4NQwdi/zccVkctGPsoir20xsLwE9o0dK5Mv4IwQCftZDefnLmbTNg
cwF6XFP6S+WpWEVMc4ekLe9x6jApmVcXultVD97TQYKE10TSi1UU
-----END PKCS7-----
" />
  <input type="image" src="/images/btn_paynowCC_LG.gif" class="paypal_paynow" name="submit" alt="Pay with PayPal" title="Pay through PayPal" />
</form>

Notice I changed the form method to GET instead of the original POST.

When the link is clicked, it should go to PayPal and get decrypted so the integrity of the data is preserved. However, what happens is that the browser slows waaaay down (like 10 seconds and is unresponsive) before it starts to register the click and pull up PayPal.

When the browser pulls up PayPal, it is an error page with the message:
Error Detected
We were unable to decrypt the certificate id.
In the Console, this message appears:
[NoScript XSS] Sanitized suspicious request. Original URL [https://www.paypal.com/us/cgi-bin/websc ... ubmit.y=14] requested from [http://localhost:9040/checkout]. Sanitized URL: [https://www.paypal.com/us/cgi-bin/websc ... 0657495332].
What's happening is that NoScript is modifying the encrypted portion and corrupting the data. When I pulled the message apart in a text editor to look at the parts, I found that the content was dramatically altered. Regardless, any alteration corrupts the data.

This seems to happen most of the time with my tests. On a few occasions it worked as expected. I presume that the variable encrypted text will sometimes match NS patterns and not in others.

Please look into this and correct the problem as this will likely affect all encrypted PayPal buttons and cause problems for small businesses.

Thanks,
-Mark E.

BTW> I really like the NS plugin and recommend it to people. :)

Re: Bug: NS corrupts PayPal PayNow encrypted buttons

Posted: Sat Apr 17, 2010 7:46 pm
by Giorgio Maone
It is actually a bug, since NoScript has already a specific work-around in place for these buttons.
It will be fixed in next release.
In the meanwhile, just change the "/us/" part of your action URL with "/ca/":

Code:

https://www.paypal.com/ca/cgi-bin/webscr
It will work and won't change anything in your button behavior.

Re: Bug: NS corrupts PayPal PayNow encrypted buttons

Posted: Sat Apr 17, 2010 8:05 pm
by markerick
Giorgio Maone wrote:
It is actually a bug, since NoScript has already a specific work-around in place for these buttons.
It will be fixed in next release.
In the meanwhile, just change the "/us/" part of your action URL with "/ca/":

Code:

https://www.paypal.com/ca/cgi-bin/webscr
It will work and won't change anything in your button behavior.

Thanks! The work-around URL change works perfectly. I'm glad to hear this will be fixed in the next release. Thanks for the prompt response. :)

-Mark E.

Re: Bug: NS corrupts PayPal PayNow encrypted buttons

Posted: Sun Apr 18, 2010 3:41 pm
by Giorgio Maone
Fixed in 1.9.9.64

Re: Bug: NS corrupts PayPal PayNow encrypted buttons

Posted: Sun Apr 18, 2010 5:30 pm
by dhouwn
So you basically improved the hard-coded workaround.
1.9.9.63 wrote: /^https:\/\/www\.paypal\.com\/(?:ca\/)?cgi-bin\/webscr\b/
1.9.9.64 wrote: /^https:\/\/www\.paypal\.com\/(?:[\w\-]+\/)?cgi-bin\/webscr\b/
But are there any plans for moving such workarounds into the XSS settings? That is making fine-grained per-site XSS settings possible?

Re: Bug: NS corrupts PayPal PayNow encrypted buttons

Posted: Sun Apr 18, 2010 8:40 pm
by Giorgio Maone
dhouwn wrote: So you basically improved the hard-coded workaround.
Mmm, not only. I also improved the speed of Base64 checks (which was the underlying problem: in fact, you'll see the button would work also without the hard-coded work-around, but you'd get a 1 second delay or so) and implemented a framework to skip checks for specific request parameters.
dhouwn wrote: But are there any plans for moving such workarounds into the XSS settings? That is making fine-grained per-site XSS settings possible?
What do you mean, exactly? You already have XSS exceptions. A generally available work-around for this issue would have been adding the above regular expression to the NoScript Options|Advanced|XSS exceptions box.
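
Added example (not part of the thread and not NoScript's own code): the two exception patterns quoted above, run against constructed sample URLs, to show why the "/us/" action fell outside the 1.9.9.63 exception while "/ca/" did not, and how narrowly the 1.9.9.64 pattern is still scoped. The sample URLs, the `en-gb` locale and the function names are assumptions made for illustration.

```javascript
// Patterns exactly as quoted in the thread for each NoScript release.
const EXCEPTIONS = {
  "1.9.9.63": /^https:\/\/www\.paypal\.com\/(?:ca\/)?cgi-bin\/webscr\b/,
  "1.9.9.64": /^https:\/\/www\.paypal\.com\/(?:[\w\-]+\/)?cgi-bin\/webscr\b/,
};

// Constructed sample URLs; the "encrypted" value is a placeholder.
const SAMPLES = [
  "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&encrypted=PLACEHOLDER",
  "https://www.paypal.com/ca/cgi-bin/webscr?cmd=_s-xclick",
  "https://www.paypal.com/us/cgi-bin/webscr?cmd=_s-xclick",
  "https://www.paypal.com/en-gb/cgi-bin/webscr",          // hypothetical locale
  "https://www.paypal.com/us/x/cgi-bin/webscr",           // two path segments
  "https://www.paypal.com/us/cgi-bin/webscript",          // \b rejects longer name
  "http://www.paypal.com/us/cgi-bin/webscr",              // not https
  "https://www.paypal.com.example.net/us/cgi-bin/webscr", // look-alike host
];

// Returns the releases whose hard-coded exception covers the URL.
function exemptIn(url) {
  return Object.keys(EXCEPTIONS).filter((v) => EXCEPTIONS[v].test(url));
}

// One row per sample: which releases would skip XSS filtering for it.
function report() {
  return SAMPLES.map((url) => ({ url, exempt: exemptIn(url) }));
}

for (const { url, exempt } of report()) {
  console.log((exempt.join(", ") || "still filtered").padEnd(20), url);
}
```

The same check is worth running on any pattern before pasting it into the XSS exceptions box: the `^https:` anchor, the literal host followed by `/`, and the trailing `\b` are what keep look-alike hosts and paths out of the exception.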