InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

[BUG] [XSS] False XSS positives for Wikimedia secure site

https://forums.informaction.com/viewtopic.php?t=4892

Page 1 of 1

[BUG] [XSS] False XSS positives for Wikimedia secure site

Posted: Tue Aug 17, 2010 6:02 pm
by schnee
Hi folks,

I just got the following false XSS positives that I'd like to report as a bug:

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_(Beethoven)] requested from [https://encrypted.google.com/search?hl=en&q=beethoven%27s+7th]. Sanitized URL: [https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_%20Beethoven%20#6355658425021999302].
[NoScript XSS] Sanitized suspicious request. Original URL [https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_(Beethoven)] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [https://secure.wikimedia.org/wikipedia/en/wiki/Symphony_No._7_%20Beethoven%20#46670769589367445329].
This happens with Mozilla 3.6.8 and NoScript 2.0.1. Apologies if this is already known/fixed in a development version/the wrong way to file a bug report. ;)

Re: [BUG] [XSS] False XSS positives for Wikimedia secure sit

Posted: Tue Aug 17, 2010 10:04 pm
by schnee
anonymous_user wrote:Well, "Symphony_No._7_(Beethoven)" is a syntactically correct JavaScript expression that would call the _7_ method on a Symphony_No object. But NoScript already ships with an XSS filter exception to fix this exact thing (false positives from Google search Wikipedia articles) -- did you delete that exception by any chance?
No, I didn't delete anything. I just checked, though, and the Wikipedia exception at least only applies to wikipedia.org, not wikimedia.org (which is where the secure site is located). I'm not sure about the rest, though: the Google exception (^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?) is there.

EDIT:
edit: Actually, disregard that, the XSS filter exception NoScript currently ships with only applies to the non-secure version of Wikipedia... this rule should match the secure version
Thanks for that! It might be worth adding this to the default exceptions in the next NoScript release, too.

Cheers!

Re: [BUG] [XSS] False XSS positives for Wikimedia secure sit

Posted: Tue Aug 17, 2010 11:10 pm
by Giorgio Maone
It will be in next dev build, thanks.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited