[FIXED] XSS False Positive and Zynga.com

Ask for help about NoScript, no registration needed to post
BlueDrache

[FIXED] XSS False Positive and Zynga.com

Post by BlueDrache »

I keep having issues with NoScript firing off a false positive XSS attack when accessing PetVille gifts on Facebook.

Image

I've attempted to allow NoScript to let this through, but I'm not sure if I'm doing something wrong.

Any assistance would be gratefully accepted. Thank you.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
Phantom

Re: XSS False Positive and Zynga.com

Post by Phantom »

I couldn't find a way to create a working link; however, by doing the following steps I got it to work for my girlfriend.

1. Click the NoScript icon in the bottom right hand corner of your screen.
2. Click "Options"
3. Click "Advanced"
4. Click the "XSS" subtab
5. Uncheck the box next to "Turn cross-site POST requests into data-less GET requests"
6. Click "OK" at the bottom.
7. Try to send gifts/other things that didn't work before.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: XSS False Positive and Zynga.com

Post by dhouwn »

What Phantom is suggesting would be deactivating the whole XSS-protection, which shouldn't be an option when you can whitelist things.
The problem you had is that you tried to add a whitelist entry using globbing (pattern-matching with "*" and "?") instead of a regular expression.
It would be helpful if you posted the concerning error console output.

BTW, have you used the search function of this board before posting? I found for example http://forums.informaction.com/viewtopi ... 568#p19568 which might help you.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5pre) Gecko/20100825 Namoroka/4.0b4pre Fennec/2.0a1
BlueDrache

Re: XSS False Positive and Zynga.com

Post by BlueDrache »

I can't write regular expression to save my life and the example thread that was given looked specific to the poker website, which I do not play.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
BlueDrache

Re: XSS False Positive and Zynga.com

Post by BlueDrache »

Forgive the double post, but without a login account I can not edit my previous post.

I've attempted to shut off XSS protection, which it appears I can't do, as well as insert additional "whitelist" entries in the XSS tab. No dice. It still nukes my ability to receive gifts.

This is quite frustrating and annoying, quite honestly. The white list is written in such an arcane and confusing manner as to make sensible additions to it near impossible without some sort of computer coding degree.

I'm not asking to learn this language, I'm asking for some help to get a section of my web back without having to disable NoScript when I surf facebook, or flat out uninstall. In all honesty, neither are palatable options.

Attached is a pic of my options screen and my modifications.

Image
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: XSS False Positive and Zynga.com

Post by dhouwn »

dhouwn wrote: It would be helpful if you posted the concerning error console output.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5pre) Gecko/20100825 Namoroka/4.0b4pre Fennec/2.0a1
BlueDrache

Re: XSS False Positive and Zynga.com

Post by BlueDrache »

Is there a way to get a text dump of that or will I have to take a series of 10 screenshots to get the whole error console?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0C)
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: XSS False Positive and Zynga.com

Post by therube »

The only one(s) likely to be pertinent are the ones that have "NoScript" in them.

Copy from the Error Console and post it in a [ code ] [ /code ] tag in this thread.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; rv:2.0b6pre) Gecko/20100901 Firefox/4.0b6pre SeaMonkey/2.1b1pre
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS False Positive and Zynga.com

Post by Giorgio Maone »

BTW, please check whether the problem persists in latest development build.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
BlueDrache

Re: XSS False Positive and Zynga.com

Post by BlueDrache »

Got it to fire off again.


Error: Permission denied for <http://static.ak.facebook.com> (document.domain=<http://facebook.com>) to get property Window.Arbiter from <http://fb-client-0.petville.zynga.com> (document.domain=<http://zynga.com>).
Source File: http://static.ak.facebook.com/connect/canvas_proxy.php#method=setSize&params=%7B%22height%22%3A0%2C%22width%22%3A0%2C%22frame%22%3A%22iframe_canvas%22%7D
Line: 59


Error: Permission denied for <http://static.ak.facebook.com> (document.domain=<http://facebook.com>) to get property Window.Arbiter from <http://fb-client-0.petville.zynga.com> (document.domain=<http://zynga.com>).
Source File: http://static.ak.facebook.com/connect/canvas_proxy.php#method=setSize&params=%7B%22height%22%3A0%2C%22width%22%3A0%2C%22frame%22%3A%22iframe_canvas%22%7D
Line: 59


Error: Permission denied for <http://static.ak.facebook.com> (document.domain=<http://facebook.com>) to get property Window.Arbiter from <http://fb-client-0.petville.zynga.com> (document.domain=<http://zynga.com>).
Source File: http://static.ak.facebook.com/connect/canvas_proxy.php#method=setSize&params=%7B%22height%22%3A166%2C%22width%22%3A760%2C%22frame%22%3A%22iframe_canvas%22%7D
Line: 59


[NoScript XSS] Sanitized suspicious upload to [http://www.facebook.com/plugins/serverfbml.php§DATA§%3Cfb%3Afbml%3E++%3Cstyle+type%3D%22text%2Fcss%22%3E+.main_giftConfirm_cont+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box_yellow.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+300px%3B+%7D+.main_giftConfirm_cont+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.gift_box_holder+%7B+padding%3A24px+150px%3B+%7D+.gift_box_cont+%7B++%09background%3A+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_gift_yellow.png%27%29+top+left+no-repeat%3B++%09width%3A152px%3B+%09height%3A151px%3B+%09padding-top%3A20px%3B+%09float%3Aleft%3B+%7D+.gift_from+%7B+float%3A+left%3B+padding%3A+55px+0px+0px+62px%3B+%7D+.gift_box_cont+.giftConfirm_img+%7B+height%3A+115px%3B+%7D+.gift_box_cont+.giftConfirm_name+%7B+color%3A+%23559890%3B+font-weight%3A+bold%3B+%7D+.from_box_cont+%7B++%09background%3A+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_user_yellow.png%27%29+top+left+no-repeat%3B++%09width%3A117px%3B+%09height%3A115px%3B+%09padding-left%3A1px%3B+%09padding-top%3A23px%3B+%09float%3Aright%3B+%09margin-top%3A15px%3B+%7D+.giftFrom_img+img+%7B+height%3A+50px%3B+%7D+.giftFrom_name+%7B+padding-top%3A+20px%3B+%7D+.giftFrom_name+a%3Alink%2C+.giftFrom_name+a%3Avisited+%7B+color%3A+%233b5998%3B+font-weight%3A+bold%3B+text-decoration%3A+underline%3B+%7D+.giftFrom_name+a%3Ahover%2C+.giftFrom_name+a%3Aactive+%7B+color%3A+%23559890%3B+text-decoration%3A+none%3B+%7D+.morePending_cont+div.text+%7B+font-size%3A+16px%3B+font-weight%3A+bold%3B+margin%3A+10px+0px%3B+%7D+.morePending_cont+div+span+%7B+color%3A+%23559890%3B+%7D+.morePending_bttn+.inputsubmit+%7B+font-size%3A+20px%3B+%7D+.morePending_bttn+span+%7B+margin-right%3A+20px%3B+%7D+.morePending_bttn+form+%7B+display%3A+inline%3B+%7D+.inputbutton%2C+.inputsubmit+%7B+%09background-color%3A%233B5998%3B+%09border-color%3A%23D9DFEA+%230E1F5B+%230E1F5B+%23D9DFEA%3B+%09border-style%3Asolid%3B+%09border-width%3A1px%3B+%09color%3A%23FFFFFF%3B+%09font-family%3A%22lucida+grande%22%2Ctahoma%2Cverdana%2Carial%2Csans-serif%3B+%09font-size%3A11px%3B+%09%2F*+padding%3A2px+15px+3px%3B+*%2F+%09text-align%3Acenter%3B+%7D+.giftLimit+%7B+padding-bottom%3A+8px%3B+font-size%3A+16px%3B+font-weight%3A+bold%3B+%7D+.gift_email+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box_small_yellow.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+225px%3B+margin-top%3A+10px%3B%7D+.gift_email+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.gift_emailtreats+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box_small_blue_v2.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+225px%3B+margin-top%3A+10px%3B%7D+.gift_emailtreats+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.gift_love+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+265px%3B+margin-top%3A+10px%3B%7D+.gift_love+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.gift_love_holder+%7B+padding%3A45px%3B+%7D+.gift_lovetreats+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box_blue.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+265px%3B+margin-top%3A+10px%3B%7D+.gift_lovetreats+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.bookmark_left+%7B+float%3Aleft%3B+width%3A450px%3B+color%3A+%23559890%3B+font-weight%3A+bold%3B+font-size%3A+16px%3B+text-align%3Aleft%3B+%7D+.bookmark_right+%7B+float%3Aright%3B+%7D+.holiday_gift_box_holder+%7B+padding%3A+20px+5px+0+5px%3B+color%3A+%23559890%3B+%7D+++%09.gift_box_holder+%7B+padding%3A20px+25px%3B+%7D+%09.gift_box_cont+%7B+margin-left%3A+35px%3B+%7D+%09.from_box_cont+%7B+margin-left%3A+42px%3B+float%3A+left%3B%7D+%09.gift_from+%7B+padding-left%3A+42px%3B+%7D+%09.thank_you_gift+%7B+padding%3A+55px+0+0+22px%3B+%7D+%09.thank_you_text+%7B+margin-top%3A+10px%3B+color%3A+%23559890%3B+font-weight%3A+bold%3B+font-size%3A+18px%3B+%7D++%3C%2Fstyle%3E++%3Cdiv+class%3D%22padding_content+center%22%3E+%3Ccenter%3E+%09%09%09%3Cdiv+class%3D%22main_giftConfirm_cont%22%3E+%09%09%09%3Ch3%3EYou+just+accepted+this+Winkz+the+Pomhuahua%3C%2Fh3%3E+%09%09%09%09%09%09%09%3Cdiv+class%3D%22gift_box_holder%22%3E+%09%09%09%09%3Cdiv+class%3D%22gift_box_cont%22%3E+%09%09%09%09%09%3Cdiv+class%3D%22giftConfirm_img%22%3E+%09%09%09%09%09%09%09%09%09%09%09%3Cimg+src%3D%22http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fassets%2Fstuff%2Fanimal%2Fanimal_00063_pomhuahua_icon.png%22+style%3D%22margin%3A+10px%3B%22%3E+%09%09%09%09%09%09%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%09%3Cdiv+class%3D%22giftConfirm_name%22%3E%3Cspan%3EWinkz+the+Pomhuahua%3C%2Fspan%3E%3C%2Fdiv%3E+%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%3Cdiv+class%3D%22gift_from%22%3E%3Ch3%3EFrom%3C%2Fh3%3E%3C%2Fdiv%3E+%09%09%09%09%3Cdiv+class%3D%22from_box_cont%22%3E+%09%09%09%09%09%09%09%09%09%09%3Cdiv+class%3D%22giftFrom_img%22%3E%3Cimg+src%3D%22https%3A%2F%2Fgraph.facebook.com%2F1537624569%2Fpicture%3Ftype%3Dsquare%22%3E%3C%2Fdiv%3E+%09%09%09%09%09%3Cdiv+class%3D%22giftFrom_name%22%3E%3Cspan%3ECarol+Craft%3C%2Fspan%3E%3C%2Fdiv%3E+%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%09%09%09%09%09%3Cdiv+class%3D%22thank_you_gift%22%3E+%09%09%09%09%09%09%3Cfb%3Arequest-form+action%3D%22http%3A%2F%2Ffb-client-0.petville.zynga.com%2Fcurrent%2Fgifts_send.php%3Faction%3Dsentthankyougift%26amp%3Bpv_session%3D9e0db256fabfb6ca69e26aeee2cbee8f%26amp%3BreceiverGift%3D%26amp%3BgiftRecipient%3D1537624569%26amp%3Bts%3D1283450939%26amp%3Bgift%3D6325%26amp%3Bref%3Dtab%26amp%3Bkey%3Dcaa2d7c36adce392334fc9bf5c8b1408%24%24heG0TZQW4YKM2l0mNrM%28U%28Jz2HMQSI*2OoS2V6%2805guMbeOeK-6jFWhcx*5*WQbEp0YNEXsG1Q-MTJ*nwb_waU_7Qd4V_yieRSE%22+method%3D%22post%22+invite%3D%22false%22+type%3D%22PetVille+Gift%22+content%3D%22Thank+you+for+your+gift.+Here+is+a+Winkz+the+Pomhuahua+for+your+pet+in+PetVille+as+a+Thank+you+gift.+Could+you+help+me+by+sending+a+gift+back%3F++%26lt%3Bfb%3Areq-choice+url%3D%27http%3A%2F%2Fapps.facebook.com%2Fpetvillegame%2Fgiftaccept.php%3FsenderId%3D621465247%26amp%3Bgift%3D6325%26amp%3Btimestamp%3D1283450939%26amp%3Bref%3Dtab%26amp%3Bkey%3Dcaa2d7c36adce392334fc9bf5c8b1408%24%24heG0TZQW4YKM2l0mNrM%28U%28Jz2HMQSI*2OoS2V6%2805guMbeOeK-6jFWhcx*5*WQbEp0YNEXsG1Q-MTJ*nwb_waU_7Qd4V_yieRSE%26amp%3Bsignature%3D4d5692691d8a958f54c047858dc37872%27+label%3D%27Accept+Gift%27%26gt%3B%26lt%3B%2Ffb%3Arequest%26gt%3B%22%3E+%09%09%09%09%09%09%09+%09%09%09%09%09%09%09++++++++++++%09+%09%09%09%09%09%09%09++++++++++++%3Cfb%3Arequest-form-submit+label%3D%22Send+%25n+a+Thank+you+gift%22+uid%3D%221537624569%22%3E%3C%2Ffb%3Arequest-form-submit%3E%3C%2Ffb%3Arequest-form%3E+%09%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%09%3Cdiv+class%3D%22thank_you_text%22%3EFriends+send+gifts+they+want+back%21%3C%2Fdiv%3E+%09%09%09%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%3Cdiv+class%3D%22morePending_cont%22%3E+%09%09%09%3Cdiv+class%3D%22text%22%3EDo+you+have+more+pending+gifts+to+accept%3F%3C%2Fdiv%3E+%09%09%09%3Cdiv+class%3D%22morePending_bttn%22%3E+%09%09%09%09%3Cform+action%3D%22http%3A%2F%2Fapps.facebook.com%2Fpetvillegame%2Fgiftaccept.php%3FreqType%3Dyes%22+method%3D%22post%22+target%3D%22_top%22%3E+%09%09%09%09%09%3Cspan%3E+%09%09%09%09%09%09%3Cinput+class%3D%22inputsubmit%22+value%3D%22Yes%22+type%3D%22submit%22%3E+%09%09%09%09%09%3C%2Fspan%3E+%09%09%09%09%3C%2Fform%3E+%09%09%09%09%3Cform+action%3D%22http%3A%2F%2Fapps.facebook.com%2Fpetvillegame%2Fgiftaccept.php%3FreqType%3Dno%22+method%3D%22post%22+target%3D%22_top%22%3E+%09%09%09%09++++%09%09%09%09%09%3Cinput+class%3D%22inputsubmit%22+value%3D%22No%22+type%3D%22submit%22%3E+%09%09%09%09%3C%2Fform%3E+%09%09%09%3C%2Fdiv%3E+%09%09%09%3Cdiv+class%3D%22text%22%3E%3Cspan%3EPlease+remember+to+accept+each+gift+right+away.%3C%2Fspan%3E%3C%2Fdiv%3E+%09%09%3C%2Fdiv%3E+%09%3C%2Fcenter%3E+%3C%2Fdiv%3E+%3C%2Ffb%3Afbml%3E] from [http://fb-client-0.petville.zynga.com/current/giftaccept.php?overlayed=true&senderId=1537624569&gift=6325&timestamp=1283445289&ref=tab&key=585cb450f2ae366f2e69504dc63275f2%24%24chI3TWSX37bZYhg8M-o-XQc!eHAoclFCzdtf)d3S34vP4gBa.pkPwcCC8r9UcR4H%2CtsxqvnltYp%2ChAnIWUnA)a(0TOx&signature=dd52b63e7027bf338c9ba2e890b471e0&pv_session=9e0db256fabfb6ca69e26aeee2cbee8f&overlayed=true&1283450814534#overlay]: transformed into a download-only GET request.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
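The following is an added example, not NoScript's own code and not posted by anyone in this thread. It models the two points the thread turns on: dhouwn's remark that the Anti-XSS exception list takes regular expressions, so a glob such as *.facebook.com/* is not even a valid entry, and the log message above, in which a cross-site POST from petville.zynga.com to www.facebook.com carrying markup matched no exception and was downgraded to a data-less GET. The origin and destination URLs are taken from that log line; the naive "site" comparison (last two host labels), the body heuristic, and the helper names compileException, globToRegexSource, isCrossSite and applyXssFilter are this example's assumptions, not NoScript's real logic.

```javascript
// Simplified model of an Anti-XSS exception check (added example, not NoScript code).
// Assumptions: exception entries are regular expressions matched against the
// destination URL; "site" is approximated by the last two host labels.

// Constructed from the [NoScript XSS] log line in the thread.
const ORIGIN = "http://fb-client-0.petville.zynga.com/current/giftaccept.php?overlayed=true";
const DESTINATION = "http://www.facebook.com/plugins/serverfbml.php";

// Compile an exception entry as a regex. A glob like "*.facebook.com/*" fails
// here ("*" has nothing to repeat), which is the mistake dhouwn points at.
function compileException(entry) {
  try {
    return { ok: true, re: new RegExp(entry) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Translate a glob (wildcards "*" and "?") into an anchored regex source,
// escaping every other regex metacharacter so the entry means what the user meant.
function globToRegexSource(glob) {
  let out = "^";
  for (const ch of glob) {
    if (ch === "*") out += ".*";
    else if (ch === "?") out += ".";
    else out += ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }
  return out + "$";
}

// Naive site extraction: enough to tell zynga.com from facebook.com (assumption).
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function isCrossSite(originUrl, destUrl) {
  return siteOf(originUrl) !== siteOf(destUrl);
}

// Stand-in "suspicious upload" heuristic (assumption): the body carries markup.
function looksSuspicious(body) {
  return typeof body === "string" && /<\/?\w+|javascript:/i.test(body);
}

// A cross-site POST with a suspicious body whose destination matches no valid
// exception is turned into a data-less GET, mirroring the log's
// "transformed into a download-only GET request". Invalid entries are skipped.
function applyXssFilter(request, exceptions) {
  const { origin, url, method, body } = request;
  if (method !== "POST" || !isCrossSite(origin, url) || !looksSuspicious(body)) {
    return { ...request, sanitized: false };
  }
  for (const entry of exceptions) {
    const c = compileException(entry);
    if (c.ok && c.re.test(url)) return { ...request, sanitized: false };
  }
  return { origin, url, method: "GET", body: null, sanitized: true };
}

// Constructed request shaped like the one in the log (body abbreviated).
const request = { origin: ORIGIN, url: DESTINATION, method: "POST", body: "<fb:fbml><style>.x{}</style></fb:fbml>" };

console.log("glob entry compiles:", compileException("*.facebook.com/*").ok);
console.log("no exception:", JSON.stringify(applyXssFilter(request, [])));
console.log("regex exception:", JSON.stringify(applyXssFilter(request, [globToRegexSource("http://*.facebook.com/*")])));
```

Running it shows the three outcomes a user in this thread would see: the glob entry does not compile and is silently useless, with no matching entry the POST becomes a bodyless GET (the gift data is lost, which is why the gift never arrives), and an anchored regex built from the same glob lets the request through. Note that a regex which is too broad (for example one that matches any facebook.com URL) also disables the protection for every request to that site, so the narrowest entry that covers the blocked destination is the right one.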
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS False Positive and Zynga.com

Post by Giorgio Maone »

The only NoScript-specific message is the latter.

Could you check latest development build (2.0.2.5rc1)?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
BlueDrache

Re: XSS False Positive and Zynga.com

Post by BlueDrache »

I was unable to test the release candidate, but I will let you know if the released version works without the false positive ... now all I need is someone to send me a gift on Petville. :/
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0C)
BlueDrache

Re: XSS False Positive and Zynga.com

Post by BlueDrache »

This issue appears to be resolved for the time being.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0C)