[FIXED] XSS False Positive and Zynga.com

Posted: Tue Aug 31, 2010 9:34 pm
by BlueDrache
I keep having issues with NoScript firing off a false positive XSS attack when accessing PetVille gifts on Facebook.

I've attempted to allow NoScript to let this through, but I'm not sure if I'm doing something wrong.

Any assistance would be gratefully accepted. Thank you.

Re: XSS False Positive and Zynga.com

Posted: Wed Sep 01, 2010 5:30 am
by Phantom
I couldn't find a way to create a working link; however, I got it to work for my girlfriend by doing the following steps.

1. Click the NoScript icon in the bottom right hand corner of your screen.
2. Click "Options".
3. Click "Advanced".
4. Click the "XSS" subtab.
5. Uncheck the box next to "Turn cross-site POST requests into data-less GET requests".
6. Click "OK" at the bottom.
7. Try to send gifts/other things that didn't work before.

Re: XSS False Positive and Zynga.com

Posted: Wed Sep 01, 2010 12:23 pm
by dhouwn
What Phantom is suggesting would deactivate the whole XSS protection, which shouldn't be an option when you can whitelist things.
The problem you had is that you tried to add a whitelist entry using globbing (pattern matching with "*" and "?") instead of a regular expression.
It would be helpful if you posted the relevant error console output.

BTW, have you used the search function of this board before posting? I found for example http://forums.informaction.com/viewtopi ... 568#p19568 which might help you.

Re: XSS False Positive and Zynga.com

Posted: Wed Sep 01, 2010 1:20 pm
by BlueDrache
I can't write regular expressions to save my life, and the example thread that was given looked specific to the poker website, which I do not play.

Re: XSS False Positive and Zynga.com

Posted: Wed Sep 01, 2010 2:59 pm
by BlueDrache
Forgive the double post, but without a login account I cannot edit my previous post.

I've attempted to shut off XSS protection, which it appears I can't do, as well as insert additional "whitelist" in the XSS entry. No dice. It still nukes my ability to receive gifts.

This is quite frustrating and annoying, quite honestly. The white list is written in such an arcane and confusing manner as to make sensible additions to it near impossible without some sort of computer coding degree.

I'm not asking to learn this language, I'm asking for some help to get a section of my web back without having to disable NoScript when I surf facebook, or flat out uninstall. In all honesty, neither are palatable options.

Attached is a pic of my options screen and my modifications.

Re: XSS False Positive and Zynga.com

Posted: Wed Sep 01, 2010 10:42 pm
by dhouwn
dhouwn wrote: It would be helpful if you posted the relevant error console output.

Re: XSS False Positive and Zynga.com

Posted: Thu Sep 02, 2010 12:00 am
by BlueDrache
Is there a way to get a text dump of that or will I have to take a series of 10 screenshots to get the whole error console?

Re: XSS False Positive and Zynga.com

Posted: Thu Sep 02, 2010 12:32 am
by therube
The only one(s) that are likely to be pertinent are the ones that have "NoScript" in them.

Copy from Error Console & post in a [ code ] [ /code ] tag in this thread.

Re: XSS False Positive and Zynga.com

Posted: Thu Sep 02, 2010 2:33 pm
by Giorgio Maone
BTW, please check whether the problem persists in the latest development build.

Re: XSS False Positive and Zynga.com

Posted: Thu Sep 02, 2010 6:12 pm
by BlueDrache
Got it to fire off again.

Error: Permission denied for <http://static.ak.facebook.com> (document.domain=<http://facebook.com>) to get property Window.Arbiter from <http://fb-client-0.petville.zynga.com> (document.domain=<http://zynga.com>).
Source File: http://static.ak.facebook.com/connect/canvas_proxy.php#method=setSize&params=%7B%22height%22%3A0%2C%22width%22%3A0%2C%22frame%22%3A%22iframe_canvas%22%7D
Line: 59

Error: Permission denied for <http://static.ak.facebook.com> (document.domain=<http://facebook.com>) to get property Window.Arbiter from <http://fb-client-0.petville.zynga.com> (document.domain=<http://zynga.com>).
Source File: http://static.ak.facebook.com/connect/canvas_proxy.php#method=setSize&params=%7B%22height%22%3A166%2C%22width%22%3A760%2C%22frame%22%3A%22iframe_canvas%22%7D
Line: 59

[NoScript XSS] Sanitized suspicious upload to [http://www.facebook.com/plugins/serverfbml.php§DATA§%3Cfb%3Afbml%3E++%3Cstyle+type%3D%22text%2Fcss%22%3E+.main_giftConfirm_cont+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box_yellow.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+300px%3B+%7D+.main_giftConfirm_cont+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.gift_box_holder+%7B+padding%3A24px+150px%3B+%7D+.gift_box_cont+%7B++%09background%3A+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_gift_yellow.png%27%29+top+left+no-repeat%3B++%09width%3A152px%3B+%09height%3A151px%3B+%09padding-top%3A20px%3B+%09float%3Aleft%3B+%7D+.gift_from+%7B+float%3A+left%3B+padding%3A+55px+0px+0px+62px%3B+%7D+.gift_box_cont+.giftConfirm_img+%7B+height%3A+115px%3B+%7D+.gift_box_cont+.giftConfirm_name+%7B+color%3A+%23559890%3B+font-weight%3A+bold%3B+%7D+.from_box_cont+%7B++%09background%3A+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_user_yellow.png%27%29+top+left+no-repeat%3B++%09width%3A117px%3B+%09height%3A115px%3B+%09padding-left%3A1px%3B+%09padding-top%3A23px%3B+%09float%3Aright%3B+%09margin-top%3A15px%3B+%7D+.giftFrom_img+img+%7B+height%3A+50px%3B+%7D+.giftFrom_name+%7B+padding-top%3A+20px%3B+%7D+.giftFrom_name+a%3Alink%2C+.giftFrom_name+a%3Avisited+%7B+color%3A+%233b5998%3B+font-weight%3A+bold%3B+text-decoration%3A+underline%3B+%7D+.giftFrom_name+a%3Ahover%2C+.giftFrom_name+a%3Aactive+%7B+color%3A+%23559890%3B+text-decoration%3A+none%3B+%7D+.morePending_cont+div.text+%7B+font-size%3A+16px%3B+font-weight%3A+bold%3B+margin%3A+10px+0px%3B+%7D+.morePending_cont+div+span+%7B+color%3A+%23559890%3B+%7D+.morePending_bttn+.inputsubmit+%7B+font-size%3A+20px%3B+%7D+.morePending_bttn+span+%7B+margin-right%3A+20px%3B+%7D+.morePending_bttn+form+%7B+display%3A+inline%3B+%7D+.inputbutton%2C+.input
submit+%7B+%09background-color%3A%233B5998%3B+%09border-color%3A%23D9DFEA+%230E1F5B+%230E1F5B+%23D9DFEA%3B+%09border-style%3Asolid%3B+%09border-width%3A1px%3B+%09color%3A%23FFFFFF%3B+%09font-family%3A%22lucida+grande%22%2Ctahoma%2Cverdana%2Carial%2Csans-serif%3B+%09font-size%3A11px%3B+%09%2F*+padding%3A2px+15px+3px%3B+*%2F+%09text-align%3Acenter%3B+%7D+.giftLimit+%7B+padding-bottom%3A+8px%3B+font-size%3A+16px%3B+font-weight%3A+bold%3B+%7D+.gift_email+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box_small_yellow.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+225px%3B+margin-top%3A+10px%3B%7D+.gift_email+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.gift_emailtreats+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box_small_blue_v2.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+225px%3B+margin-top%3A+10px%3B%7D+.gift_emailtreats+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.gift_love+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+265px%3B+margin-top%3A+10px%3B%7D+.gift_love+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.gift_love_holder+%7B+padding%3A45px%3B+%7D+.gift_lovetreats+%7B+background%3A+%23FFFFFF+url%28%27http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fimg%2Fgift%2Fgift_confirm_box_blue.png%27%29+top+left+no-repeat%3B+width%3A+744px%3B+height%3A+265px%3B+margin-top%3A+10px%3B%7D+.gift_lovetreats+h3+%7B+color%3A%23559890%3B+font-size%3A+18px%3B+padding-top%3A+15px%3B+%7D+.bookmark_left+%7B+float%3Aleft%3B+width%3A450px%3B+color%3A+%23559890%3B+font-weight%3A+bold%3B+font-size%3A+16px%3B+text-align%3Aleft%3B+%7D+.bookmark_right+%7B+float%3Aright%3B+%7D+.holiday_
gift_box_holder+%7B+padding%3A+20px+5px+0+5px%3B+color%3A+%23559890%3B+%7D+++%09.gift_box_holder+%7B+padding%3A20px+25px%3B+%7D+%09.gift_box_cont+%7B+margin-left%3A+35px%3B+%7D+%09.from_box_cont+%7B+margin-left%3A+42px%3B+float%3A+left%3B%7D+%09.gift_from+%7B+padding-left%3A+42px%3B+%7D+%09.thank_you_gift+%7B+padding%3A+55px+0+0+22px%3B+%7D+%09.thank_you_text+%7B+margin-top%3A+10px%3B+color%3A+%23559890%3B+font-weight%3A+bold%3B+font-size%3A+18px%3B+%7D++%3C%2Fstyle%3E++%3Cdiv+class%3D%22padding_content+center%22%3E+%3Ccenter%3E+%09%09%09%3Cdiv+class%3D%22main_giftConfirm_cont%22%3E+%09%09%09%3Ch3%3EYou+just+accepted+this+Winkz+the+Pomhuahua%3C%2Fh3%3E+%09%09%09%09%09%09%09%3Cdiv+class%3D%22gift_box_holder%22%3E+%09%09%09%09%3Cdiv+class%3D%22gift_box_cont%22%3E+%09%09%09%09%09%3Cdiv+class%3D%22giftConfirm_img%22%3E+%09%09%09%09%09%09%09%09%09%09%09%3Cimg+src%3D%22http%3A%2F%2Fassets.petville.zynga.com%2Fprod%2Fv9447%2Fassets%2Fstuff%2Fanimal%2Fanimal_00063_pomhuahua_icon.png%22+style%3D%22margin%3A+10px%3B%22%3E+%09%09%09%09%09%09%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%09%3Cdiv+class%3D%22giftConfirm_name%22%3E%3Cspan%3EWinkz+the+Pomhuahua%3C%2Fspan%3E%3C%2Fdiv%3E+%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%3Cdiv+class%3D%22gift_from%22%3E%3Ch3%3EFrom%3C%2Fh3%3E%3C%2Fdiv%3E+%09%09%09%09%3Cdiv+class%3D%22from_box_cont%22%3E+%09%09%09%09%09%09%09%09%09%09%3Cdiv+class%3D%22giftFrom_img%22%3E%3Cimg+src%3D%22https%3A%2F%2Fgraph.facebook.com%2F1537624569%2Fpicture%3Ftype%3Dsquare%22%3E%3C%2Fdiv%3E+%09%09%09%09%09%3Cdiv+class%3D%22giftFrom_name%22%3E%3Cspan%3ECarol+Craft%3C%2Fspan%3E%3C%2Fdiv%3E+%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%09%09%09%09%09%3Cdiv+class%3D%22thank_you_gift%22%3E+%09%09%09%09%09%09%3Cfb%3Arequest-form+action%3D%22http%3A%2F%2Ffb-client-0.petville.zynga.com%2Fcurrent%2Fgifts_send.php%3Faction%3Dsentthankyougift%26amp%3Bpv_session%3D9e0db256fabfb6ca69e26aeee2cbee8f%26amp%3BreceiverGift%3D%26amp%3BgiftRecipient%3D1537624569%26amp%3Bts%3D1283450939%26amp%3Bgift%3
D6325%26amp%3Bref%3Dtab%26amp%3Bkey%3Dcaa2d7c36adce392334fc9bf5c8b1408%24%24heG0TZQW4YKM2l0mNrM%28U%28Jz2HMQSI*2OoS2V6%2805guMbeOeK-6jFWhcx*5*WQbEp0YNEXsG1Q-MTJ*nwb_waU_7Qd4V_yieRSE%22+method%3D%22post%22+invite%3D%22false%22+type%3D%22PetVille+Gift%22+content%3D%22Thank+you+for+your+gift.+Here+is+a+Winkz+the+Pomhuahua+for+your+pet+in+PetVille+as+a+Thank+you+gift.+Could+you+help+me+by+sending+a+gift+back%3F++%26lt%3Bfb%3Areq-choice+url%3D%27http%3A%2F%2Fapps.facebook.com%2Fpetvillegame%2Fgiftaccept.php%3FsenderId%3D621465247%26amp%3Bgift%3D6325%26amp%3Btimestamp%3D1283450939%26amp%3Bref%3Dtab%26amp%3Bkey%3Dcaa2d7c36adce392334fc9bf5c8b1408%24%24heG0TZQW4YKM2l0mNrM%28U%28Jz2HMQSI*2OoS2V6%2805guMbeOeK-6jFWhcx*5*WQbEp0YNEXsG1Q-MTJ*nwb_waU_7Qd4V_yieRSE%26amp%3Bsignature%3D4d5692691d8a958f54c047858dc37872%27+label%3D%27Accept+Gift%27%26gt%3B%26lt%3B%2Ffb%3Arequest%26gt%3B%22%3E+%09%09%09%09%09%09%09+%09%09%09%09%09%09%09++++++++++++%09+%09%09%09%09%09%09%09++++++++++++%3Cfb%3Arequest-form-submit+label%3D%22Send+%25n+a+Thank+you+gift%22+uid%3D%221537624569%22%3E%3C%2Ffb%3Arequest-form-submit%3E%3C%2Ffb%3Arequest-form%3E+%09%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%09%3Cdiv+class%3D%22thank_you_text%22%3EFriends+send+gifts+they+want+back%21%3C%2Fdiv%3E+%09%09%09%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%09%3C%2Fdiv%3E+%09%09%09%09%3Cdiv+class%3D%22morePending_cont%22%3E+%09%09%09%3Cdiv+class%3D%22text%22%3EDo+you+have+more+pending+gifts+to+accept%3F%3C%2Fdiv%3E+%09%09%09%3Cdiv+class%3D%22morePending_bttn%22%3E+%09%09%09%09%3Cform+action%3D%22http%3A%2F%2Fapps.facebook.com%2Fpetvillegame%2Fgiftaccept.php%3FreqType%3Dyes%22+method%3D%22post%22+target%3D%22_top%22%3E+%09%09%09%09%09%3Cspan%3E+%09%09%09%09%09%09%3Cinput+class%3D%22inputsubmit%22+value%3D%22Yes%22+type%3D%22submit%22%3E+%09%09%09%09%09%3C%2Fspan%3E+%09%09%09%09%3C%2Fform%3E+%09%09%09%09%3Cform+action%3D%22http%3A%2F%2Fapps.facebook.com%2Fpetvillegame%2Fgiftaccept.php%3FreqType%3Dno%22+method%3D%22post%22+target%3D%22_top
%22%3E+%09%09%09%09++++%09%09%09%09%09%3Cinput+class%3D%22inputsubmit%22+value%3D%22No%22+type%3D%22submit%22%3E+%09%09%09%09%3C%2Fform%3E+%09%09%09%3C%2Fdiv%3E+%09%09%09%3Cdiv+class%3D%22text%22%3E%3Cspan%3EPlease+remember+to+accept+each+gift+right+away.%3C%2Fspan%3E%3C%2Fdiv%3E+%09%09%3C%2Fdiv%3E+%09%3C%2Fcenter%3E+%3C%2Fdiv%3E+%3C%2Ffb%3Afbml%3E] from [http://fb-client-0.petville.zynga.com/current/giftaccept.php?overlayed=true&senderId=1537624569&gift=6325&timestamp=1283445289&ref=tab&key=585cb450f2ae366f2e69504dc63275f2%24%24chI3TWSX37bZYhg8M-o-XQc!eHAoclFCzdtf)d3S34vP4gBa.pkPwcCC8r9UcR4H%2CtsxqvnltYp%2ChAnIWUnA)a(0TOx&signature=dd52b63e7027bf338c9ba2e890b471e0&pv_session=9e0db256fabfb6ca69e26aeee2cbee8f&overlayed=true&1283450814534#overlay]: transformed into a download-only GET request.

Re: XSS False Positive and Zynga.com

Posted: Thu Sep 02, 2010 11:29 pm
by Giorgio Maone
The only NoScript-specific message is the latter.

Could you check the latest development build (2.0.2.5rc1)?

Re: XSS False Positive and Zynga.com

Posted: Sat Sep 04, 2010 3:06 am
by BlueDrache
I was unable to test the release candidate, but I will let you know if the released version works without the false positive ... now all I need is someone to send me a gift on Petville. :/

Re: XSS False Positive and Zynga.com

Posted: Sat Sep 04, 2010 4:01 pm
by BlueDrache
This issue appears to be resolved for the time being.