Possible bug in XSS filter

PassingThrough · Post by **PassingThrough** » Wed Jan 05, 2011 3:57 am

It seems that the XSS filter replaces all brackets "(" and ")" with %20 instead of %28 and %29. Is this an intended/necessary switch?

Sample console output:

[NoScript XSS] Sanitized suspicious request.
Original URL [http://msdn.microsoft.com/query/dev10.q ... P)&rd=true] requested from [chrome://browser/content/browser.xul].
Sanitized URL: [http://msdn.microsoft.com/query/dev10.q ... 9468807261].

Post by **Giorgio Maone** » Wed Jan 05, 2011 9:30 am

No, not all the brackets.
Just those which occurs in URLs which contain syntactically valid JavaScript fragments and are requested cross-site (or 1st request).
Notice that a "syntactically valid" JavaScript fragment doesn't necessarily executes as JavaScript, but it does compile as such and it's the best you can check to say "this is JavaScript" without actually executing.
Your request, unfortunately, passes the test.

PassingThrough · Post by **PassingThrough** » Wed Jan 05, 2011 11:31 am

Just to get this straight. NoScript checks cross-site URLs for valid JavaScript fragments. It then disables URLs which meet the criteria by replacing all brackets in them with spaces. Is that accurate?

Post by **Giorgio Maone** » Wed Jan 05, 2011 11:56 am

PassingThrough wrote:Just to get this straight. NoScript checks cross-site URLs for valid JavaScript fragments.

And for "dangerous" HTML fragments as well.

PassingThrough wrote:It then disables URLs which meet the criteria by replacing all brackets in them with spaces.

It performs some replacements to neutralize the payload, including the one you described.

InformAction Forums

Possible bug in XSS filter

Possible bug in XSS filter

Re: Possible bug in XSS filter

Re: Possible bug in XSS filter

Re: Possible bug in XSS filter