
[Resolved] Buy.com SellerTools XSS FalsePositive

Posted: Fri May 11, 2012 2:31 pm
by Guest
We ran into a bit of a problem when using Buy.com SellerTools - there's a false positive when uploading inventory feeds.

To replicate, log in to Buy.com and go to: https://sellertools.marketplace.buy.com ... pload.aspx

You will be redirected here on file upload - http://trade.marketplace.buy.com/FileUpload.aspx

Here's the feedback from console:

Code:

[NoScript InjectionChecker] HTML injection:
<script
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:e(?:rror(?:update)?|nd)|c(?:o(?:nt(?:extmenu|rolselect)|py)|ut|lick|(?:ellc)?hange)|m(?:o(?:ve(?:end|start)?|use(?:o(?:ut|ver)|up|(?:mo|lea)ve|down|wheel|enter))|essage)|lo(?:ad|secapture)|d(?:r(?:ag(?:en(?:d|ter)|drop|over|leave|start)?|op)|ata(?:setc(?:hanged|omplete)|available)|blclick|eactivate)|s(?:t(?:op|art)|elect(?:start)?|croll|ubmit)|b(?:e(?:for(?:e(?:c(?:ut|opy)|p(?:aste|rint)|u(?:pdate|nload)|activate|editfocus)|deactivate)|gin)|lur|ounce)|p(?:ast|ropertychang)e|key(?:up|down|press)|f(?:o(?:cus(?:in|out)?|rm(?:input|change))|i(?:nish|lterchange))|in(?:put|valid)|a(?:fter(?:print|update)|bort|ctivate)|r(?:e(?:s(?:et|ize)|peat|adystatechange)|ow(?:e(?:xit|nter)|s(?:delete|inserted)))|zoom|help|unload))[\s\x08]*=

Code:

[NoScript XSS] Sanitized suspicious upload to [http://trade.marketplace.buy.com/FileUpload.aspx###DATA###
] from [https://sellertools.marketplace.buy.com/SellerFileUpload.aspx]: transformed into a download-only GET request.

Any help on whitelisting this would be appreciated. We have tried several attempts at exceptions, but the problem keeps happening unless NoScript is totally disabled.

Re: Buy.com SellerTools XSS FalsePositive

Posted: Fri May 11, 2012 8:23 pm
by Giorgio Maone
Add the following line to your NoScript Options|Advanced|XSS exception box:

Code:

^@https://sellertools\.marketplace\.buy\.com/SellerFileUpload\.aspx$

Re: Buy.com SellerTools XSS FalsePositive

Posted: Mon May 14, 2012 5:34 pm
by Guest
Thanks for the response; unfortunately, it still blocks the script even with the exception added.

Code:

[NoScript InjectionChecker] HTML injection:
<script
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:e(?:rror(?:update)?|nd)|c(?:o(?:nt(?:extmenu|rolselect)|py)|ut|lick|(?:ellc)?hange)|m(?:o(?:ve(?:end|start)?|use(?:o(?:ut|ver)|up|(?:mo|lea)ve|down|wheel|enter))|essage)|lo(?:ad|secapture)|d(?:r(?:ag(?:en(?:d|ter)|drop|over|leave|start)?|op)|ata(?:setc(?:hanged|omplete)|available)|blclick|eactivate)|s(?:t(?:op|art)|elect(?:start)?|croll|ubmit)|b(?:e(?:for(?:e(?:c(?:ut|opy)|p(?:aste|rint)|u(?:pdate|nload)|activate|editfocus)|deactivate)|gin)|lur|ounce)|p(?:ast|ropertychang)e|key(?:up|down|press)|f(?:o(?:cus(?:in|out)?|rm(?:input|change))|i(?:nish|lterchange))|in(?:put|valid)|a(?:fter(?:print|update)|bort|ctivate)|r(?:e(?:s(?:et|ize)|peat|adystatechange)|ow(?:e(?:xit|nter)|s(?:delete|inserted)))|zoom|help|unload))[\s\x08]*=

Code:

[NoScript XSS] Sanitized suspicious upload to [http://trade.marketplace.buy.com/FileUpload.aspx###DATA###/wEPDwULLTE5NDA0MDYzNTYPZBYCZg9kFgRmD2QWBAIBDxYCHgRUZXh0BT08c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIgc3JjPSIvTVBTVFNjcmlwdC5qcyI+PC9zY3JpcHQ+ZAIDDxYCHgRocmVmBQ8vTVBTVFN0eWxlcy5jc3NkAgEPFgIeB2VuY3R5cGUFE211bHRpcGFydC9mb3JtLWRhdGEWCmYPFgIfAAUgU2VsbGVyIEFjY291bnQgZm9yIFRoaW5rRmFzdFRveXNkAgEPFgIfAAUOIC0gVXBsb2FkIEZpbGVkAgIPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUoaHR0cHM6Ly9zZWxsZXJ0b29scy5tYXJrZXRwbGFjZS5idXkuY29tL2RkAgQPZBYGZg8PFgIfAAV0PHVsPjxsaT5ObyBmaWxlIHdhcyB1cGxvYWRlZC4gUGxlYXNlIGJlIHN1cmUgdG8gc2VsZWN0IHRoZSBhcHByb3ByaWF0ZSBmaWxlIHR5cGUgYW5kIHNwZWNpZnkgYSB2YWxpZCBmaWxlLjwvbGk+PC91bD5kZAICDw8WAh4LUG9zdEJhY2tVcmwFMGh0dHA6Ly90cmFkZS5tYXJrZXRwbGFjZS5idXkuY29tL0ZpbGVVcGxvYWQuYXNweGRkAgMPFgIfAAXgATxpbnB1dCB0eXBlPSJIaWRkZW4iIG5hbWU9IlNob3BwZXJOdW0iIHZhbHVlPSI0MjI1QjAxN0IwQTA4MUY0QTQ4MERBNDlBMjA1OUVBMDE1RjE1NzkzNkE0Q0ZCQ0NCN0EyQjNBNzBCN0M1MjlFIi8+PGlucHV0IHR5cGU9IkhpZGRlbiIgbmFtZT0iUmVkaXJlY3RVcmwiIHZhbHVlPSJodHRwczovL3NlbGxlcnRvb2xzLm1hcmtldHBsYWNlLmJ1eS5jb20vU2VsbGVyRmlsZVVwbG9hZC5hc3B4Ii8+ZAIFDxYCHwAFBDIwMTJkZC16souKOn76TdXY3G+DYekfdFVD
] from [https://sellertools.marketplace.buy.com/SellerFileUpload.aspx?0=0&rc=4]: transformed into a download-only GET request.
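
Added example, not from this thread or from NoScript's own code: decoding the __VIEWSTATE value quoted in the log above shows why the InjectionChecker fired (the ASP.NET view state decodes to markup containing a literal script tag, so the upload looks like reflected HTML), and modelling the two exception patterns from this thread against the two origin URLs in the logs shows why the trailing "$" had to go once the origin gained a query string. Two assumptions are labelled in the code: the tag regex is applied case-insensitively, and the part of the exception after "^@" is matched against the origin URL from its start. NoScript's real matching code is not on this page.

```python
"""Why NoScript's InjectionChecker fired on the Buy.com upload, and why the
first XSS exception did not cover the second log's origin. Added example."""
import base64
import re
from typing import List, Optional

# A 4-aligned prefix (140 chars) of the ###DATA### value quoted in the log
# above, long enough to cover the embedded <script> tag. The string is taken
# from the page; decoding it is ours.
VIEWSTATE_PREFIX = (
    "/wEPDwULLTE5NDA0MDYzNTYPZBYCZg9kFgRmD2QWBAIBDxYCHgRUZXh0BT08c2NyaXB0IHR5cGU9"
    "InRleHQvamF2YXNjcmlwdCIgc3JjPSIvTVBTVFNjcmlwdC5qcyI+PC9zY3JpcHQ+"
)

# The tag-matching half of the regex NoScript printed ("<script matches ..."),
# shortened to a few tag names. The \W* between letters is what lets it catch
# obfuscations such as "<scr/ipt". re.IGNORECASE is our assumption about how
# NoScript applies it (the decoded tag here is lowercase anyway).
TAG_RE = re.compile(
    r"""<[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*"""
    r"""(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e"""
    r"""|(?:\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*i?\W*f\W*r\W*a\W*m\W*e)[^>\w])""",
    re.IGNORECASE,
)

# The two exception lines Giorgio posted in this thread, and the two origins
# NoScript reported in the two logs (the second one carries a query string).
EXCEPTION_STRICT = r"^@https://sellertools\.marketplace\.buy\.com/SellerFileUpload\.aspx$"
EXCEPTION_RELAXED = r"^@https://sellertools\.marketplace\.buy\.com/SellerFileUpload\.aspx"
ORIGINS = [
    "https://sellertools.marketplace.buy.com/SellerFileUpload.aspx",
    "https://sellertools.marketplace.buy.com/SellerFileUpload.aspx?0=0&rc=4",
]


def decode_viewstate(b64: str) -> bytes:
    """Decode a __VIEWSTATE value; the payload is binary with embedded text."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded)


def find_injection(text: str) -> Optional[str]:
    """Return the first fragment the tag matcher flags, or None if clean."""
    m = TAG_RE.search(text)
    return m.group(0) if m else None


def flagged_fragments(b64_payload: str) -> List[str]:
    """Check the payload as sent and after base64 decoding, the way a filter
    that unwraps encodings does, and report every fragment that is flagged."""
    hits = []
    raw = find_injection(b64_payload)      # base64 has no '<', so clean
    if raw:
        hits.append(raw)
    decoded = decode_viewstate(b64_payload).decode("latin-1")  # bytes kept 1:1
    dec = find_injection(decoded)
    if dec:
        hits.append(dec)
    return hits


def origin_exempt(exception: str, origin: str) -> bool:
    """Simplified model (our assumption): the text after '^@' is a regex that
    must match the origin URL from its start."""
    pattern = exception[len("^@"):] if exception.startswith("^@") else exception
    return re.match(pattern, origin) is not None


if __name__ == "__main__":
    print("flagged:", flagged_fragments(VIEWSTATE_PREFIX))
    for exc in (EXCEPTION_STRICT, EXCEPTION_RELAXED):
        print(exc, [origin_exempt(exc, o) for o in ORIGINS])
```

Running it prints `['<script']` for the view state, `[True, False]` for the exception ending in `$` and `[True, True]` for the relaxed one: the anchored pattern stops matching as soon as the upload page redirects back with `?0=0&rc=4`, which is exactly what the second log shows.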

Re: Buy.com SellerTools XSS FalsePositive

Posted: Mon May 14, 2012 6:23 pm
by Giorgio Maone
OK, please try replacing the previous exception with:

Code:

^@https://sellertools\.marketplace\.buy\.com/SellerFileUpload\.aspx

(notice I removed the trailing "$").

Re: Buy.com SellerTools XSS FalsePositive

Posted: Tue May 15, 2012 4:50 pm
by Guest
This works perfectly, thank you for your help!

Re: Buy.com SellerTools XSS FalsePositive

Posted: Tue May 15, 2012 8:50 pm
by Thrawn
Might also want to protect the site with ABE, e.g.:

Code:

Site .buy.com
Accept from SELF++
Deny

just in case there's a real XSS attack at some point.