I'm having a problem with NoScript on Firefox 12, in OS X (Macintosh). This problem doesn't occur in Windows. Disabling the NoScript extension under OS X resolves the problem. This problem occurs with the latest development build of NoScript (2.4.4rc1) as well.
When NoScript is enabled (in OS X), the following URLs get mangled when being sent to the web server:
http://graphite.coloradomesa.edu/render?target=threshold(10,%27Warning%27)&target=aliasSub(scale(averageAbove(groupByNode(vmstats.*.cpu.ready.*.summation,1,%27averageSeries%27),75),0.005),%27.*[(](.*),0.0[)]%27,%27\1%27)&hideLegend=false&from=-4h&height=1200&width=999&vtitle=%RDYCPU
http://graphite.coloradomesa.edu/render?target=threshold%2810,%27Warning%27%29&target=aliasSub%28scale%28averageAbove%28groupByNode%28vmstats.*.cpu.ready.*.summation,1,%27averageSeries%27%29,75%29,0.005%29,%27.*%5B%28%5D%28.*%29,0.0%5B%29%5D%27,%27%5C1%27%29&hideLegend=false&from=-4h&height=1200&width=999&vtitle=%25RDYCPU
Using ngrep, I see it requesting the following page from the web server:
GET /render?target=threshold%2010%2C%20Warning%20%20&target=aliasSub%20scale%20averageAbove%20groupByNode%20vmstats.*.cpu.ready.*.summation%2C1%2C%20averageSeries%20%20%2C75%20%2C0.005%20%2C%20.*%20%20%20%20.*%20%2C0.0%20%20%20%20%2C%20%201%20%20&hideLegend=false&from=-4h&height=1200&width=999&vtitle=%RDYCPU
When NoScript is disabled, it requests the following page instead:
GET /render?target=threshold%2810,%27Warning%27%29&target=aliasSub%28scale%28averageAbove%28groupByNode%28vmstats.*.cpu.ready.*.summation,1,%27averageSeries%27%29,75%29,0.005%29,%27.*%5B%28%5D%28.*%29,0.0%5B%29%5D%27,%27%5C1%27%29&hideLegend=false&from=-4h&height=1200&width=999&vtitle=%25RDYCPU
Thoughts?
URL parsing broken on OS X?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
- Giorgio Maone
- Site Admin
- Posts: 9527
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: URL parsing broken on OS X?
It seems the XSS filter is being triggered by the JavaScript-compatible syntax used in your URLs.
Could you please search your Error Console (Ctrl+Shift+J) for [NoScript XSS] lines when this happens and provide more details on the web application and its use cases?
Thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Re: URL parsing broken on OS X?
(I'm still restructuring data -- the URL changed slightly. Here is the new URL as it appears in the raw link in a web page:
http://graphite.coloradomesa.edu/render?target=threshold%2810,%27Warning%27%29&target=aliasSub%28scale%28averageAbove%28groupByNode%28vmstats.vcenter.vm.*.cpu.ready.*.summation,1,%27averageSeries%27%29,75%29,0.005%29,%27.*%5B%28%5D%28.*%29,0.0%5B%29%5D%27,%27%5C1%27%29&hideLegend=false&from=-4h&height=1200&width=999&yMin=0&vtitle=%25RDYCPU
I looked at the Error Console in Firefox; the following two lines are emitted when I click on the link:
[NoScript InjectionChecker] JavaScript Injection in coalesced:///rendertarget=threshold(10,'Warning'), aliasSub(scale(averageAbove(groupByNode(vmstats.vcenter.vm.*.cpu.ready.*.summation,1,'averageSeries'),75),0.005),'.*[(](.*),0.0[)]','\1')&hideLegend=false&from=-4h&height=1200&width=999&yMin=0&vtitle=%RDYCPU
(function anonymous() {rendertarget = threshold(10, "Warning"), aliasSub(scale(averageAbove(groupByNode(vmstats.vcenter.vm.*.cpu.ready.*.summation, 1, "averageSeries"), 75), 0.005), ".*[(](.*),0.0[)]", "\x01");DUMMY_EXPR;})
[NoScript XSS] Sanitized suspicious request. Original URL [http://graphite.coloradomesa.edu/render?target=threshold%2810,%27Warning%27%29&target=aliasSub%28scale%28averageAbove%28groupByNode%28vmstats.vcenter.vm.*.cpu.ready.*.summation,1,%27averageSeries%27%29,75%29,0.005%29,%27.*%5B%28%5D%28.*%29,0.0%5B%29%5D%27,%27%5C1%27%29&hideLegend=false&from=-4h&height=1200&width=999&yMin=0&vtitle=%25RDYCPU] requested from [http://logger.coloradomesa.edu/~mrtg/]. Sanitized URL: [http://graphite.coloradomesa.edu/render?target=threshold%2010%2C%20Warning%20%20&target=aliasSub%20scale%20averageAbove%20groupByNode%20vmstats.vcenter.vm.*.cpu.ready.*.summation%2C1%2C%20averageSeries%20%20%2C75%20%2C0.005%20%2C%20.*%20%20%20%20.*%20%2C0.0%20%20%20%20%2C%20%201%20%20&hideLegend=false&from=-4h&height=1200&width=999&yMin=0&vtitle=%25RDYCPU#4792754045911972463].
The application is the Graphite rendering engine, for visualizing statistics. The URL tells the rendering engine what stats to process and which ones to display. When the "scrambled" (i.e. broken) URL is passed to the web server, the rendering engine fails to properly process it and reports "No data" back as a result. Looking at the "final" URL in the web browser, I see that all of the parens (both opening and closing ones, %28 and %29) are turned into spaces (%20).
Does that answer your question?
Thanks.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
- Giorgio Maone
- Site Admin
Re: URL parsing broken on OS X?
The problem is that the data you pass is syntactically valid and relatively complex JavaScript, and therefore triggers the filter.
You can work around this by adding the following line to your NoScript Options|Advanced|XSS exceptions box:
^https?://graphite\.coloradomesa\.edu/render\?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
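To make the two log lines above concrete, here is an added example in JavaScript (my own model, not NoScript's code) of the behaviour they show: the decoded `name=value` pair `target=threshold(10,'Warning')` is a syntactically valid JavaScript statement with a function call in it, so the filter fires and rewrites every bracket, quote and backslash in the query to a space before re-encoding. The Original URL and Sanitized URL are copied from daniel314's [NoScript XSS] line (fragment omitted); the exception pattern is the one Giorgio gives. Function names are illustrative and do not correspond to NoScript internals. One caveat on the second `target`: Firefox 12's engine still accepted E4X wildcard syntax, so `vm.*.cpu` parsed there too; a current engine rejects it, so in this model only the first `target` trips the check, which is enough to sanitize the whole request.

```javascript
// Added example, not NoScript's own code: a simplified model of the
// InjectionChecker behaviour visible in the thread's Error Console lines.
// percentDecode, isJsLike, sanitizeUrl and applyXssFilter are illustrative
// names and do not correspond to NoScript internals.

// Original and sanitized URLs copied from the [NoScript XSS] log line in the
// thread (the "#4792754045911972463" fragment NoScript appends is omitted).
const ORIGINAL_URL = 'http://graphite.coloradomesa.edu/render?target=threshold%2810,%27Warning%27%29&target=aliasSub%28scale%28averageAbove%28groupByNode%28vmstats.vcenter.vm.*.cpu.ready.*.summation,1,%27averageSeries%27%29,75%29,0.005%29,%27.*%5B%28%5D%28.*%29,0.0%5B%29%5D%27,%27%5C1%27%29&hideLegend=false&from=-4h&height=1200&width=999&yMin=0&vtitle=%25RDYCPU';
const SANITIZED_URL = 'http://graphite.coloradomesa.edu/render?target=threshold%2010%2C%20Warning%20%20&target=aliasSub%20scale%20averageAbove%20groupByNode%20vmstats.vcenter.vm.*.cpu.ready.*.summation%2C1%2C%20averageSeries%20%20%2C75%20%2C0.005%20%2C%20.*%20%20%20%20.*%20%2C0.0%20%20%20%20%2C%20%201%20%20&hideLegend=false&from=-4h&height=1200&width=999&yMin=0&vtitle=%25RDYCPU';

// The exception suggested in the thread, exactly as typed into the XSS exceptions box.
const XSS_EXCEPTIONS = ['^https?://graphite\\.coloradomesa\\.edu/render\\?'];

// Tolerant single-pass percent-decoder: leaves malformed escapes such as
// "%RDYCPU" (from the first post's URL) untouched instead of throwing.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Split a URL into its base and decoded [name, value] pairs.
function parseQuery(url) {
  const hash = url.indexOf('#');
  if (hash >= 0) url = url.slice(0, hash);
  const q = url.indexOf('?');
  const base = q < 0 ? url : url.slice(0, q);
  const pairs = q < 0 ? [] : url.slice(q + 1).split('&').map(p => {
    const eq = p.indexOf('=');
    return eq < 0 ? [percentDecode(p), '']
                  : [percentDecode(p.slice(0, eq)), percentDecode(p.slice(eq + 1))];
  });
  return { base, pairs };
}

// The check: does "name=value", decoded, read as a JavaScript statement that
// contains a call? "target=threshold(10,'Warning')" is an assignment whose
// right-hand side is a function call, which is exactly what the log reports.
// A bare literal such as "hideLegend=false" is valid JS too, so requiring a
// call expression keeps ordinary query strings from tripping this model.
function isJsLike(name, value) {
  const candidate = `${name}=${value}`;
  if (!/[A-Za-z_$][\w$]*\s*\(/.test(candidate)) return false;
  try { new Function(candidate); return true; } catch (e) { return false; }
}

// The repair seen in the log: each JS-significant bracket, quote and backslash
// becomes a space, then the value is re-encoded (space -> %20, comma -> %2C,
// % -> %25). Graphite receives "threshold 10, Warning" and answers "No data".
function sanitizeValue(value) {
  return encodeURIComponent(value.replace(/[()'"\[\]\\]/g, ' '));
}

function sanitizeUrl(url) {
  const { base, pairs } = parseQuery(url);
  if (!pairs.some(([n, v]) => isJsLike(n, v))) return { sanitized: false, url };
  const query = pairs.map(([n, v]) => `${encodeURIComponent(n)}=${sanitizeValue(v)}`).join('&');
  return { sanitized: true, url: `${base}?${query}` };
}

// Exceptions are regular expressions matched against the full request URL;
// a hit skips the filter entirely, which is why pairing it with ABE matters.
function applyXssFilter(url, exceptions) {
  if (exceptions.some(re => new RegExp(re).test(url))) {
    return { sanitized: false, url, excepted: true };
  }
  return sanitizeUrl(url);
}

// Stand-alone demo: both lines print true.
console.log(sanitizeUrl(ORIGINAL_URL).url === SANITIZED_URL);      // reproduces the log's Sanitized URL
console.log(applyXssFilter(ORIGINAL_URL, XSS_EXCEPTIONS).excepted === true); // exception lets it through untouched
```

The model reproduces the Sanitized URL byte for byte from the Original URL, which confirms the rewrite is purely mechanical: it never looks at what Graphite means by the parentheses, only at whether the text would parse as script. That is also the reason the regex exception is a blunt tool: it disables the check for every `/render?` request to that host, not just for well-formed Graphite targets.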
Re: URL parsing broken on OS X?
That resolved my problem -- thanks!
(It seems odd that NoScript only modified the URL under OS X, though....)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Re: URL parsing broken on OS X?
daniel314 wrote:
That resolved my problem -- thanks!
(It seems odd that NoScript only modified the URL under OS X, though....)
As usual, I suggest that whenever you add an XSS exception, you should protect the site with ABE, to prevent actual attacks:
Site .graphite.coloradomesa.edu
Accept from SELF
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0