[Possible False Positives] XSS


Post by Joe Pistachio »

Happens with the latest 2 (or 3) stable versions of NoScript, while there was no alert, previously:

This one happens on BayFiles, on pages such as .

Log from the error console:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized URL: [http://bayfiles.com/file/dUNf/sk6Epj/Bachman,Richard%20King,Stephen%20-Running_man.%20The_Running_man%20.%201982%20.French.ebook.AlexandriZ.rar#24127809571007952758].

[NoScript XSS] Sanitized suspicious referrer request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar (REF: http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ)] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized  referrer: [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ].

[NoScript InjectionChecker] JavaScript Injection in ///dw.php?f=Bachman,Richard(King,Stephen)-Running+man(The+Running+man)(1982).French.ebook.AlexandriZ
(function anonymous() {f = Bachman, Richard(King, Stephen) - Running + man(The + Running + man)(1982).French.ebook.AlexandriZ;DUMMY_EXPR;})

[NoScript InjectionChecker] JavaScript Injection in ///file/dUNf/sk6Epj/Bachman,Richard(King,Stephen)-Running_man.(The_Running_man).(1982).French.ebook.AlexandriZ.rar
(function anonymous() {file / dUNf / sk6Epj / Bachman, Richard(King, Stephen) - Running_man.(The_Running_man).((1982)).French.ebook.AlexandriZ.rar;DUMMY_EXPR;})

The page has to be reloaded unsecured, otherwise you get an "Invalid security token. Please check your link." from BayFiles and therefore can't download.




This one happens on pages such as http://www.teamalexandriz.org/dw.php?f= ... 4508109869

Log from the error console:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ#6640088919449771167].

[NoScript InjectionChecker] JavaScript Injection in ///dw.php?f=Bachman,Richard(King,Stephen)-Running+man(The+Running+man)(1982).French.ebook.AlexandriZ
(function anonymous() {f = Bachman, Richard(King, Stephen) - Running + man(The + Running + man)(1982).French.ebook.AlexandriZ;DUMMY_EXPR;})



This one is trivial, since you have to use the Update Scanner add-on.
It then depends on the pages you add to Update Scanner, but it particularly shows on pages from Userscripts, such as http://userscripts.org/scripts/review/69797.
Upon opening said pages from Update Scanner (the address being of the form chrome://updatescan/content/diffPage.xul?id=11467&title=Source%20for%20%22RedirectionHelper%22%20-%20Userscripts.org&url=http%3A//userscripts.org/scripts/review/69797&oldDate=yesterday%20%E0%2015%3A15&newDate=today%27hui%20%E0%203%3A37&delay=0 ), you'll get an XSS alert from [about:blank].
Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1

Re: [Possible False Positives] XSS

Post by Thrawn »

Joe Pistachio wrote:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized URL: [http://bayfiles.com/file/dUNf/sk6Epj/Bachman,Richard%20King,Stephen%20-Running_man.%20The_Running_man%20.%201982%20.French.ebook.AlexandriZ.rar#24127809571007952758].

[NoScript XSS] Sanitized suspicious referrer request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar (REF: http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ)] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized  referrer: [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ].

[NoScript InjectionChecker] JavaScript Injection in ///dw.php?f=Bachman,Richard(King,Stephen)-Running+man(The+Running+man)(1982).French.ebook.AlexandriZ
(function anonymous() {f = Bachman, Richard(King, Stephen) - Running + man(The + Running + man)(1982).French.ebook.AlexandriZ;DUMMY_EXPR;})

[NoScript InjectionChecker] JavaScript Injection in ///file/dUNf/sk6Epj/Bachman,Richard(King,Stephen)-Running_man.(The_Running_man).(1982).French.ebook.AlexandriZ.rar
(function anonymous() {file / dUNf / sk6Epj / Bachman, Richard(King, Stephen) - Running_man.(The_Running_man).((1982)).French.ebook.AlexandriZ.rar;DUMMY_EXPR;})

The URL in question does indeed look very much like JavaScript, especially when you look at the [NoScript InjectionChecker] entries. Not the best page design, but I doubt they're going to change it. I'd suggest writing an XSS filter exception (Options-Advanced-XSS), and protecting the site with an ABE rule similar to:

Code:

Site .bayfiles.com
Accept from SELF++
Deny

You'll need to know regular expression syntax to write the XSS filter exception; if that's beyond you, then you can ask for help here (or ask a search engine).

Joe Pistachio wrote: This one happens on pages such as http://www.teamalexandriz.org/dw.php?f= ... 4508109869

As above.

Joe Pistachio wrote: This one is trivial, since you have to use the Update Scanner add-on.
It then depends on the pages you add to Update Scanner, but it particularly shows on pages from Userscripts, such as http://userscripts.org/scripts/review/69797.
Upon opening said pages from Update Scanner (the address being of the form chrome://updatescan/content/diffPage.xul?id=11467&title=Source%20for%20%22RedirectionHelper%22%20-%20Userscripts.org&url=http%3A//userscripts.org/scripts/review/69797&oldDate=yesterday%20%E0%2015%3A15&newDate=today%27hui%20%E0%203%3A37&delay=0 ), you'll get an XSS alert from [about:blank].

I presume that XSS filter exceptions work for chrome URLs? Can anyone confirm this?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
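
Added example, not part of either post and not NoScript's own code: a simplified syntax check showing why the decoded dw.php query from the log is flagged while the sanitized form is not, plus a narrowly anchored exception pattern of the kind suggested in the reply. The names looksInjected, EXCEPTION and isExempt, the call-plus-assignment heuristic, and matching the exception against the URL exactly as logged are assumptions of this sketch.

```javascript
// Added illustration; simplified, not NoScript's actual InjectionChecker code.
// Both URLs are copied from the error-console log quoted in the thread.
const ORIGINAL =
  "http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ";
const SANITIZED =
  "http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ#6640088919449771167";

// Decoded query string: the text the log shows inside "function anonymous() {...}".
function decodedQuery(url) {
  return decodeURIComponent(new URL(url).search.slice(1));
}

// Syntax check only: new Function() compiles the text but never calls it.
function parsesAsJs(text) {
  try {
    new Function(text + ";");
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Assumed heuristic for this sketch: text that parses and contains both
// a call "name(" and an assignment "name=" is treated as suspicious.
function looksInjected(url) {
  const q = decodedQuery(url);
  return parsesAsJs(q) && /\w\s*\(/.test(q) && /\w\s*=/.test(q);
}

// Hypothetical exception pattern: anchored at both ends, host dots escaped,
// one script, one parameter, and only the escapes seen in the logged URL.
const EXCEPTION =
  /^http:\/\/www\.teamalexandriz\.org\/dw\.php\?f=(?:[\w+.,()-]|%2C|%28|%29)+$/;

function isExempt(url) {
  return EXCEPTION.test(url);
}

console.log(decodedQuery(ORIGINAL));
console.log("original flagged:", looksInjected(ORIGINAL));
console.log("sanitized flagged:", looksInjected(SANITIZED));
console.log("original exempt:", isExempt(ORIGINAL));
console.log("lookalike host exempt:",
  isExempt(ORIGINAL.replace(".org/", ".org.example/")));
```

The exception still admits any parenthesised text in the f parameter for that one script, so the filter is effectively off for matching URLs; the ABE rule in the reply is what limits who can send requests to the site.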