
[Possible False Positives] XSS

Posted: Fri Jun 29, 2012 2:51 am
by Joe Pistachio
Happens with the latest 2 (or 3) stable versions of NoScript, while there was no alert, previously:

This one happens on BayFiles, on pages such as .

Log from the error console:

[NoScript XSS] Sanitized suspicious request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized URL: [http://bayfiles.com/file/dUNf/sk6Epj/Bachman,Richard%20King,Stephen%20-Running_man.%20The_Running_man%20.%201982%20.French.ebook.AlexandriZ.rar#24127809571007952758].

[NoScript XSS] Sanitized suspicious referrer request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar (REF: http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ)] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized  referrer: [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ].

[NoScript InjectionChecker] JavaScript Injection in ///dw.php?f=Bachman,Richard(King,Stephen)-Running+man(The+Running+man)(1982).French.ebook.AlexandriZ
(function anonymous() {f = Bachman, Richard(King, Stephen) - Running + man(The + Running + man)(1982).French.ebook.AlexandriZ;DUMMY_EXPR;})

[NoScript InjectionChecker] JavaScript Injection in ///file/dUNf/sk6Epj/Bachman,Richard(King,Stephen)-Running_man.(The_Running_man).(1982).French.ebook.AlexandriZ.rar
(function anonymous() {file / dUNf / sk6Epj / Bachman, Richard(King, Stephen) - Running_man.(The_Running_man).((1982)).French.ebook.AlexandriZ.rar;DUMMY_EXPR;})

The page has to be reloaded unsecured, otherwise you get an "Invalid security token. Please check your link." from BayFiles and therefore can't download.




This one happens on pages such as http://www.teamalexandriz.org/dw.php?f= ... 4508109869

Log from the error console:

[NoScript XSS] Sanitized suspicious request. Original URL [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ#6640088919449771167].

[NoScript InjectionChecker] JavaScript Injection in ///dw.php?f=Bachman,Richard(King,Stephen)-Running+man(The+Running+man)(1982).French.ebook.AlexandriZ
(function anonymous() {f = Bachman, Richard(King, Stephen) - Running + man(The + Running + man)(1982).French.ebook.AlexandriZ;DUMMY_EXPR;})



This one is trivial, since you have to use the Update Scanner add-on.
It then depends on the pages you add to Update Scanner, but it particularly shows on pages from Userscripts, such as http://userscripts.org/scripts/review/69797.
Upon opening said pages from Update Scanner (the address being of the form chrome://updatescan/content/diffPage.xul?id=11467&title=Source%20for%20%22RedirectionHelper%22%20-%20Userscripts.org&url=http%3A//userscripts.org/scripts/review/69797&oldDate=yesterday%20%E0%2015%3A15&newDate=today%27hui%20%E0%203%3A37&delay=0 ), you'll get an XSS alert from [about:blank].

Re: [Possible False Positives] XSS

Posted: Fri Jun 29, 2012 10:36 am
by Thrawn
Joe Pistachio wrote:

[NoScript XSS] Sanitized suspicious request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized URL: [http://bayfiles.com/file/dUNf/sk6Epj/Bachman,Richard%20King,Stephen%20-Running_man.%20The_Running_man%20.%201982%20.French.ebook.AlexandriZ.rar#24127809571007952758].

[NoScript XSS] Sanitized suspicious referrer request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar (REF: http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ)] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized  referrer: [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ].

[NoScript InjectionChecker] JavaScript Injection in ///dw.php?f=Bachman,Richard(King,Stephen)-Running+man(The+Running+man)(1982).French.ebook.AlexandriZ
(function anonymous() {f = Bachman, Richard(King, Stephen) - Running + man(The + Running + man)(1982).French.ebook.AlexandriZ;DUMMY_EXPR;})

[NoScript InjectionChecker] JavaScript Injection in ///file/dUNf/sk6Epj/Bachman,Richard(King,Stephen)-Running_man.(The_Running_man).(1982).French.ebook.AlexandriZ.rar
(function anonymous() {file / dUNf / sk6Epj / Bachman, Richard(King, Stephen) - Running_man.(The_Running_man).((1982)).French.ebook.AlexandriZ.rar;DUMMY_EXPR;})

The URL in question does indeed look very much like JavaScript, especially when you look at the [NoScript InjectionChecker] entries. Not the best page design, but I doubt they're going to change it. I'd suggest writing an XSS filter exception (Options-Advanced-XSS), and protecting the site with an ABE rule similar to:

Site .bayfiles.com
Accept from SELF++
Deny

You'll need to know regular expression syntax to write the XSS filter exception; if that's beyond you, then you can ask for help here (or ask a search engine).
Joe Pistachio wrote: This one happens on pages such as http://www.teamalexandriz.org/dw.php?f= ... 4508109869
As above.
Joe Pistachio wrote: This one is trivial, since you have to use the Update Scanner add-on.
It then depends on the pages you add to Update Scanner, but it particularly shows on pages from Userscripts, such as http://userscripts.org/scripts/review/69797.
Upon opening said pages from Update Scanner (the address being of the form chrome://updatescan/content/diffPage.xul?id=11467&title=Source%20for%20%22RedirectionHelper%22%20-%20Userscripts.org&url=http%3A//userscripts.org/scripts/review/69797&oldDate=yesterday%20%E0%2015%3A15&newDate=today%27hui%20%E0%203%3A37&delay=0 ), you'll get an XSS alert from [about:blank].
I presume that XSS filter exceptions work for chrome URLs? Can anyone confirm this?
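
Added example, not part of either post and not NoScript's own code: a sketch of why the percent-decoded dw.php query in the InjectionChecker entries above is accepted as JavaScript, followed by a check that a candidate XSS filter exception stays narrow. The two patterns in `EXCEPTIONS` are hypothetical, and the sketch assumes an exception is matched against the destination URL as it appears in the log.

```javascript
// Constructed from the two URLs shown in the error console log above.
const DW_URL = "http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ";
const FILE_URL = "http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar";

// Parse-only check: new Function() compiles the text, the result is never called.
function parsesAsJavaScript(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Percent-decode the query string (or the path when there is no query),
// which gives the text quoted in the InjectionChecker log entries.
function decodedPayload(url) {
  const u = new URL(url);
  return decodeURIComponent(u.search ? u.search.slice(1) : u.pathname.slice(1));
}

// Hypothetical exception patterns (assumption, not taken from the thread).
// Both are anchored at each end so that look-alike hosts and URLs carrying
// extra parameters are still filtered.
const EXCEPTIONS = [
  /^https?:\/\/bayfiles\.com\/file\/\w+\/\w+\/[^\/?#]+$/,
  /^https?:\/\/www\.teamalexandriz\.org\/dw\.php\?f=[^&#]+$/,
];

function isExempt(url) {
  return EXCEPTIONS.some((re) => re.test(url));
}

// "f=Bachman,Richard(King,Stephen)-Running+man(...)(1982).French..." is an
// assignment whose right-hand side is a comma expression made of function
// calls and property accesses, so it compiles.
console.log(decodedPayload(DW_URL), parsesAsJavaScript(decodedPayload(DW_URL)));
// The bayfiles path contains ".(", which current engines reject as a syntax
// error, so this sketch reproduces only the dw.php case.
console.log(parsesAsJavaScript(decodedPayload(FILE_URL)));
console.log(isExempt(FILE_URL), isExempt("http://bayfiles.com/file/dUNf/sk6Epj/x.rar?next=1"));
```
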