XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Fri Jul 27, 2012 7:44 am
by DanyR
Hi,
since V2.4.9 (or maybe an update to login.live.com) I cannot browse visualstudiogallery.msdn.microsoft.com anymore while logged in to live.com, due to a message stating (translated from German):
Now I'm not able to work with my contributions.
How can I fix this (or maybe you can)?
Cheers,
Dany
Topic moved from NoScript General
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Fri Jul 27, 2012 7:48 am
by Thrawn
Hi, Dany. It's possible to exempt a site from XSS checks, but first you should ensure that it is actually immune to XSS attacks. I also recommend adding an ABE rule to protect the whitelisted site.
Can you post the full addresses from the error message? Or copy them from Tools | Error Console? German is OK; only the addresses matter.
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Fri Jul 27, 2012 8:09 am
by DanyR
Hi Thrawn,
I'm a bit lost, because when I open the Console there are only info and warning entries and no error.
There are some messages with a question mark:
Code:
[NoScript InjectionChecker] ...
[NoScript XSS] A suspicious upload to [https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415?stoAI=10&wa=wsignin1.0###DATA###...
It affects every page under https://visualstudiogallery.msdn.microsoft.com
Thanks,
Dany
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Fri Jul 27, 2012 5:44 pm
by DanyR
Hmm,
I just created a new Firefox profile and installed only NoScript. There, everything is fine with that site. But why now? Why after the NoScript update (nothing else has been updated, AFAIK)?
Edit:
Even with all other extensions disabled, it does not work in my old profile.
Cheers,
Dany
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Fri Jul 27, 2012 6:48 pm
by Giorgio Maone
Could you show me the entire message?
Could you try using NoScript Options|Export for future reference, then NoScript Options|Reset?
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Fri Jul 27, 2012 7:23 pm
by DanyR
Hi Giorgio,
thank you.
I just discovered that disabling scripts for microsoft.com before logging in and temporarily enabling them afterwards will "work around" the XSS message.
Another workaround is an exception in the XSS settings, which I'm not really comfortable with:
Code:
^https://visualstudiogallery\.msdn\.microsoft\.com/.*
This is what the "unsafe reload" (or so) dialog says:
Code:
UNSAFE reload of a suspicious
POST [https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415/stats?stoAI=10&wa=wsignin1.0]
from [https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com&wreply=https%3a%2f%2fvisualstudiogallery.msdn.microsoft.com%2f74ecfb4f-6245-4942-a5b2-67aaacd49415%2fstats%3fstoAI%3d10&wp=MBI_FED_SSL&wlcxt=microsoft%24microsoft%24microsoft]
NoScript will not protect this request!
Are you sure?
This is what the console log says:
Code:
[NoScript InjectionChecker] JavaScript Injection in ##<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="uuid-17148999-cee1-400d-bee7-c635229c82ff" IssueInstant="2012-07-27T18:26:29Z" Issuer="uri:WindowsLiveID" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2012-07-27T18:26:29Z" NotOnOrAfter="2012-07-28T02:26:29Z"><saml:AudienceRestrictionCondition><saml:Audience>msdn.microsoft.com</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2012-07-27T17:58:00Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">###deleted ;-)###@Live.com</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">###deleted ;-)###@Live.com</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName="Managed" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute><saml:Attribute AttributeName="Child" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute><saml:Attribute AttributeName="TOUAccepted" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute><saml:Attribute AttributeName="CID" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute><saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>info@myemailadr.de</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="PUID" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#uuid-17148999-cee1-400d-bee7-c635229c82ff"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod></Reference></SignedInfo><SignatureValue>###deleted ;-)###</SignatureValue><KeyInfo><X509Data></X509Data><KeyName>Window Live ID</KeyName></KeyInfo></Signature></saml:Assertion></wst:RequestedSecurityToken><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"><wsa:Address>http://msdn.microsoft.com</wsa:Address></wsa:EndpointReference></wsp:AppliesTo></wst:RequestSecurityTokenResponse>(function anonymous() {RequestSecurityTokenResponse > <wst:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="uuid-17148999-cee1-400d-bee7-c635229c82ff" IssueInstant="2012-07-27T18:26:29Z" Issuer="uri:WindowsLiveID" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2012-07-27T18:26:29Z" NotOnOrAfter="2012-07-28T02:26:29Z"><saml:AudienceRestrictionCondition><saml:Audience>msdn.microsoft.com</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2012-07-27T17:58:00Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier Format="http:">###deleted ;-)###@Live.com</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="http:">###deleted ;-)###@Live.com</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName="Managed" 
AttributeNamespace="http:"></saml:Attribute><saml:Attribute AttributeName="Child" AttributeNamespace="http:"></saml:Attribute><saml:Attribute AttributeName="TOUAccepted" AttributeNamespace="http:"></saml:Attribute><saml:Attribute AttributeName="CID" AttributeNamespace="http:"></saml:Attribute><saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http:"><saml:AttributeValue>info@myemailadr.de</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="PUID" AttributeNamespace="http:"></saml:Attribute></saml:AttributeStatement><Signature xmlns="http:"><SignedInfo><CanonicalizationMethod Algorithm="http:"></CanonicalizationMethod><SignatureMethod Algorithm="http:"></SignatureMethod><Reference URI="#uuid-17148999-cee1-400d-bee7-c635229c82ff"><Transforms><Transform Algorithm="http:"></Transform><Transform Algorithm="http:"></Transform></Transforms><DigestMethod Algorithm="http:"></DigestMethod></Reference></SignedInfo><SignatureValue>###deleted ;-)###</SignatureValue><KeyInfo><X509Data></X509Data><KeyName>Window Live ID</KeyName></KeyInfo></Signature></saml:Assertion></wst:RequestedSecurityToken>;DUMMY_EXPR;})
and
Code:
[NoScript XSS] A suspicious upload to [https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415/stats?stoAI=10&wa=wsignin1.0###DATA###%3Cwst%3ARequestSecurityTokenResponse+xmlns%3Awst%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%3E%3Cwst%3ARequestedSecurityToken%3E%3Csaml%3AAssertion+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion%22+AssertionID%3D%22uuid-17148999-cee1-400d-bee7-c635229c82ff%22+IssueInstant%3D%222012-07-27T18%3A26%3A29Z%22+Issuer%3D%22uri%3AWindowsLiveID%22+MajorVersion%3D%221%22+MinorVersion%3D%221%22%3E%3Csaml%3AConditions+NotBefore%3D%222012-07-27T18%3A26%3A29Z%22+NotOnOrAfter%3D%222012-07-28T02%3A26%3A29Z%22%3E%3Csaml%3AAudienceRestrictionCondition%3E%3Csaml%3AAudience%3Emsdn.microsoft.com%3C%2Fsaml%3AAudience%3E%3C%2Fsaml%3AAudienceRestrictionCondition%3E%3C%2Fsaml%3AConditions%3E%3Csaml%3AAuthenticationStatement+AuthenticationInstant%3D%222012-07-27T17%3A58%3A00Z%22+AuthenticationMethod%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aam%3Apassword%22%3E%3Csaml%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22%3E###deleted ;-)###%40Live.com%3C%2Fsaml%3ANameIdentifier%3E%3C%2Fsaml%3ASubject%3E%3C%2Fsaml%3AAuthenticationStatement%3E%3Csaml%3AAttributeStatement%3E%3Csaml%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22%3E###deleted ;-)###%40Live.com%3C%2Fsaml%3ANameIdentifier%3E%3C%2Fsaml%3ASubject%3E%3Csaml%3AAttribute+AttributeName%3D%22Managed%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3EFALSE%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22Child%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3EFALSE%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22TOUAccepted%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3ETRUE%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22CID%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3Ec96c25bee652da2c%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22EmailAddress%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3Einfo%40myemailadr.de%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22PUID%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3E###deleted ;-)###%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3C%2Fsaml%3AAttributeStatement%3E%3CSignature+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%3CSignedInfo%3E%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22%3E%3C%2FCanonicalizationMethod%3E%3CSignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22%3E%3C%2FSignatureMethod%3E%3CReference+URI%3D%22%23uuid-17148999-cee1-400d-bee7-c635229c82ff%22%3E%3CTransforms%3E%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%3E%3C%2FTransform%3E%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22%3E%3C%2FTransform%3E%3C%2FTransforms%3E%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22%3E%3C%2FDigestMethod%3E%3CDigestValue%3ERc7O3s%2BT3FvtqBmI74KYs1aaNyE%3D%3C%2FDigestValue%3E%3C%2FReference%3E%3C%2FSignedInfo%3E%3CSignatureValue%3###deleted ;-)###%3D%3C%2FSignatureValue%3E%3CKeyInfo%3E%3CX509Data%3E%3CX509SKI%3EH1D81qx0njcaeJ3fI6gkm6N%2FjpA%3D%3C%2FX509SKI%3E%3C%2FX509Data%3E%3CKeyName%3EWindow+Live+ID%3C%2FKeyName%3E%3C%2FKeyInfo%3E%3C%2FSignature%3E%3C%2Fsaml%3AAssertion%3E%3C%2Fwst%3ARequestedSecurityToken%3E%3Cwsp%3AAppliesTo+xmlns%3Awsp%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%22%3E%3Cwsa%3AEndpointReference+xmlns%3Awsa%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F08%2Faddressing%22%3E%3Cwsa%3AAddress%3Ehttp%3A%2F%2Fmsdn.microsoft.com%3C%2Fwsa%3AAddress%3E%3C%2Fwsa%3AEndpointReference%3E%3C%2Fwsp%3AAppliesTo%3E%3C%2Fwst%3ARequestSecurityTokenResponse%3E] from [https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com&wreply=https%3a%2F%2Fvisualstudiogallery.msdn.microsoft.com%2F74ecfb4f-6245-4942-a5b2-67aaacd49415%2Fstats%3fstoAI%3d10&wp=MBI_FED_SSL&wlcxt=microsoft%24microsoft%24microsoft] was sanitized and converted into a GET request (download only).
I have the same problem with codeplex.com, but there I couldn't find a RegEx.
Thanks,
Dany
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Fri Jul 27, 2012 7:55 pm
by Giorgio Maone
OK, I believe I know what the problem is.
In order to remove a potential E4X-based bypass, I slightly tightened the algorithm which simplifies and elides XML constructs before checking for JavaScript fragments.
In doing so, it seems I leave too much XML (especially arbitrary attributes) in place, which generates false positives, for instance here, where an XML payload is sent during the authentication process.
I've got to further fine-tune the XML reduction algorithm in order to fix this.
In the meantime, a safer exception regexp should be the following:
Code:
^@https://login\.live\.com/login\.srf\?wa=
Regarding codeplex, I'm afraid you'll have to post the whole messages for that as well.
Thank you!
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Fri Jul 27, 2012 9:25 pm
by DanyR
Thank you very much. We're one step further!

(just kidding, I think it is solved for me)
Now, after logging in with LiveID, there is only a brief display of an empty page with an XSS warning, and then it continues to the desired site without fault.
The warning (when loading is stopped with ESC) in the "unsafe reload" dialog is:
Code:
UNSAFE reload of a suspicious
POST [https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415/stats?stoAI=10&wa=wsignin1.0]
from [https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com&wreply=https%3a%2f%2fvisualstudiogallery.msdn.microsoft.com%2f74ecfb4f-6245-4942-a5b2-67aaacd49415%2fstats%3fstoAI%3d10&wp=MBI_FED_SSL&wlcxt=microsoft%24microsoft%24microsoft&bk=1343423509]
The console log still displays the same entries, but since it works I take them as purely informational.
As for codeplex: you fixed this as well with that RegEx, since login there is also through LiveID.
P.S.: BTW, what exactly does that @ at the beginning of the RegEx do?
Thank you so much!
Cheers,
Dany
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Fri Jul 27, 2012 9:53 pm
by Giorgio Maone
DanyR wrote:
P.S.: BTW, what exactly does that @ at the beginning of the RegEx do?
It tells the InjectionChecker to match it against the origin, rather than the destination as "normal" exceptions.
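The origin-versus-destination distinction Giorgio describes above, as an added example that is not NoScript's own code and not part of the original thread: a small JavaScript model of an exception list in which a pattern whose leading "@" (after the optional "^" anchor) is matched against the request's origin and any other pattern against its destination. The destination and the two origins are the URLs from the two "unsafe reload" dialogs quoted in this thread; the attacker origin, the function names and every matching detail beyond the single rule Giorgio states are assumptions of this model.

```javascript
// Added example, not code from NoScript or from this thread's authors.
// It models the one rule stated above: an exception pattern that starts
// with "@" (after the optional "^" anchor) is matched against the request's
// origin, any other pattern against its destination. Everything else about
// NoScript's real matching is an assumption of this model.

// URLs taken from the two "unsafe reload" dialogs quoted in the thread.
const DESTINATION =
  "https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415/stats?stoAI=10&wa=wsignin1.0";
const ORIGIN_LOGIN_SRF =
  "https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com" +
  "&wreply=https%3a%2f%2fvisualstudiogallery.msdn.microsoft.com%2f74ecfb4f-6245-4942-a5b2-67aaacd49415" +
  "%2fstats%3fstoAI%3d10&wp=MBI_FED_SSL&wlcxt=microsoft%24microsoft%24microsoft";
const ORIGIN_POST_SRF =
  "https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com" +
  "&wreply=https%3a%2f%2fvisualstudiogallery.msdn.microsoft.com%2f74ecfb4f-6245-4942-a5b2-67aaacd49415" +
  "%2fstats%3fstoAI%3d10&wp=MBI_FED_SSL&wlcxt=microsoft%24microsoft%24microsoft&bk=1343423509";
// Constructed: a hypothetical attacker-controlled page posting into the same endpoint.
const ORIGIN_ATTACKER = "https://attacker.example/forged-wsfed.html";

// The two exception patterns posted in the thread, one pattern per line.
const DESTINATION_EXCEPTION = String.raw`^https://visualstudiogallery\.msdn\.microsoft\.com/.*`;
const ORIGIN_EXCEPTION = String.raw`^@https://login\.live\.com/login\.srf\?wa=`;

// Parse a one-pattern-per-line exception list into { re, againstOrigin } entries.
function parseExceptions(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      // "^@pattern" or "@pattern": strip the "@" and match against the origin.
      const m = /^(\^?)@(.*)$/.exec(line);
      return m
        ? { re: new RegExp(m[1] + m[2]), againstOrigin: true }
        : { re: new RegExp(line), againstOrigin: false };
    });
}

// True when any exception exempts this (origin, destination) pair from the XSS check.
function isExempt(exceptionsText, origin, destination) {
  return parseExceptions(exceptionsText).some(({ re, againstOrigin }) =>
    re.test(againstOrigin ? origin : destination)
  );
}

// Evaluate one exception list for the three origins posting to the gallery endpoint.
function exemptionTable(exceptionsText) {
  const origins = {
    login_srf: ORIGIN_LOGIN_SRF,
    post_srf: ORIGIN_POST_SRF,
    attacker: ORIGIN_ATTACKER,
  };
  const result = {};
  for (const [name, origin] of Object.entries(origins)) {
    result[name] = isExempt(exceptionsText, origin, DESTINATION);
  }
  return result;
}

console.log("destination exception:", exemptionTable(DESTINATION_EXCEPTION));
console.log("origin exception:     ", exemptionTable(ORIGIN_EXCEPTION));
```

Under this model the destination-only pattern exempts every POST that lands on the gallery endpoint, including one launched from the attacker page, because the check never looks at where the request came from. The "@" pattern exempts only requests whose origin is the Live ID login endpoint, so an attacker would first need to control content served from login.live.com; that narrower exemption is what makes it the safer of the two. Note also that the origin in DanyR's second dialog is /ppsecure/post.srf, which `^@https://login\.live\.com/login\.srf\?wa=` does not match, so under this model that particular POST is still checked.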
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Sat Jul 28, 2012 9:41 am
by Giorgio Maone
Should be fixed in the latest development build 2.5rc3, thank you.
Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com
Posted: Sat Jul 28, 2012 3:03 pm
by DanyR
Super, works like a charm!
Thank you again,
Dany