InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

NoScript message disappears from screen

https://forums.informaction.com/viewtopic.php?t=9559

Page 1 of 1

NoScript message disappears from screen

Posted: Thu Aug 30, 2012 1:53 pm
by ptoye
On navigating to a page NS tells me that scripts are blocked. I allow them and (it's a booking site) it resends the information. So far so good. Then a message (I think it's something to do with XSS) appears at the top of the window and almost immediately disappears. The browser pane dims, a white panel appears on top of the image, and everything stops. The cursor is an arrow in the white panel (but there's nothing to click on), and an hourglass in the rest of the browser pane.

Presumably I need to enable something in my XSS options, but without information from NS I can't tell what. Where do I go from here?

The browser's Firefox 14.0.1. OS is Windows 7.

Re: NoScript message disappears from screen

Posted: Thu Aug 30, 2012 2:56 pm
by therube
URL?

You can check Error Console (Ctrl+Shift+J) to see if anything is logged there.

Re: NoScript message disappears from screen

Posted: Thu Aug 30, 2012 3:13 pm
by ptoye
As it's a booking form, the URL will have a lot of info or maybe planted cookies so it may not help. But here it is: http://www.condorbooking.co.uk/ExtResNe ... p=EN_S2_QQ

I'm not a malware expert, just a user. Anyway, I did the booking by old-fashioned telephone so the urgency has gone away.

Thanks for the idea about the error log. There's a lot of parsing errors, but 2 which might be significant:

Code: Select all

[NoScript InjectionChecker] HTML injection:
<meta 
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:e(?:rror(?:update)?|nd)|c(?:o(?:nt(?:extmenu|rolselect)|py)|ut|lick|(?:ellc)?hange)|m(?:o(?:ve(?:end|start)?|use(?:o(?:ut|ver)|up|(?:mo|lea)ve|down|wheel|enter))|essage)|lo(?:ad|secapture)|d(?:r(?:ag(?:en(?:d|ter)|drop|over|leave|start)?|op)|ata(?:setc(?:hanged|omplete)|available)|blclick|eactivate)|s(?:t(?:op|art)|elect(?:start)?|croll|ubmit)|b(?:e(?:for(?:e(?:c(?:ut|opy)|p(?:aste|rint)|u(?:pdate|nload)|activate|editfocus)|deactivate)|gin)|lur|ounce)|p(?:ast|ropertychang)e|key(?:up|down|press)|f(?:o(?:cus(?:in|out)?|rm(?:input|change))|i(?:nish|lterchange))|in(?:put|valid)|a(?:fter(?:print|update)|bort|ctivate)|r(?:e(?:s(?:et|ize)|peat|adystatechange)|ow(?:e(?:xit|nter)|s(?:delete|inserted)))|zoom|help|unload))[\s\x08]*=

and:

[NoScript XSS] Sanitized suspicious upload to [http://www.condorbooking.co.uk/ExtResNew/GotoSearch.asp?__utma=1.1428100174.1346321404.1346333655.1346339004.4&__utmb=1.1.10.1346339004&__utmc=1&__utmx=-&__utmz=1.1346321404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&__utmv=-&__utmk=83783702###DATA###%2FwEPDwUKMTAwMjEwODE5Nw9kFgJmD2QWBAIBD2QWAgIBD2QWBgIBDxYEHgRUZXh0BWU8dGl0bGU%2BRmVycmllcyB0byBGcmFuY2UsIFN0LiBNYWxvLCBCcml0dGFueSwgSmVyc2V5LCBHdWVybnNleSBhbmQgdGhlIFVLIHdpdGggQ29uZG9yIEZlcnJpZXM8L3RpdGxlPh4HVmlzaWJsZWdkAgIPFgQfAAXnATxtZXRhIG5hbWU9ImtleXdvcmRzIiBjb250ZW50PSJmZXJyaWVzIHRvIEZyYW5jZSwgZmVycmllcyB0byBCcml0dGFueSwgZmVycnkgc2VydmljZXMsIGNhciBmZXJyeSwgZmFzdCBmZXJyeSwgU3QuIE1hbG8sIFBvb2xlLCBXZXltb3V0aCwgUG9ydHNtb3V0aCwgZG92ZXIgZmVycnksIGJyaXRhbnkgZmVycmllcywgZmVycnkgU3QuIE1hbG8sIGhhbGYgdGVybSBicmVha3MsIHdlZWtlbmQgYnJlYWtzIiAvPh8BZ2QCAw8WBB8ABfIBPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IkZlcnJpZXMgdG8gRnJhbmNlLCBCcml0dGFueSwgYW5kIG90aGVyIGZlcnJ5IHNlcnZpY2UgZGVzdGluYXRpb25zIGluY2x1ZGluZyBTdC4gTWFsbywgSmVyc2V5LCBHdWVybnNleSwgUG9vbGUsIFBvcnRzbW91dGggYW5kIFdleW1vdXRoLiBTYXZlIG1vcmUgdGhhbiBtaWxlcyB0byBnZXQgdG8geW91ciBkZXN0aW5hdGlvbiB3aXRoIENvbmRvciBGZXJyaWVzLiIgLz4fAWdkAgMPZBYGAgMPZBYGAgEPFgIeBWNsYXNzBQZhY3RpdmVkAg0PFgIfAgUOYm9va05vd1RhYkhvbWVkAg8PFgIeBXN0eWxlBRtsZWZ0OiA3MzVweDsgZGlzcGxheTpibG9jaztkAgUPZBYCAgEPDxYEHhFEZXN0aW5hdGlvblJlZ2lvbmUeDE9yaWdpblJlZ2lvbmVkFgICBA9kFgJmD2QWDAIDDw8WAh8ABRE8QlI%2BUExPQUQ6IG89LCBkPWRkAgUPZBYIAgEPZBYCZg8PFgQeCENzc0NsYXNzBRFkZXN0aW5hdGlvbkJ1dHRvbh4EXyFTQgICZGQCAw9kFgJmDw8WBB8GBRFkZXN0aW5hdGlvbkJ1dHRvbh8HAgJkZAIFD2QWAmYPDxYEHwYFEWRlc3RpbmF0aW9uQnV0dG9uHwcCAmRkAgcPZBYCZg8PFgQfBgURZGVzdGluYXRpb25CdXR0b24fBwICZGQCBw8WAh8CBRZhY2NUaXRsZSBndWVybnNleVRpdGxlFgJmDw8WBB8GBQxvcmlnaW5CdXR0b24fBwICZGQCCQ8WAh8CBRBhY2NUaXRsZSB1a1RpdGxlFgJmDw8WBB8GBQxvcmlnaW5CdXR0b24fBwICZGQCCw8WAh8CBRRhY2NUaXRsZSBqZXJzZXlUaXRsZRYCZg8PFgQfBgUMb3JpZ2luQnV0dG9uHwcCAmRkAg0PFgIeC18hSXRlbUNvdW50AgMWBgIBD2QWAmYPFQcIZ3Vlcm5zZXkGamVyc2V5EGplcnNleS1kYXktdHJpcC0QSmVyc2V5IERheSBUcmlwIAlGcm9tIG9ubHkCMzAeRmFzdCBmZXJyeSBkYXkgdHJpcHMgaW4gSmVyc2V5ZAICD2QWAmYPFQcGamVyc2V5CGd1ZXJuc2V5EWZlcnJ5LXNwYS1wYWNrYWdlEUZlcnJ5IFNwYSBQYWNrYWdlB0F0IEp1c3QCNzAuRGF5IFRyaXAgdG8gR3Vlcm5zZXkgd2l0aCBIYWxmIERheSBTcGEgUGFja2FnZWQCAw9kFgJmDxUHCGd1ZXJuc2V5BnN0bWFsbxRzdXBlcmJyZWFrLWV4dGVuc2lvbhRTdXBlckJyZWFrIGV4dGVuc2lvbglGcm9tIEp1c3QCNzUnMyBuaWdodCBicmVha3MgZnJvbSBHdWVybnNleSB0byBTdCBNYWxvZAIHD2QWBAIBDxYCHwFnZAIDDxYCHwFnZGQFpRnh%2BX5X9G1lWUH2ilyNSTFzHGTdTXlQXeaaL0PM5w%3D%3D] from [http://www.condorferries.co.uk/default.aspx]: transformed into a download-only GET request.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited