Date: Wed, 1 Dec 2010 02:41:12 +1100
From: dave b <db.pub.mail@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Fwd: NoScript (2.0.5.1 < less ) - Bypass "Reflective XSS" through Union SQL Poisoning Trick (SQLXSSI)

Bugtraq rejected my email so I am sending it to full disclosure instead...


---------- Forwarded message ----------
From: dave b <db.pub.mail@...il.com>
Date: 29 November 2010 22:54
Subject: NoScript (2.0.5.1 < less ) - Bypass "Reflective XSS" through Union SQL Poisoning Trick (SQLXSSI)
To: bugtraq@...urityfocus.com


Ok...

How about this:

This works against the latest noscript.
----------
ME:

It is exactly this --->


http://www.virginblue.com.au/Search/index.htm?search=\"" style=
position%3Aabsolute;top:0;left:0;z-index:1000;width:3000px;height%3A3000px
onMouseMove=alert(1) bgcolor=black"

I just reproduced it on a vanilla firefox with the latest noscript installed.
(noscript blocking the domain -> enable moving the mouse while
reloading -> xssed and it warns me about blocking a potential xss)

This is not an unrealistic thing to do (well the ordering of events
is probably going to be a bit unrealistic or could be), because some
sites need javascript to be enabled.


----------
Giorgio:
OK, now I can see what you mean.
This is due to the page taking too long to reload after the domain has
been enabled: since NoScript checks for XSS only when the target page
is JavaScript-enabled, the page you're moving the mouse upon is not
sanitized yet (it will be after it reloads), so the code is triggered.

This is not technically a bypass of the filter (the filter is working
correctly), but I recognize this, albeit an edge case, deserves to be
addressed.
I'm gonna disable event processing for just-enabled pages as long as
they don't get fully reloaded.

Thanks and best,
-- G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
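Giorgio's change above alters when NoScript applies its filter; the site-side root cause is that the search parameter is reflected into an HTML attribute without encoding, which is what the quote and the injected onMouseMove attribute in the URL rely on. The following is an added example (not code from the thread, from NoScript or from the site): an assumed stand-in for that template, vulnerable and hardened, plus a small attribute scanner used as the check, with renderSearchBox*, encodeForHtmlAttribute, attributeNames and reflectionContained all being hypothetical names.

```javascript
// Added example, not code from the thread, NoScript or the site. The site's
// template is not on the page; renderSearchBox* are assumed stand-ins for a
// page that reflects ?search= into an <input> attribute.
// Constructed input: the query-string value from the post, URL-decoded.
const POSTED_SEARCH =
  '\\"" style=position:absolute;top:0;left:0;z-index:1000;width:3000px;' +
  'height:3000px onMouseMove=alert(1) bgcolor=black"';

// Vulnerable: the term is concatenated straight into the attribute, so a
// quote in it ends the value and the remainder becomes new attributes.
function renderSearchBoxVulnerable(search) {
  return `<input type="text" name="search" value="${search}">`;
}
// Hardened: entity-encode everything that can close a quoted value or open
// a tag. This is only sufficient because the template quotes the attribute.
function encodeForHtmlAttribute(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}
function renderSearchBoxHardened(search) {
  return `<input type="text" name="search" value="${encodeForHtmlAttribute(search)}">`;
}
// Check: a simplified attribute tokenizer (quoted and unquoted values, not
// a full HTML parser) returning the lower-cased attribute names of one tag.
function attributeNames(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s>]*/, '').replace(/\/?>$/, '');
  const names = []; let i = 0;
  const skipSpace = () => { while (i < inner.length && /\s/.test(inner[i])) i++; };
  while (true) {
    skipSpace();
    if (i >= inner.length) break;
    let name = '';
    while (i < inner.length && !/[\s=]/.test(inner[i])) name += inner[i++];
    names.push(name.toLowerCase());
    skipSpace();
    if (inner[i] !== '=') continue; // bare attribute, value-less
    i++; skipSpace();
    if (inner[i] === '"' || inner[i] === "'") {
      const quote = inner[i++];
      while (i < inner.length && inner[i] !== quote) i++;
      i++; // past the closing quote
    } else while (i < inner.length && !/\s/.test(inner[i])) i++;
  }
  return names;
}
// True when the term stayed inside value="..." (no handler or style added).
function reflectionContained(html) {
  return !attributeNames(html).some((n) => n.startsWith('on') || n === 'style');
}
```

With the payload from the post, the vulnerable render yields style, onmousemove and bgcolor attributes while the hardened render keeps only type, name and value.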