Full Disclosure mailing list archives
Fwd: NoScript (2.0.5.1 < less ) - Bypass "Reflective XSS" through Union SQL Poisoning Trick (SQLXSSI)
From: dave b <db.pub.mail () gmail com>
Date: Wed, 1 Dec 2010 02:41:12 +1100
Bugtraq rejected my email so I am sending it to full disclosure instead...

---------- Forwarded message ----------
From: dave b <db.pub.mail () gmail com>
Date: 29 November 2010 22:54
Subject: NoScript (2.0.5.1 < less ) - Bypass "Reflective XSS" through Union SQL Poisoning Trick (SQLXSSI)
To: bugtraq () securityfocus com

Ok... How about this: This works against the latest noscript.

----------
ME:
It is exactly this --->
http://www.virginblue.com.au/Search/index.htm?search=\"" style= position%3Aabsolute;top:0;left:0;z-index:1000;width:3000px;height%3A3000px onMouseMove=alert(1) bgcolor=black"

I just reproduced it on a vanilla firefox with the latest noscript installed.
(noscript blocking the domain -> enable, moving the mouse while reloading -> xssed, and it warns me about blocking a potential xss)
This is not an unrealistic thing to do (well, the ordering of events is probably going to be a bit unrealistic, or could be), because some sites need javascript to be enabled.

----------
Giorgio:
OK, now I can see what you mean. This is due to the page taking too long to reload after the domain has been enabled: since NoScript checks for XSS only when the target page is JavaScript-enabled, the page you're moving the mouse upon is not sanitized yet (it will be after it reloads), so the code is triggered. This is not technically a bypass of the filter (the filter is working correctly), but I recognize this, albeit an edge case, deserves to be addressed. I'm gonna disable event processing for just-enabled pages as long as they don't get fully reloaded.

Thanks and best,
-- G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
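The sequence Giorgio describes (the filter only inspects navigations to JavaScript-enabled origins, the user enables the domain, a mouse event fires before the reload completes) as an added model in JavaScript; this is not code from the thread or from NoScript. The regex filter, the class, the sample origin and URL are simplifying assumptions, and the `blockEventsUntilReload` flag stands in for the fix Giorgio announces (ignore events on a just-enabled page until it has fully reloaded).

```javascript
// Added model of the race Giorgio describes, not NoScript's own code; the
// filter, class and sample URL below are simplifying assumptions.
function looksLikeReflectedXss(url) {
  // Simplified check: inline event-handler attribute or script tag in the query.
  const query = decodeURIComponent(url.split("?")[1] || "");
  return /\bon\w+\s*=/i.test(query) || /<script/i.test(query);
}

class NoScriptModel {
  constructor(blockEventsUntilReload) {
    this.enabledOrigins = new Set();
    this.blockEventsUntilReload = blockEventsUntilReload; // models the announced fix
    this.page = null;
  }
  // The filter only inspects navigations to origins that are already JS-enabled.
  load(origin, url) {
    const sanitized = this.enabledOrigins.has(origin) && looksLikeReflectedXss(url);
    this.page = { origin, url, sanitized, fullyReloaded: true };
  }
  // User allows the origin; the displayed page stays unsanitized until it reloads.
  enable(origin) {
    this.enabledOrigins.add(origin);
    if (this.page && this.page.origin === origin) this.page.fullyReloaded = false;
  }
  reload() { this.load(this.page.origin, this.page.url); }
  // Would an inline handler in the displayed page run on a DOM event right now?
  dispatch() {
    const p = this.page;
    if (!this.enabledOrigins.has(p.origin)) return false; // scripts still blocked
    if (this.blockEventsUntilReload && !p.fullyReloaded) return false; // the fix
    return !p.sanitized; // reflected markup is still in the page
  }
}

// Replays the thread's sequence: blocked -> enable -> mouse moves while the
// reload is pending -> reload completes. Origin and URL are constructed values.
function runScenario(blockEventsUntilReload) {
  const ns = new NoScriptModel(blockEventsUntilReload);
  const origin = "https://example.test";
  const url = origin + "/search?q=%22%20onMouseMove%3Dalert(1)%20x%3D%22";
  ns.load(origin, url);
  const beforeEnable = ns.dispatch();
  ns.enable(origin);
  const duringReload = ns.dispatch();
  ns.reload();
  const afterReload = ns.dispatch();
  return { beforeEnable, duringReload, afterReload };
}
```

`runScenario(false)` reproduces the window in which the handler runs (only the middle step is true), while `runScenario(true)` shows that holding events until the reload finishes closes it without touching the filter itself.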