
List:       full-disclosure
Subject:    [Full-disclosure] Fwd: NoScript (2.0.5.1 < less ) - Bypass
From:       dave b <db.pub.mail () gmail ! com>
Date:       2010-11-30 15:41:12
Message-ID: AANLkTi=RY=Z=7FoPpK6wgFn-LOWFcNA9Cmv8sVsXMmUG () mail ! gmail ! com

Bugtraq rejected my email so I am sending it to full disclosure instead...


---------- Forwarded message ----------
From: dave b <db.pub.mail@gmail.com>
Date: 29 November 2010 22:54
Subject: NoScript (2.0.5.1 < less ) - Bypass "Reflective XSS" through Union SQL Poisoning Trick (SQLXSSI)
To: bugtraq@securityfocus.com


Ok...

How about this:

This works against the latest noscript.
----------
ME:

It is exactly this --->


http://www.virginblue.com.au/Search/index.htm?search=\"" style=
position%3Aabsolute;top:0;left:0;z-index:1000;width:3000px;height%3A3000px
onMouseMove=alert(1) bgcolor=black"

I just reproduced it on a vanilla firefox with the latest noscript installed.
(noscript blocking the domain -> enable moving the mouse while
reloading -> xssed and it warns me about blocking a potential xss)

This is not an unrealistic thing to do (well, the ordering of events
is probably going to be a bit unrealistic, or could be), because some
sites need javascript to be enabled.


----------
Giorgio:
OK, now I can see what you mean.
This is due to the page taking too long to reload after the domain has
been enabled: since NoScript checks for XSS only when the target page
is JavaScript-enabled, the page you're moving the mouse upon is not
sanitized yet (it will be after it reloads), so the code is triggered.

This is not technically a bypass of the filter (the filter is working
correctly), but I recognize that this, albeit an edge case, deserves to be
addressed.
I'm gonna disable event processing for just-enabled pages as long as
they don't get fully reloaded.

Thanks and best,
-- G
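
The site-side defect that this NoScript timing window exposes is a reflected query value landing unescaped inside an HTML attribute. As an added example (not code from the thread, from NoScript or from the site named above), a hypothetical server-side render function is shown with and without attribute-context escaping, and a small start-tag attribute tokenizer checks whether the decoded search value from the PoC URL above (used here as constructed input) can still introduce an event-handler attribute:

```javascript
// Added example, not code from NoScript or the site in the thread.
// renderSearchBox is a hypothetical server-side template that reflects the
// "search" query parameter into a prefilled input, with and without escaping.

// URL-decoded "search" value from the PoC URL in the thread (constructed input).
const POC_VALUE =
  '\\"" style=position:absolute;top:0;left:0;z-index:1000;width:3000px;' +
  'height:3000px onMouseMove=alert(1) bgcolor=black"';

// Escape the characters that can terminate or alter a quoted attribute value.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflect the term into a double-quoted attribute; `escape` toggles the fix.
function renderSearchBox(term, escape) {
  const value = escape ? escapeAttr(term) : term;
  return `<input type="text" name="search" value="${value}">`;
}

// Minimal start-tag attribute tokenizer: quoted values are consumed whole,
// unquoted values end at whitespace, stray quotes are skipped like a lenient parser.
function attributeNames(tagHtml) {
  const m = /^<[a-zA-Z][^\s>]*([\s\S]*)>$/.exec(tagHtml.trim());
  if (!m) throw new Error('expected a single start tag');
  const ATTR = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  return Array.from(m[1].matchAll(ATTR), (a) => a[1].toLowerCase());
}

// True when the reflected value broke out of its attribute and introduced an
// event-handler attribute (the on* attribute that fired in the report).
function reflectsEventHandler(html) {
  return attributeNames(html).some((name) => name.startsWith('on'));
}

console.log(attributeNames(renderSearchBox(POC_VALUE, false))); // includes "onmousemove"
console.log(attributeNames(renderSearchBox(POC_VALUE, true)));  // [ 'type', 'name', 'value' ]
```

Escaping fixes only the attribute context it is written for; a value reflected into a script block or a URL needs the encoder for that context instead.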

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
