0X can bypass noscript xss protection:-
http://demo.phpids.org/?test=0X%20%26%20alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

it could (for very simple and likely innocuous vectors), but it cannot anymore ;)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@ma1

Wow super fast fix! :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Ah! hacking noscript?

thats easy..
http://trustedsite.com/?xss-inside-script-tag='%2Balert(document.cookie)+//a:1

for example.. (eBay has a XSS issue very similar to the one I'm describing (well, actually, a lot of sites, but eBay rocks))

<script>
var x='<?php echo $_GET['xss']?>';
</script>

But duuuude!! what's happening?

Well, NoScript thinks, that.. "+" is a plus.. but in reality.. "+" is a space, and so..

var x=''+alert(document.cookie) //a:';

is valid js code! (damn, I'm good, 10 minutes to hack NoScript :D)

Greetz!!

PS. It's a joke, noscript is great :P, and even do I did spent 10 minutes to find the issue, it was because I had this idea for attacking noscript since a couple of months ago, but I didnt tested it till today.


but WAIT!!
thats all?

The hell it isn't!! (anyway, this last attack is not so dangerous, since it requires user interaction [enabling javascript on an untrusted domain])

Let's take a look at NoScript's default anti-xss rules:
^http://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?

That means, well.. that:
http://images.google.com/search?asdfasdf=%3Cscript%3E&q=Asdf

Will bypass NoScript (because we all trust google =D), but.. wait.. that's for google domains exclusively right?

Well, wrong!! because, well.. 20 bux, we can get a 3 letter domain http://www.3character.com/recentsales.html

And so do:

http://www.google.xss.com/customcustom%3Fasdf%2F..%2F?some-host-not-checking-for-Host-headers=%3Cscript%3E

Pointing google.xss.com to your router or something.

There's an issue with this last attack.. NoScript does his job, and automatically denies google.xss.com.. anyway, enabling javascript in such domain (social engineering) would allow the attacker to send evil XSS attacks to your router/intranet what-ever.

Anyway, hacking noscript is fun :D

And in any case someone wondered..

http://search.ebay.com/search/search.dll?_trksid=&satitle=ME+XSS+U&category0=&from=%27%2Balert(document.cookie)%2B%27

And yeah, that's not triggering noscript alarms :D

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 06/16/2008 04:12AM by sirdarckcat.

@sdc:
nice findings, thanks.
Fixes for both on their way :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@sdc:

On a side note, your latest search.ebay.com PoC DOES actually trigger NoScript's anti-XSS protection.
But I guess I understand what you're hinting at, and it's scary and brainless (from Ebay) ;)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

FIXED

Now that it's fixed, I'll explain my innuendo to Ebay's "scary and brainless" issue, which reminds me closely last month's Base64 Yahoo one.

Your PoC was

hxxp://search.ebay.com/search/search.dll?_trksid=&satitle=ME+XSS+U&category0=&from=%27%2Balert(document.cookie)%2B%27

and it did not bypass NoScript. I guess you meant to write it in the "mixed plus" form, but this is not.

But here's the truly scary one:

http://search.ebay.com/ME-XSS-U_W0QQfromZQ27Q2balertQ28documentQ2ecookieQ29Q2bQ27

As you can see, ebay uses its own custom "Q-encoding", allowing XSS payloads virtually undetectable to any filter, except NoScript >= 1.6.9.2 ;)

IMPORTANT REQUEST (rules change)
Since as far as I can see NoScript now is actively used by more than 1.5 million users, it would be kind of you if new issues were responsibly disclosed to me before posting them there.
I guarantee to handle them the very same day I read your report and to publish a development build with proper credits, but since one week is probably the minimum user-bearable window for automatic updates on stable releases, a 7 days grace period would be nice as a compromise to avoid an excessively tight update schedule for stable version users.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Not to forget PHPIDS 0.5 .936 ;)

Principally totally senseless but who knows who else uses this kind of encoding...

@ma1:
wait, you told me to report it here :S

Anyway:

Quote

@sdc:

On a side note, your latest search.ebay.com PoC DOES actually trigger NoScript's anti-XSS protection.
But I guess I understand what you're hinting at, and it's scary and brainless (from Ebay) ;)

Ah that's true :P, I copypasted the wrong link hehe.

Adding the QEncoding to the IDSs is like fixing bugs for eBay, instead of them.. anyway :P

I'll mail-report any other issues.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat