Opened 6 weeks ago

Last modified 5 weeks ago

#31680 new defect

XSS warning pops up in case of timeout

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: noscript
Cc: ma1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I increasingly see XSS warning popups showing up because of timeouts, which is highly confusing. Clearly, timeouts are not really an indication of an XSS issue. An example of how this looks is:

NoScript detected a potential Cross-Site Scripting attack

from https://www.zeit.de to https://dx6ctphzljkf1.cloudfront.net.

Suspicious data:

Error: Exceeded 20000ms timeout,(URL) https://dx6ctphzljkf1.cloudfront.net/iqdcdnkj/0a3b52795fef0905/index.html?clicktag=http://adclick.g.doubleclick.net/pcs/click%3Fxai%3DAKAOjsuHXc6Zwesb8f8FaSD7QQTqsyHbRHJNWVu3QNltNDaJ94NGlNH6WfODjTA6sloDprbdd1rxSjqWKdGOSolznaWuiKCcayJ4DmNlCF5OkavZ_eGS0Xkfao5UQJ-JwqhV_gAR_7tfsnUfu60yvzJ0iU4Z1D6Zkb6sjCl0_HQA22VBLWn-QSPhAgfMV614r-HBeMGma_lSkoiCPSy0kyKnCRL5tUnv1UmFqhpDBN4tMevUa2rZkJz6uo8knPiePTPGjelmuicueasP3g%26sai%3DAMfl-YR4Mk3FY_qymLNh3MZw4TEqprFJmYFBo9_kQIEByETK8t21mR91HHtY12pZU52d0EITutWjovVnNx6CvX-biT_ug2TurDhIiyL2djhlow%26sig%3DCg0ArKJSzIDezji-X-DkEAE%26urlfix%3D1%26adurl%3Dhttp://marktplatz.zeit.de/urlaubsziele/themen/lesenswertes/&

or

NoScript detected a potential Cross-Site Scripting attack

from https://www.zeit.de to https://s3.eu-central-1.amazonaws.com.

Suspicious data:

Error: Exceeded 20000ms timeout,(URL) https://s3.eu-central-1.amazonaws.com/iqdcdnea/10e4b7649324fb09/index.html?clicktag=https://adclick.g.doubleclick.net/pcs/click%3Fxai%3DAKAOjssAkvqdVAj8OVky5YyBIxfFhdSKOwG3PBSs1sGLVOkrTAbbR2gQhodz_fXydReP-sWxzXELTfAuQkQKvcolwGDPsya5J4nL-viX8VzJakyNC5yyVB4zTY8PRSHU_uCuiDOkZfyU6r6ldJAmjPb3o9AJI1JjbB2B6BwWdGEXimu89rpjgP9_7QWQve3pDYoPSYGZtAGvE2nIak17XVJyFo6fpatdx-JftpL6BZ3We12XcmWv8xi1WzanqCJH7xQaQImIkf2k5dsgSg%26sai%3DAMfl-YQQpqd7WwCqfy7nh3BpC3v5iOX8vRNIaR7zenwjOphvOa6S79W9pR_h16Vw99tViBvXlyo0AyCzyKJf9xzvxc43C-iGZHR6IQYihbL1eQ%26sig%3DCg0ArKJSzKFyrN2JPsBaEAE%26urlfix%3D1%26adurl%3Dhttps://jobs.zeit.de/campus/berufstest%3Fwt_zmc%3Ddis.int.zonpmr.hausbanner.boa-default.bot.wp.quan.x%26utm_medium%3Ddis%26utm_source%3Dhausbanner_zonpmr_int%26utm_campaign%3Dboa-default%26utm_content%3Dbot_wp_quan_x&iqdurl=https://www.zeit.de&iqdcid=138255462209&

That does not involve doing anything special, just reading news with a 9.0a6-ish Tor Browser.

Change History (1)

comment:1 Changed 5 weeks ago by gk

Keywords: noscript added