• Resolved helpmelearnwp

    (@helpmelearnwp)


    As of yesterday, I’ve noticed a number of entries with “blocked by firewall for XSS: Cross Site Scripting in query string”. I’ve asked my co-worker to browse the pages on the site. No input was made. It was listed under the same warning.

    I’ve tested it myself, and the same result was obtained. Browse only: no clicks, no inputs. This is the error.

  • Plugin Support wfpeter

    (@wfpeter)

    Hi @helpmelearnwp,

    The error you’re seeing looks like an attempted redirect to error_204 caused by an embedded YouTube player sending an error report to Google servers. It uses the relative URI /error_204 but it’s resolving relative to your domain name rather than YouTube’s.

    This could be caused by video embed code from a site builder or theme having a syntax error. If you’re unable to find the source, you could click “ADD PARAM TO FIREWALL ALLOWLIST”, as it’s effectively a false positive based on the query string data that it’s trying to send back rather than a malicious attack. If you are able to find the source, you may need to speak with the plugin/theme developer to see if they can fix the video embed code.

    Thanks,

    Peter.

    Thread Starter helpmelearnwp

    (@helpmelearnwp)

    Good day, Peter

    Thank you for your time, insight & guidance. Much appreciated! I’ve heeded your advice to add the parameter into its Firewall’s allowlist. Will monitor from here on.

    Thread Starter helpmelearnwp

    (@helpmelearnwp)

    Unfortunately, the error still shows up even though I’ve added it to the allowlist.

    The error differs slightly:
    “x left https://alittlething.co/product/a-little-cheese/ and was blocked by firewall for XSS: Cross Site Scripting in POST body: stack=Error%3A%20Failed%20to%20execute%20’postMessage’%20on%20’Window’%3A%20Invalid%20target%20origin%20’d… at https://alittlething.co/error_204?a=logerror&t=jserror&type=SyntaxError&msg=Failed+to+execute+%27postMess…”

    Plugin Support wfpeter

    (@wfpeter)

    Hi @helpmelearnwp,

    It does seem like loading can be temperamental on that page, and so perhaps on your site in general. The first time, it loaded successfully, but with subsequent refreshes to try and see if I could get myself blocked, I was experiencing various different errors with scripts failing to load or CSS styling not applied because something was wrong, while also getting successful page loads during this testing.

    I would spend some time in Learning Mode, navigating your site as both an admin and a non-logged-in user for a while. The XSS block you’re showing me does seem related to the YouTube error I mentioned before – where the player is trying to send diagnostic information back in the query string.

    From the Wordfence Dashboard click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now perform the actions and visit the pages that were causing issues. This will help Wordfence learn that these actions are normal and it will allow them in the future. After you have finished performing the actions, switch the WAF from Learning Mode back to Enabled and Protecting. Now test to see if these actions work correctly.

    Thanks again,

    Peter.
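As an added illustration (not code from Wordfence or from anyone in this thread), the following Python helper triages block messages in the shape shown above: it pulls the blocked URL out of the message and separates the YouTube player’s diagnostic beacon to a relative /error_204 path, which Peter explains is noise, from query strings that actually carry script content. The hostnames and messages are constructed samples, and the /error_204 path and the a=logerror&t=jserror parameters are taken from the message quoted in this thread.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample entries in the shape of Wordfence Live Traffic messages.
# example.com is a placeholder host, not a real site.
SAMPLE_ENTRIES = [
    "x left https://example.com/product/widget/ and was blocked by firewall for XSS: "
    "Cross Site Scripting in POST body: stack=Error%3A%20Failed%20to%20execute%20"
    "'postMessage'%20on%20'Window'... at https://example.com/error_204?a=logerror"
    "&t=jserror&type=SyntaxError&msg=Failed+to+execute",
    "x was blocked by firewall for XSS: Cross Site Scripting in query string "
    "at https://example.com/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
]

# An embedded YouTube player reports JS errors to the relative path /error_204;
# when that resolves against the host site instead of youtube.com, the request
# carries these parameters, which is the fingerprint of the false positive.
BEACON_PATH = "/error_204"
BEACON_PARAMS = {"a": "logerror", "t": "jserror"}

# Markers that indicate genuine script injection in a query string.
SCRIPT_PATTERN = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def blocked_url(entry):
    """Return the request URL from a '... at <url>' block message, or None."""
    m = re.search(r"\bat (https?://\S+)", entry)
    return m.group(1) if m else None


def classify(entry):
    """Sort one block message into a triage bucket based on its URL only."""
    url = blocked_url(entry)
    if url is None:
        return "unparsed"
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == BEACON_PATH and all(
        params.get(k) == v for k, v in BEACON_PARAMS.items()
    ):
        return "youtube_error_beacon"  # player diagnostics; allowlist candidate
    if SCRIPT_PATTERN.search(unquote(parts.query)):
        return "script_in_query"  # real injection attempt; keep it blocked
    return "review"  # nothing obvious either way; look at it by hand


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(classify(entry), "<-", blocked_url(entry))
```

The POST body is not part of the logged message, so the beacon bucket is decided from the URL alone; the stack trace the player sends is what trips the XSS rule, not anything a visitor typed.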

  • The topic ‘XSS False Positive’ is closed to new replies.