This anime & manga hosting site gives Noscript XSS alerts

system · 2015-11-21T00:31:34.000Z

I decided to try out the website crunchyroll.com, which to my understanding is legal and an offical website used to stream anime and manga. But whenever I try to go watch a video on the site, Noscript gives me notification of possible XSS attack being blocked. The videos themselfs seem to work fine regardless. I’ve checked Noscript console for details and these notifications are marked in red:

Salasanakenttiä suojaamattomalla (http://) sivulla. Tämä on turvallisuusriski, jonka avulla käyttäjän kirjautumistiedot voidaan varastaa.[Learn More] <unknown>
Ladataan osittain suojaamatonta näytettävää sisältöä "http://fotkica.com/thumbs2/109451_tmb_343479479_2013-07-15_205112.jpg" suojatulla sivulla[Learn More] index.php
Ladataan osittain suojaamatonta näytettävää sisältöä "http://www.mycity.rs/thumbs2/109451_tmb_343479479_2013-07-15_205112.jpg" suojatulla sivulla[Learn More] index.php
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gg.google.com/csi?v=2&s=youtube&action=results&yt_sts=ne&yt_nav=10&yt_lt=warm&yt_pft=0&yt_hrd=33&yt_li=1&yt_err=0&yt_ref=results&yt_spf=1&ei=q6tPVtKdEMieYJeWupAL&e=9407188,9408539,9408710,9416126,9416903,9417683,9417753,9419446,9419548,9420238,9420452,9422596,9422618,9423510,9423662,9424134,9424210,9424371,9424480,9424508&srt=306&pa=results&p=h2&t=tcp&ba=1&rt=nc0.62,resultspredclk.103,np0.122,nc1.490,je.596,jl.597,np1.598,nd.598,ol.598,cpt.616,tdl.712,vc.2119987,aft.616,ps.2121215&it=st.478,preq.306,req_.253,rcv_.487. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gg.google.com/csi?v=2&s=youtube&action=gli&yt_sts=ne&yt_nav=11&yt_lt=warm&yt_pft=0&yt_hrd=33&yt_ref=results&yt_spf=1&ei=9LNPVtKMK9OldIG3nkg&yt_li=1&yt_err=0&e=9407188,9408539,9408710,9416126,9416903,9417683,9417753,9419446,9419548,9420238,9420452,9422596,9422618,9423510,9423662,9424134,9424210,9424371,9424480,9424508&srt=1817&pa=results&p=h2&t=tcp&ba=1&rt=je.851,jl.853,nd.854,ol.854,cpt.1031,aft.1031,ps.1115&it=st.1607,preq.1815. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gg.google.com/csi?v=2&s=youtube&action=watch,watch7_html5&yt_sts=ne&docid=CnJUG-O7E_w&ei=BLRPVsepK4uTdPKHkhA&cpn=zOfGtP5b9rCEyEZp&fmt=136&cmt=0.008&yt_vis=1&yt_pt=html5&yt_nav=12&yt_lt=warm&yt_pft=0&yt_hrd=33&yt_spf=1&yt_ref=&yt_pl=0&yt_ad=0&e=9407188,9408539,9408710,9416126,9416903,9417683,9417753,9419446,9419548,9420238,9420452,9422596,9422618,9423510,9423662,9424134,9424210,9424371,9424480,9424508&yt_li=1&yt_err=0&srt=190&pa=gli&p=h2&t=tcp&ba=1&rt=nc0.4,nc1.5,np0.63,nc2.327,cfg.327,vta.382,nc3.389,gv.365,fvb.428,plev.736,vfp.825,msa.457,ada.471,vda.695,vri.331,vdns.331,vreq.331,vrc.661,ari.327,adns.327,areq.328,avb.375,arc.421,pbs.827,np1.896,np2.898,je.997,jl.998,np3.999,nd.999,ol.999,cpt.1073,aft.827,ps.1096&it=st.257,preq.184. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'). <unknown>
Sivusto käyttää SHA-1 -varmennetta. On suositeltua käyttää varmenteita, joiden allekirjoitusalgoritmit käyttävät SHA-1:ä vahvempia tiivistefunktioita.[Learn More] developer.cdn.mozilla.net
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gg.google.com/csi?v=2&s=youtube&action=watch,watch7ad_html5&yt_sts=ne&yt_nav=13&yt_lt=warm&yt_pft=0&docid=aXkT8YsxhzE&ei=77VPVt7TOKXCdpTGkuAN&cpn=NZcTI0nVImfDx7iM&fmt=136&cmt=0.012&ad_allowed=1_1,1_3,2_1,2_3&yt_vis=0&yt_pt=html5&yt_hrd=33&yt_ref=watch&yt_ad_an=afv,dclk&yt_ad_pr=0&yt_ad=1&yt_spf=1&e=9407188,9408539,9408710,9416126,9416903,9417683,9417753,9419446,9419548,9420238,9420452,9422596,9422618,9423510,9423662,9424134,9424210,9424371,9424480,9424508&yt_err=0&yt_li=1&yt_pl=0&srt=735&pa=watch,watch7_html5&p=h2&t=tcp&ba=1&rt=nc0.4,nc1.5,np0.92,np1.97,nc2.199,cfg.199,vta.307,gv.238,nc3.415,fvb.367,np2.1444,je.1550,jl.1552,np3.1553,nd.1553,ol.1553,plev.1588,cpt.1591,tdl.1782,vc.2212,vfp.2435,msa.368,ada.578,vda.620,vri.203,vdns.203,vreq.288,vrc.586,ari.198,adns.312,areq.344,avb.438,arc.538,pbs.2433,aft.2433,ps.2446&it=st.395,preq.725. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'). <unknown>

Sorry about some parts being in finnish, but two second highest entries tell me about loading “partially unprotected displayable content” google translator.

No third-party website scan issues it seems, probably false positives?

https://sitecheck.sucuri.net/results/crunchyroll.com

polonus · 2015-11-21T13:03:48.000Z

I PM-ed you, the only site blocked by uMatrix (in a similar fashion NoScript would do) is for an external connection to uMatrix has prevented the following page from loading: -http://b.rmgserving.com/
landing at automatically served Adsense code: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fb.rmgserving.com%2Frmgdsc%2Fnewcafv2.js → - -http://ventasdiversas.com/oc-content/themes/AdsenseOptimized/custom-css/js/jquery.cookie.js with “alledged” Outdated software - HTTP Server: Apache HTTP Server mod_fcgid Version: 2.3.7 (Outdated) PHP Version: 5.6.7 a cookie plug-in for “empty” IE-cookies.

pol

polonus · 2015-11-21T13:20:53.000Z

Results from where we landed and scanning URL: -http://www.google.com/coop/cse/brand?form=cse-search-box&lang=es
Number of sources found: 284
Number of sinks found: 14
/*! jQuery UI - v1.10.2 - 2013-03-19 * -http://jqueryui.com

Developers should be aware what they are not opening up to XSS vulnerabilities with tooltip, read:
http://bugs.jqueryui.com/ticket/9019#comment:2 (so one should be certain and have checked HTML content in the attribute!), when then every time you call .tooltip, HTML content will be returned.
info credits go to StackOverflow’s Andrew Whitaker.

polonus (volunteer security analyst and website error-hunter)

Announcements