Cross Site Scripting issue with window.location.search

I have been going through so many forums & Wikipedia for a few days trying to understand XSS attacks. I have spent almost 2-3 days but still do not get a better idea, as experts suggest multiple solutions, & I want to know how hackers can inject malicious code into a victim's browser? My application has been run on a standard App Scanner testing tool, so it caught so many XSS issues. I want to put here one of the XSS issues of my application, so can someone please help me understand what exactly I have to do for this issue? I am still trying a lot to get a better understanding of XSS issues. This is my code snippet:

// Reads a query-string parameter by raw substring search: no URL decoding
// and no exact-key match; returns "" when the parameter is not present.
function getParameter(param) {
        var val = "";
        var qs = window.location.search;
        var start = qs.indexOf(param);
        if (start != -1) {
                start += param.length + 1;
                var end = qs.indexOf("&", start);
                if (end == -1) {
                        end = qs.length;
                }
                val = qs.substring(start, end);
        }
        return val;
}

// year, month, thisDay and contextstr are set elsewhere in the calendar page;
// sample values are assumed here only so the snippet runs stand-alone.
var year = 2024, month = 5, thisDay = 17, contextstr = "ctx";

var formName = getParameter("formName");
// formName is concatenated, unescaped, into an inline javascript: URL that is
// then written into the page with innerHTML (the line this question is about).
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';
document.getElementById('calendarA').innerHTML = myValue;

var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';

This line doesn't have any escaping: it expects '(... \''+formName+'\' );...' to be a string, but it can become something else:

formName = "'); alert('I'm free to do anything here'); (''+"
document.getElementById('calendarA').innerHTML = myValue;

Let's place such a fragment into myValue:

... <img src=void onerror="alert('hacked')" /> ...

You can check that it works:

document.querySelector('button').addEventListener('click', function () {
  document.querySelector('output').innerHTML = document.querySelector('textarea').value;
})
<textarea>... <img src=void onerror="alert('hacked')" /> ...</textarea>
<button>Go</button>
<output></output>

Nothing in the code you've shown us is vulnerable.

You are reading user input, so there is the potential to introduce a vulnerability there. That is probably what the tool you are using is detecting.

If your code is vulnerable, then it will be because of whatever you do with the value of formName next (in the code you haven't shown us).


This is a possible DOM based XSS issue.

If you are using the value of formName like document.getElementById("demo").innerHTML = formName, or somehow your DOM elements are being created/modified using formName, you are vulnerable, as I can create a custom URL like http://urwebsite.html?formName=<script>document.cookie_will_be_transfered_to_my_server_here</script> and ask a logged-in person to click it (simple social engineering). Now I have that person's session ID, using which I can do whatever I want.

As a resolution, all the input data from the user has to be HTML encoded.
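A hardened rewrite of the question's snippet, added here as an example (it is not code from the question or from any of the answers): the parameter is read with URLSearchParams, restricted to a safe character set, and carried in data-* attributes that a click listener reads back, instead of being pasted into a javascript: URL. The element id calendarA and the assignDateIps callback come from the question; the validation regex and the sample values are assumptions.

```javascript
// Added example (not the asker's code): read the query parameter with
// URLSearchParams and keep it out of the javascript: URL entirely.
// Assumptions: the element id 'calendarA' and the assignDateIps callback
// come from the question; the regex and the sample values are constructed.

// Exact-key lookup, decoded once; returns '' when absent, like the original.
function getParameter(param, search) {
  var qs = search !== undefined ? search : window.location.search;
  var value = new URLSearchParams(qs).get(param);
  return value === null ? '' : value;
}

// Accept only the characters a form name legitimately needs (empty allowed,
// as in the original); anything else is rejected rather than "cleaned", so
// quotes, angle brackets and parentheses can never reach the markup.
function isSafeFormName(name) {
  return /^[A-Za-z0-9_-]{0,64}$/.test(name);
}

// Escape for use inside an HTML attribute value or text node.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Build the day cell with no javascript: href: the values travel in
// data-* attributes and a delegated listener reads them back.
function renderDayCell(year, month, thisDay, contextstr, formName) {
  if (!isSafeFormName(formName)) throw new Error('rejected formName');
  return '<a href="#" class="modulelink"' +
    ' data-year="' + escapeHtml(year) + '" data-month="' + escapeHtml(month) +
    '" data-day="' + escapeHtml(thisDay) + '" data-context="' + escapeHtml(contextstr) +
    '" data-form="' + escapeHtml(formName) + '">' + escapeHtml(thisDay) + '</a>';
}

// Browser-only wiring (skipped when run under Node).
if (typeof document !== 'undefined') {
  var cal = document.getElementById('calendarA');
  cal.innerHTML = renderDayCell(2024, 5, 17, 'ctx', getParameter('formName'));
  cal.addEventListener('click', function (ev) {
    var a = ev.target.closest('a.modulelink');
    if (!a) return;
    ev.preventDefault();
    var d = a.dataset;
    parent.opener.assignDateIps(new Date(d.year, d.month, d.day), d.context, d.form);
    window.close();
  });
}
```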

Link: http://www.djcxy.com/p/94190.html
