Cross-site scripting problem using window.location.search

I have gone through so many forums and Wikipedia, since I spent 2-3 days trying to figure out XSS attacks, but I still don't understand how to apply the several solutions proposed by experts, and I want to know how hackers can introduce malicious code into the victim's browser. My application was run through a standard application scanner, and it found so many XSS issues. I want to put here one of the XSS questions about my application, so that someone may help me understand what exactly I should do about this problem. However, I am trying hard to better understand the problems of XSS. This is my piece of code.

    // Returns the raw (not URL-decoded) value that follows "param=" in the query string.
    function getParameter(param) {
        var val = "";
        var qs = window.location.search;
        var start = qs.indexOf(param);
        if (start != -1) {
            start += param.length + 1;
            var end = qs.indexOf("&", start);
            if (end == -1) { end = qs.length }
            val = qs.substring(start, end);
        }
        return val;
    }
    var formName = getParameter("formName");
    // year, month, thisDay and contextstr are set elsewhere in the page (not shown here).
    // formName is concatenated straight into a javascript: URL inside an HTML attribute.
    var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\'' + year + '\',\'' + month + '\',\'' + thisDay + '\'), \'' + contextstr + '\', \'' + formName + '\' );window.close()" class="modulelink">' + thisDay + '</a></td>';
    document.getElementById('calendarA').innerHTML = myValue;

And these statements

    var qs = window.location.search;
    val = qs.substring(start, end);
    var formName = getParameter("formName");
    var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\'' + year + '\',\'' + month + '\',\'' + thisDay + '\'), \'' + contextstr + '\', \'' + formName + '\' );window.close()" class="modulelink">' + thisDay + '</a></td>';
    document.getElementById('calendarA').innerHTML = myValue;

were flagged by the application scanner testing tool as possible XSS (cross-site scripting) code, but I'm not sure how this is related to XSS and how I can fix this problem now. Can someone explain how this vulnerability can be fixed?

+6
3 answers
    var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\'' + year + '\',\'' + month + '\',\'' + thisDay + '\'), \'' + contextstr + '\', \'' + formName + '\' );window.close()" class="modulelink">' + thisDay + '</a></td>';

There is no escaping on this line; it expects '(... \''+formName+'\' );...' to be one string. But it can become something else:

    formName = "'); alert('I\'m free to do anything here'); (''+"
    document.getElementById('calendarA').innerHTML = myValue;

Put this snippet into myValue:

 ... <img src=void onerror="alert('hacked')" /> ... 

You can check if it works:

    document.querySelector('button').addEventListener('click', function () {
        document.querySelector('output').innerHTML = document.querySelector('textarea').value;
    })

    <textarea>... <img src=void onerror="alert('hacked')" /> ...</textarea>
    <button>Go</button>
    <output></output>

You should not trust any data passed in the URL query string. Any site can place a link to your site. Some users click on it, go to your site, the parameters are executed in the context of your site, and the attacker can do whatever he wants.

+2

Nothing in the code that you showed us is vulnerable.

You are reading user input, so it's possible to introduce a vulnerability there. This is probably what the tool you are using detects.

If your code is vulnerable, it will be because of what you are doing with the value of formName next (in code that you did not show us).

0

This is a possible DOM based XSS problem.

If you use the formName value as document.getElementById("demo").innerHTML = formName, or your DOM elements are somehow created or modified using formName, you are vulnerable, as I can create my own URL like http://urwebsite.html?formName=<script>document.cookie_will_be_transfered_to_my_server_here</script> and ask a registered user to click it (simple social engineering). Now I have this person's session ID, with which I can do whatever I want.

As a rule, all user input must be HTML encoded.

0
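The fix that the first and third answers describe, as an added example that is not part of the original question or of any answer: the query-string parser and the calendar-cell renderer from the question, rewritten so that formName (and the other values) never end up inside a javascript: URL or in unescaped HTML. The original versions are kept alongside for comparison. assignDateIps, contextstr, year, month, thisDay, calendarA and the modulelink class come from the question; the data-* attributes, escapeHtml, wireCalendar and the sample payload strings are assumptions introduced here. It runs under Node (URLSearchParams is a global there), except for wireCalendar, which needs a browser DOM.

```javascript
// Added example, not code from the original question or answers.

// Original parser, kept for comparison. It does not URL-decode the value, and it
// matches "formName" as a substring, so "?xformName=a" is taken for "formName".
function getParameterUnsafe(search, param) {
  var val = "";
  var start = search.indexOf(param);
  if (start != -1) {
    start += param.length + 1;
    var end = search.indexOf("&", start);
    if (end == -1) { end = search.length; }
    val = search.substring(start, end);
  }
  return val;
}

// Hardened parser: URLSearchParams splits on "&" and "=", decodes "+" and %XX,
// and returns only the parameter whose whole name matches. Missing -> "".
function getParameter(search, param) {
  return new URLSearchParams(search).get(param) || "";
}

// Original rendering, kept for comparison: formName is spliced into a JS string
// literal, inside a javascript: URL, inside an HTML attribute, then parsed by innerHTML.
function renderDayCellUnsafe(year, month, thisDay, contextstr, formName) {
  return '<a href="javascript:parent.opener.assignDateIps( new Date(\'' + year +
    '\',\'' + month + '\',\'' + thisDay + '\'), \'' + contextstr + '\', \'' +
    formName + '\' );window.close()" class="modulelink">' + thisDay + '</a></td>';
}

// Encode the five characters that can change meaning in HTML text or inside a
// double-quoted attribute value (the "HTML encoding" the third answer asks for).
function escapeHtml(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Hardened rendering: no inline script at all. The untrusted values travel as
// HTML-encoded data-* attributes and the link carries no javascript: URL, so the
// browser never has to parse user input as code.
function renderDayCell(year, month, thisDay, contextstr, formName) {
  return '<a href="#" class="modulelink"' +
    ' data-year="' + escapeHtml(year) + '"' +
    ' data-month="' + escapeHtml(month) + '"' +
    ' data-day="' + escapeHtml(thisDay) + '"' +
    ' data-context="' + escapeHtml(contextstr) + '"' +
    ' data-form-name="' + escapeHtml(formName) + '">' +
    escapeHtml(thisDay) + '</a></td>';
}

// Browser-side wiring (needs a DOM, so it is not exercised offline): one delegated
// click handler reads the attributes back as plain strings and calls assignDateIps.
function wireCalendar(container, opener) {
  container.addEventListener("click", function (ev) {
    var a = ev.target.closest("a.modulelink");
    if (!a) { return; }
    ev.preventDefault();
    var d = a.dataset;
    opener.assignDateIps(new Date(d.year, d.month, d.day), d.context, d.formName);
    window.close();
  });
}
```

In the page, `document.getElementById('calendarA').innerHTML = renderDayCell(year, month, thisDay, contextstr, getParameter(window.location.search, "formName"))` followed by `wireCalendar(document.getElementById('calendarA'), parent.opener)` replaces the original assignment. The value still reaches assignDateIps unchanged, but as a string argument read from an attribute, not as text the browser evaluates.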

Source: https://habr.com/ru/post/1012898/
