Here in my JavaScript function I'm using location.href as follows:
location.href = "../Floder1/result.jsp";
It is working fine, but when I used the Fortify tool it is showing Cross-site Scripting, which can result in the browser executing malicious code.
How do I protect this from cross-site scripting? Thank you very much, your answer will be very much appreciated.

- Where does the string that you are setting location.href to come from? – kinakuta Aug 22 '14 at 06:40
- Is assigning a value to location.href the wrong way? If so, guide me please. – tajMahal Aug 22 '14 at 06:40
- @Gabs00, flag does not do anything, I kept the flag just for identification/validation. – tajMahal Aug 22 '14 at 06:42
- @kinakuta, the string comes from cookies, I think. – tajMahal Aug 22 '14 at 06:43
- Can you provide more info on what exactly you are trying to achieve? The issue, and why you chose this solution. – Gabs00 Aug 22 '14 at 06:45
- http://stackoverflow.com/questions/24078332/is-it-secure-to-use-window-location-href-directly-without-validation , I referred to the 2nd answer in this link but I don't know how to implement it for my current requirement. – tajMahal Aug 22 '14 at 06:45
- @Gabs00, now check my question, I have edited it. I'm just assigning a value to location.href. – tajMahal Aug 22 '14 at 06:48
2 Answers
This code should work only in Firefox, since Proxy isn't implemented in all browsers.
What you can do is replace the original location object with a proxied one, where you add some logic to your proxy to check for allowed values for location. This will not protect against direct modification of the original object (location), but if you use only the proxied object in your code you should be fine.
```javascript
// suppose we are in example.com
let validator = {
  // Trap assignments: only an absolute URL on our own https origin may be set as href.
  set: function (obj, prop, val) {
    if (prop === 'href') {
      if (typeof val !== 'string') {
        throw new TypeError('href must be string.');
      }
      if (!val.startsWith("https://example.com/")) {
        throw new Error('XSS');
      }
    }
    obj[prop] = val;
    return true;
  },
  // Trap reads: return the property from the real location, or null if it doesn't exist.
  get: function (obj, prop) {
    return prop in obj ? obj[prop] : null;
  }
};
let proxiedLocation = new Proxy(location, validator);
console.log(proxiedLocation.href);                   // works the same as location.href
proxiedLocation.href = "https://example.com/page1";  // works fine
proxiedLocation.href = "https://example.net/page1";  // throws an exception
```

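The startsWith check in the Proxy answer above rejects every relative target, including the asker's own `../Floder1/result.jsp`. The added example below (not code from the question or from either answer) does the same allow-list validation after first resolving the target against the page URL with the standard `URL` class, so same-origin relative paths pass while `javascript:` URLs, protocol-relative `//host` targets and other origins are refused. The function names and the `fakeLocation` object are assumptions made for the demo.

```javascript
// Added example: validate a redirect target before assigning it to location.href.
// Only http(s) targets that resolve to the page's own origin are accepted.
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the absolute URL string to navigate to, or null if the target is not
// acceptable. `currentHref` is the page's own URL (location.href in a browser).
function safeRedirectTarget(target, currentHref) {
  if (typeof target !== "string") return null;
  let resolved;
  try {
    resolved = new URL(target, currentHref);   // resolves "../x.jsp", "/x.jsp", "//host/x"
  } catch (e) {
    return null;                               // unparsable target
  }
  const current = new URL(currentHref);
  if (!SAFE_PROTOCOLS.has(resolved.protocol)) return null; // blocks javascript:, data:, ...
  if (resolved.origin !== current.origin) return null;     // blocks other hosts, incl. //evil
  return resolved.href;
}

// Navigates only when the target passes validation; returns whether it navigated.
// `loc` is any object with an `href` property (window.location in a browser).
function safeNavigate(target, loc) {
  const dest = safeRedirectTarget(target, loc.href);
  if (dest === null) return false;
  loc.href = dest;
  return true;
}

// Demo with a constructed location-like object standing in for window.location.
const fakeLocation = { href: "https://example.com/app/Folder2/index.jsp" };
safeNavigate("../Floder1/result.jsp", fakeLocation);
// fakeLocation.href is now "https://example.com/app/Floder1/result.jsp"
safeNavigate("javascript:alert(1)", fakeLocation);  // refused, href unchanged
```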
Cross-site scripting occurs when the user can put data in the webpage or get session data, for example.
HOW TO PROTECT
You never allow code to be injected in your webpage. So, if you have a form, check it on the server and parse it before printing it in your page.
You shouldn't allow the page content to be changed by the href. You always escape the data before!
Read this answer about location.href: https://stackoverflow.com/a/24089350/2389232
SAMPLE:
You have an iframe that changes with a GET variable:
sample.tld/index.jsp?iframe=none.jsp
I can inject a script into your iframe, so you should protect it with escape characters:
// Escape the characters on the server and send them to the client.
// So the GET variable iframe will be valid
- How should I write the condition for my current situation (question) to protect it? – tajMahal Aug 22 '14 at 06:51
- snake, I'm not using any iframe in my code, I just have this piece of code in my js function: location.href = "../Floder1/result.jsp"; – tajMahal Aug 22 '14 at 06:55
- Which is the problem? This `location.href` redirects to another page. It is not a vulnerability. If **fortify tool** says that this line is an XSS vulnerability, it is wrong. [Read this explanation](http://stackoverflow.com/a/24089350/2389232). – SnakeDrak Aug 22 '14 at 06:58
- If it solves your problem, mark it please :). Otherwise tell me what you want to do. Regards! – SnakeDrak Aug 22 '14 at 07:17