XSS with javascript:alert()

Question

I'm working on some Reflected Cross-site scripting (XSS) vulnerabilities on our site (php, html,...) AppSpider is reporting one I cannot resolve.

Location: javascript:alert(10829224)

Usually AppSpider lists the url with the js in it. This time it does not. It just lists the querystring: url=javascript:alert(12345)

When I try to test by adding this to the url of the page listed, I get nothing: /path/to/page.html?url=javascript:alert(12345) If I add script tags: /path/to/page.html?url=<script>javascript:alert(12345)</script> I get the alert popup.

Question 1- does javascript:alert() without script tags work? viable js?

Question 2- How can I escape or prevent this type of attack?

We have code to filter out bad unicode chars (thanks: http://stackoverflow.com/questions/3466035/how-to-skip-invalid-characters-in-xml-file-using-php). It works great on nullifying the <script></script> tags, but apparently it does not help in this case.

Thanks for any tips or tricks

Use regex to properly filter your URL: Replace(url, @"[^-A-Za-z0-9+&@#/%?=~_|!:,.;]", ""); and run that on all input you receive. NEVER trust input. — Lulceltech, May 21 '19 at 20:52
Possible duplicate of [How does XSS work?](https://stackoverflow.com/questions/239194/how-does-xss-work) — miken32, May 21 '19 at 22:44

score 2 · Answer 1 · answered May 24 '19 at 15:05

It turns out that the page I'm working on is expecting a relative path to a file in the $_REQUEST['url'] var. So, I was able to take a different approach then trying to parse out or replace javascript. I used php's parse_url() function. Cheap hack, but it works for this one-off page/case.

if (isset($_REQUEST['url']) && valid_script_name_passed_in($_REQUEST['url']) ) {
 ...
}else{
 ...
}

function valid_script_name_passed_in($request_value){
    $parts = parse_url($request_value);
    if( is_array($parts) ){
        if( isset($parts['scheme']) || isset($parts['host'] ){
            return false;
        }
    }
    return true;
}

It's safer to just have a whitelist of valid values, and use exact string matching against that whitelist. — user229044, May 24 '19 at 15:10

score 0 · Answer 2 · answered May 21 '19 at 20:57

using "javascript:" in a URL tag will execute the javascript following the colon when the link is clicked.

Can't tell you with certainty without the details, but it seems like the warning is that the "URL=" is vulnerable to user modification, which would allow a user to change the url="javascript:[malicious code goes here]" to inject malicious code.

You used to see this problem a lot on sites where someone could post a URL to their homepage, and without being checked, could just include a javascript instead.

You can't escape it, it needs to be sanitized server-side to prevent a user from being allow to insert javascript code.

score -1 · Answer 3 · answered May 21 '19 at 21:06

Question 1- does javascript:alert() without script tags work?

On your website querystring is sometimes rendered on a page. If it's rendered in html - then tags needed. If it's rendered inside javascript code - then it might work without tags.

Question 2- How can I escape or prevent this type of attack?

General solution is to escape user's input when printing it on a page. In PHP best function for that is htmlspecialchars. It will replace all special characters with html entities. For example,it will replace & to &amp .This way text will look unchanged, but XSS injection will be prevented.

In your case I guess you expect a valid URL in ?url=xxx query parameter. Then escaping will not work, as escaping will destroy URL. In this case you might want to validate if provided string is a valid URL. Here discussed few options for URL validation.

XSS with javascript:alert()

3 Answers3