Blocking XSS URL attacks

Domain hacking this javascript:

I see the following code in my JavaScript and need to harden my MVC site against XSS attacks.

I already have a function which inspects the URL and rejects it if the domain is not whitelisted. I found lots of places in the JavaScript where domains are being constructed, yet I do not know if that domain can be hacked or not.

 window.location = window.Server.mapPath('~/TestAdminis/Index?testId=' + testId + '&redirectFromCreateTest=' + true);

What redirection trick could a hacker play if the code above is used?

This JavaScript is clearly assigning the URL of the href attribute of window.location.

So, when the page renders, that URL value exists in the DOM. And a hacker could use some tool to insert his own domain and URL into that variable.

Do I have that right?

What do I do about it?

newbieweb (Sr. Software Engineer) asked:
Dave Baldwin (Fixer of Problems) commented:
Ctrl-Shift-J brings up the developer console and error log.  You should look at that.  I could not find ANY instance of Server.mapPath on any non-Microsoft software.
Dave Baldwin (Fixer of Problems) commented:
What are you doing?  As far as I can tell, "Server.mapPath" is a strictly Microsoft function and won't work in non-Microsoft browsers.
newbieweb (Sr. Software Engineer, Author) commented:
I am new to this project, but our website only supports Firefox. Strange.

It seems to be used in AJAX calls...for example...

                // jQuery $.ajax call; the options below are as posted, the wrapper is added for context
                $.ajax({
                    // Server.mapPath resolves the "~/" virtual path against the application root
                    url: top.Server.mapPath("~/UserAssignment/GetUserAssignments"),
                    dataType: "json",
                    data: filters,
                    type: "POST",
                    cache: false
                });

btan (Exec Consultant) commented:
May want to encode testId.
The generally accepted practice is that encoding takes place at the point of output, and encoded values should never be stored in a database. Encoding at the point of output allows you to change the use of data.

var example = "\"Quoted Value with spaces and &\"";
var encodedValue = _urlEncoder.Encode(example);

After encoding the encodedValue variable will contain %22Quoted%20Value%20with%20spaces%20and%20%26%22. Spaces, quotes, punctuation and other unsafe characters will be percent encoded to their hexadecimal value, for example a space character will become %20.
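To tie the encoding advice back to the window.location line in the question, here is an added example (not the asker's code and not btan's): the raw-concatenation pattern beside a percent-encoded version, plus an origin check of the kind the asker's existing whitelist function performs. It assumes a constructed app root (APP_ROOT), a constructed whitelist (ALLOWED_ORIGINS), and a mapPath() stand-in that imitates Server.mapPath("~/...") by resolving "~/" against the app root; the URL API used is available in both browsers and Node.

```javascript
// Added example. APP_ROOT and ALLOWED_ORIGINS are constructed values;
// mapPath() is a stand-in for window.Server.mapPath, which maps "~/"
// to the application root.
const APP_ROOT = "https://app.example.test/";
const ALLOWED_ORIGINS = ["https://app.example.test"];

function mapPath(virtualPath) {
  return new URL(virtualPath.replace(/^~\//, ""), APP_ROOT).href;
}

// The pattern from the question: testId goes into the query string raw,
// so a value containing '&' or '=' creates or overrides other parameters.
function buildRedirectUnsafe(testId) {
  return mapPath("~/TestAdminis/Index?testId=" + testId +
                 "&redirectFromCreateTest=" + true);
}

// Hardened: percent-encode the untrusted value at the point of output so
// '&', '=', '#' and friends stay inside the testId parameter.
function buildRedirectSafe(testId) {
  return mapPath("~/TestAdminis/Index?testId=" +
                 encodeURIComponent(String(testId)) +
                 "&redirectFromCreateTest=" + true);
}

// Whitelist check to run before any window.location assignment. Relative
// targets resolve against the app root; a target that resolves to any other
// origin is refused (null). javascript: and data: URLs have origin "null",
// so they are refused as well.
function allowedRedirect(target) {
  let url;
  try {
    url = new URL(target, APP_ROOT);
  } catch (e) {
    return null; // unparseable target: do not redirect
  }
  return ALLOWED_ORIGINS.includes(url.origin) ? url.href : null;
}

// Helper used to inspect the result: read one query parameter back out.
function queryParam(href, name) {
  return new URL(href).searchParams.get(name);
}
```

A call site would then be window.location = allowedRedirect(buildRedirectSafe(testId)) with a null check, rather than assigning the concatenated string directly.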
newbieweb (Sr. Software Engineer, Author) commented:
So, how exactly does encoding query params make it harder to hack? I see the data assigned to an ID must be encrypted.

How would "projectId" look when it's encoded?

newbieweb (Sr. Software Engineer, Author) commented:
Thanks. I know that IE was once a supported platform, but at the moment, our apps only work on Firefox. FF ESR 52.6.

Strange that it does not seem to cause a failure on Firefox.

I guess I could try and debug that and find out.
Dave Baldwin (Fixer of Problems) commented:
Often Firefox will just skip over something that does not make sense to it.  You can find out a lot about your pages in the console.
btan (Exec Consultant) commented:
Once encoding is done, most of the param value sort of becomes a string, with those (let's say) angle brackets etc. needed for enclosing JS scripts becoming inactive. It can no longer be active script that runs when processed by the browser.