Blocking XSS URL attacks

Domain hacking this javascript:

I see the following code in my JavaScript and need to harden my MVC site against XSS attacks.

I already have a function which inspects the URL and rejects it if the domain is not whitelisted. I found lots of places in the JavaScript where domains are being constructed, yet I do not know if that domain can be hacked or not.

 window.location = window.Server.mapPath('~/TestAdminis/Index?testId=' + testId + '&redirectFromCreateTest=' + true);

What redirection trick could a hacker play if the code above is used?

This JavaScript is clearly assigning the URL of the href attribute of window.location.

So, when the page renders, that URL value exists in the DOM. And a hacker could use some tool to insert his own domain and url into that variable.

Do I have that right?

What do I do about it?

newbieweb (Sr. Software Engineer) asked:

Dave Baldwin (Fixer of Problems) commented:
What are you doing?  As far as I can tell, "Server.mapPath" is a strictly Microsoft function and won't work in non-Microsoft browsers.
newbieweb (Sr. Software Engineer, author) commented:
I am new to this project, but our website only supports Firefox. Strange.

It seems to be used in AJAX calls, for example:

                url: top.Server.mapPath("~/UserAssignment/GetUserAssignments"),
                dataType: "json",
                data: filters,
                type: "POST",
                cache: false,
btan (Exec Consultant) commented:
May want to encode testId.
The generally accepted practice is that encoding takes place at the point of output, and encoded values should never be stored in a database. Encoding at the point of output allows you to change the use of data

var example = "\"Quoted Value with spaces and &\"";
var encodedValue = _urlEncoder.Encode(example);

After encoding the encodedValue variable will contain %22Quoted%20Value%20with%20spaces%20and%20%26%22. Spaces, quotes, punctuation and other unsafe characters will be percent encoded to their hexadecimal value, for example a space character will become %20.
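The following is an added example, not code from the thread or from the author's site. It puts the concatenation in the question and the encoding in the comment above side by side: the risk in the snippet is not that the assignment to window.location is visible in the DOM, but that testId is concatenated into the query string unencoded, so if testId ever comes from an untrusted source it can carry extra "&name=value" pairs of its own. encodeURIComponent is the JavaScript counterpart of the UrlEncoder.Encode call quoted above and produces the same %22Quoted%20Value... output for that input. The mapPath stand-in, APP_ROOT, ALLOWED_HOSTS and the sample testId values are assumptions made up for the demo; the site's real Server.mapPath may do more than swap the "~/" prefix.

```javascript
// Added example (not from the original page). Assumptions: the site's
// window.Server.mapPath only swaps the "~/" prefix for the application root,
// and APP_ROOT, ALLOWED_HOSTS and the sample testId values are constructed here.
const APP_ROOT = '/app';
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

// Stand-in for Server.mapPath (assumption, see above).
function mapPath(virtualPath) {
  return virtualPath.replace(/^~\//, APP_ROOT + '/');
}

// As in the original snippet: raw concatenation of testId into the query string.
function buildRedirectRaw(testId) {
  return mapPath('~/TestAdminis/Index?testId=' + testId +
                 '&redirectFromCreateTest=' + true);
}

// Hardened form: the value is percent-encoded at the point of output, so a
// crafted testId cannot add or override query parameters.
function buildRedirectEncoded(testId) {
  return mapPath('~/TestAdminis/Index?testId=' + encodeParam(testId) +
                 '&redirectFromCreateTest=true');
}

// What an encoded testId / projectId looks like: JavaScript's equivalent of
// the UrlEncoder.Encode call quoted in the comment above.
function encodeParam(value) {
  return encodeURIComponent(String(value));
}

// Parse a path the way the server will see its query string. Every value of a
// repeated name is kept, because which one wins is framework-specific.
function queryParams(path) {
  // The base is only needed so that a relative path parses; it is a placeholder.
  const url = new URL(path, 'https://placeholder.invalid');
  const params = {};
  for (const [name, value] of url.searchParams) {
    if (!params[name]) params[name] = [];
    params[name].push(value);
  }
  return params;
}

// Host allowlist check for anything that ends up in window.location. The target
// is resolved against the current origin first, so "//evil.example/" and
// "javascript:" URLs are seen for what they are instead of passing a naive
// substring check against the domain name.
function isSafeRedirect(target, currentOrigin) {
  let url;
  try {
    url = new URL(target, currentOrigin);
  } catch (e) {
    return false; // unparseable input is rejected, never navigated to
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return ALLOWED_HOSTS.includes(url.hostname);
}

// Demo: a crafted testId smuggles a second redirectFromCreateTest parameter
// through the raw build, and is just a literal value after encoding.
const crafted = '1&redirectFromCreateTest=false';
console.log(queryParams(buildRedirectRaw(crafted)));
console.log(queryParams(buildRedirectEncoded(crafted)));
console.log(encodeParam('<script>'));
console.log(isSafeRedirect('javascript:alert(1)', 'https://www.example.com'));
console.log(isSafeRedirect('//attacker.invalid/', 'https://www.example.com'));
```

Run it with node. The allowlist function is the shape the existing "inspect the URL and reject it" helper should have: resolve with the URL constructor, check the scheme, then compare the parsed hostname against the list, so that a hostname like www.example.com.attacker.invalid does not pass because it merely contains the allowed name.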

newbieweb (Sr. Software Engineer, author) commented:
So, how exactly does encoding query params make it harder to hack? I see the data assigned to an ID must be encrypted.

How would "projectId" look when it's encoded?

Dave Baldwin (Fixer of Problems) commented:
Ctrl-Shift-J brings up the developer console and error log. You should look at that. I could not find ANY instance of Server.mapPath in any non-Microsoft software.

newbieweb (Sr. Software Engineer, author) commented:
Thanks. I know that IE was once a supported platform, but at the moment, our apps only work on Firefox. FF ESR 52.6.

Strange that it does not seem to cause a failure on Firefox.

I guess I could try and debug that and find out.
Dave Baldwin (Fixer of Problems) commented:
Often Firefox will just skip over something that does not make sense to it.  You can find out a lot about your pages in the console.
btan (Exec Consultant) commented:
Once encoding is done, most of the param value sort of becomes a string; those (let's say) angle brackets etc. needed for enclosing JS scripts become inactive. It can no longer be active script that runs when processed by the browser.