curiouswebster
asked on
Blocking XSS URL attacks
Domain hacking this javascript:
I see the following code in my javascript and need to harden my MVC site against XSS attacks
I already have a function which inspects the URL and rejects it if the domain is not white listed. I found lots of places in the javascript where domains are being constructed, yet I do not know if that domain can be hacked or not.
```javascript
window.location = window.Server.mapPath('~/TestAdminis/Index?testId=' + testId + '&redirectFromCreateTest=' + true);
```
What redirection trick could a hacker play if the code above is used?
This javascript is clearly assigning the URL of the href attribute of window.location.
So, when the page renders, that URL value exists in the DOM. And a hacker could use some tool to insert his own domain and url into that variable.
Do I have that right?
What do I do about it?
Thanks
ASKER
So, how exactly does encoding query params make it harder to hack? I see the data assigned to an ID must be encrypted.
How would "projectId" look when it's encoded?
Thanks
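A defensive version of the redirect line from the question, as an added example (not code from the original thread or from the expert answers): it encodes each parameter with encodeURIComponent (so a name like `projectId` stays `projectId`, while `&`, `=`, `<` and `>` inside a value become `%26`, `%3D`, `%3C`, `%3E`) and checks the hostname of the finished URL against the allow-list before it is ever assigned to window.location. The allow-list, the site origin and the client-side `mapPath` stand-in are assumptions.

```javascript
// Added example, not code from the original question. The allow-list and
// site origin below are constructed values.
const ALLOWED_HOSTS = ['app.example.com'];
const SITE_ORIGIN = 'https://app.example.com';

// Stand-in for Server.mapPath (hypothetical helper): resolve an ASP.NET
// "~/" app-relative path to a site-absolute path.
function mapPath(appRelative, appRoot = '/') {
  return appRelative.startsWith('~/') ? appRoot + appRelative.slice(2) : appRelative;
}

// Encode every key and value so a value cannot smuggle an extra parameter
// ('&'), end the query early ('#') or carry markup into the URL.
function buildQuery(params) {
  return Object.keys(params)
    .map(k => encodeURIComponent(k) + '=' + encodeURIComponent(String(params[k])))
    .join('&');
}

// Build the redirect target and accept it only if it resolves to an http(s)
// URL whose host is on the allow-list. Returns null for anything else, so the
// caller never navigates to a scheme or host the site does not own.
function safeRedirectUrl(appRelativePath, params) {
  let url;
  try {
    url = new URL(mapPath(appRelativePath) + '?' + buildQuery(params), SITE_ORIGIN);
  } catch (e) {
    return null; // unparsable input is rejected, not navigated to
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (!ALLOWED_HOSTS.includes(url.hostname)) return null;
  return url.href;
}

// Usage in the page, mirroring the line from the question:
//   const target = safeRedirectUrl('~/TestAdminis/Index',
//                                  { testId: testId, redirectFromCreateTest: true });
//   if (target) window.location = target;
```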
ASKER
Thanks. I know that IE was once a supported platform, but at the moment, our apps only work on Firefox. FF ESR 52.6.
Strange that it does not seem to cause a failure on Firefox.
I guess I could try and debug that and find out.
ASKER
thanks
Once encoding is done, most of the param value sort of becomes a string; those (let's say) angle brackets etc. needed for enclosing JS scripts become inactive. It can no longer be active script that runs when processed by the browser. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Why_Can.27t_I_Just_HTML_Entity_Encode_Untrusted_Data.3F
ASKER
It seems to be used in AJAX calls... for example...

```javascript
$.ajax({
    url: top.Server.mapPath("~/User
    dataType: "json",
    data: filters,
    type: "POST",
    cache: false,
```