
I have a page which redirects to a URL taken from a query string parameter, like:
page.html?redirectUrl=index.html
Inside the page I have code like this:
window.location.href = redirectUrl; // redirectUrl comes straight from the query string
It is a requirement to take the redirect URL from the parameters. The page contains secure sensitive data. Someone can make a URL with JavaScript in it, like:
page.html?redirectUrl=javascript:alert(document.getElementById("password").value)
and the secure data can be stolen.

How do I prevent JavaScript code from being passed to window.location.href?

  • By whom would the data be stolen in this case? The user? They can get any data on the page anyway. Commented Jan 8, 2013 at 16:13
  • @Pekka웃 — The user (Alice) can follow a link to Bob's site from Mallory's (the attacker's) site. This is a classic XSS attack. Commented Jan 8, 2013 at 16:16
  • I'd step back and look at the problem the redirect is trying to solve in the first place. You might be able to check submitted URLs against a database or a pattern. Commented Jan 8, 2013 at 16:18
  • @Quentin Good idea if you have a fixed list of URLs. I'm not sure there exists a pattern for XSS attacks, though. It would be too simple, now wouldn't it? Note that even Facebook struggles with it. Commented Jan 8, 2013 at 16:22
  • Other options would be to use a server-side script to read the query string, parse the submitted URL as a URL (e.g. with URI::URL), check that it is an HTTP or HTTPS URI, and then error if it isn't. Even that exposes you to the risk that you'll be used as a layer of redirection by spammers, though. Commented Jan 8, 2013 at 16:25

2 Answers


You might try putting the URL in an anchor element and checking the protocol:

// Let the browser's own URL parser resolve the candidate, then inspect the scheme it ended up with
var anchor = document.createElement("a");
anchor.href = redirectUrl;

if (anchor.protocol != "javascript:") {
    window.location.href = redirectUrl;
}

However, I'm not sure how good the browser support is for this, since MDN lists it as an HTML5 feature.



This seems like it would work as long as you're not redirecting with it:

Javascript:

var field = document.getElementById("redirectUrl"); // the input element holding the submitted URL
var newValue = String(field.value);                 // copy the field value as a string
alert(newValue);

Basically, using the String constructor to "sanitize" the input.

These will probably help more with other cases:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

Overall, I would recommend NOT using JavaScript to sanitize input. If you're handling really sensitive or important data, it is highly recommended that you use a server-side language to validate and sanitize your input.

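The two answers above each show one piece of a check: the first parses the candidate with an anchor element and looks at the resulting protocol, the second passes the value through String(). The following is an added example, not code from the question or from either answer, that puts those pieces into a complete validator for the page.html?redirectUrl=... pattern. It assumes the page lives at https://app.example/page.html, that the parameter is still named redirectUrl, and that the only legitimate destinations are the page's own origin plus an explicit allowlist of other origins; those names and the sample inputs are constructed for the illustration. It uses the WHATWG URL API, which normalises input the same way the anchor trick does, so it runs unchanged under Node and in the browser.

```javascript
// Added example (not the question's or either answer's code): validate a
// redirect target before assigning it to window.location.href.
// Assumed for the illustration: the page URL, the parameter name, the
// allowlist of origins and every sample input below.

const REDIRECT_PARAM = 'redirectUrl';   // assumed query parameter name, as in the question

// Return an absolute http(s) URL that is safe to assign to window.location.href,
// or `fallback` (resolved against the page) when the candidate is rejected.
function safeRedirectTarget(candidate, pageUrl, allowedOrigins = [], fallback = '/') {
  const page = new URL(pageUrl);
  const safeDefault = new URL(fallback, page.href).href;
  const allowed = new Set([page.origin, ...allowedOrigins]);

  // String() only coerces the type; "javascript:" comes out exactly as it went in.
  const raw = candidate == null ? '' : String(candidate);
  if (raw.trim() === '') return safeDefault;

  let target;
  try {
    // The WHATWG parser strips leading/trailing whitespace, drops embedded tabs
    // and newlines, lower-cases the scheme and treats "\" like "/" for http(s),
    // so "  JavaScript:", "java\tscript:" and "/\evil.example/" all end up with
    // their real scheme and host exposed on the parsed object.
    target = new URL(raw, page.href);
  } catch (e) {
    return safeDefault;               // unparsable input is never a redirect
  }

  // Only web URLs: this rejects javascript:, data:, vbscript:, blob:, file:, ...
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return safeDefault;

  // Compare the full origin (scheme, host, port). A scheme-only check stops the
  // javascript: payload but still lets the page be used as an open redirect to
  // any foreign site; a hostname-only check would pass "app.example.evil.example".
  if (!allowed.has(target.origin)) return safeDefault;

  // Credentials embedded in the URL are only useful for phishing; drop them.
  target.username = '';
  target.password = '';
  return target.href;
}

// Read the parameter from the page's own URL and validate it.
function chooseRedirect(pageUrl, allowedOrigins = [], fallback = '/') {
  const params = new URL(pageUrl).searchParams;
  return safeRedirectTarget(params.get(REDIRECT_PARAM), pageUrl, allowedOrigins, fallback);
}

// In the browser the call site would be:
//   window.location.href = chooseRedirect(window.location.href, ['https://cdn.example']);
// Under Node there is no window, so just show the decision for each sample input.
if (typeof window === 'undefined') {
  const samplePage = 'https://app.example/page.html';
  const sampleAllowed = ['https://cdn.example'];
  const samples = [
    'index.html',
    'javascript:alert(document.getElementById("password").value)',
    '  JavaScript:alert(1)',
    'java\tscript:alert(1)',
    'data:text/html,<script>alert(1)</script>',
    '//evil.example/',
    '/\\evil.example/',
    'https://app.example.evil.example/',
    'https://app.example:8443/',
    'https://user:pw@app.example/account',
    'https://cdn.example/lib.js',
  ];
  for (const s of samples) {
    console.log(JSON.stringify(s), '->', safeRedirectTarget(s, samplePage, sampleAllowed));
  }
}
```

The origin comparison is what makes this more than a scheme filter: it also closes the "layer of redirection for spammers" problem raised in the comments, because a target outside the allowlist falls back to the page's own root instead of being followed. If the server must also accept the parameter (for example to honour it after a login round trip), apply the same rule there; a client-side check alone can be skipped by anyone who can disable or bypass the script.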
