I have been going through so many forums & wikipedia's since few days for trying to understand about XSS attacks alomost I have spent 2-3 days but still not get better idea as suggesting multiple solutions by experts & I want know how the hackers can inject malicious code on victims browser ? and my application have been use to run on some App Scanner standard testing tool so its caught so many XSS issues. I want put here one of XSS issue of my application so can please some one help me out to understand the what exactly I have to do for this issue. Still I have been trying a lot to get better understand about XSS issues. This is my code snippet
function getParameter(param) {
var val = "";
var qs = window.location.search;
var start = qs.indexOf(param);
if (start != -1) {
start += param.length + 1;
var end = qs.indexOf("&", start);
if (end == -1) {
end = qs.length
}
val = qs.substring(start,end);
}
return val;
}
var formName = getParameter("formName");
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';
document.getElementById('calendarA').innerHTML = myValue;I have been going through so many forums & wikipedia's since few days for trying to understand about XSS attacks alomost I have spent 2-3 days but still not get better idea as suggesting multiple solutions by experts & I want know how the hackers can inject malicious code on victims browser ? and my application have been use to run on some App Scanner standard testing tool so its caught so many XSS issues. I want put here one of XSS issue of my application so can please some one help me out to understand the what exactly I have to do for this issue. Still I have been trying a lot to get better understand about XSS issues. This is my code snippet
function getParameter(param) {
var val = "";
var qs = window.location.search;
var start = qs.indexOf(param);
if (start != -1) {
start += param.length + 1;
var end = qs.indexOf("&", start);
if (end == -1) {
end = qs.length
}
val = qs.substring(start,end);
}
return val;
}
var formName = getParameter("formName");
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';
document.getElementById('calendarA').innerHTML = myValue;And these statements are
var qs = window.location.search;
val = qs.substring(start,end);
var formName = getParameter("formName");
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';
document.getElementById('calendarA').innerHTML = myValue;
cought by App scanner testing tool as possible code for XSS(Cross Site Scripting) issues but I am not sure how it is cause to XSS & how I can fix this issue now. Can anybody please provide insights on how this vulnerability can be fixed?
Share Improve this question edited Dec 5, 2016 at 14:28 Venkaiah Yepuri asked Dec 5, 2016 at 12:59 Venkaiah YepuriVenkaiah Yepuri 1,6514 gold badges20 silver badges31 bronze badges 7-
1
How do you use
formNamevariable? – Qwertiy Commented Dec 5, 2016 at 13:11 - Hi Qwertiy, I am new to this application just joined few days back & directly working on XSS issues. As a developer I can say its is queryString param name & pass this param to getParameter() function & try to fetch the value of that param using window.location.search. – Venkaiah Yepuri Commented Dec 5, 2016 at 13:15
- How do you use the value afrer fetching it? – Qwertiy Commented Dec 5, 2016 at 13:16
-
I think you could add your snippet on how you use the variable
formNamein your program.. – Tom Taylor Commented Dec 5, 2016 at 13:24 - Sure Qwerity, Rajasuba – Venkaiah Yepuri Commented Dec 5, 2016 at 13:26
3 Answers
Reset to default 3var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';
This line doesn't have any escaping, it expects '(... \''+formName+'\' );...' to be a string. But it can bee some other thing:
formName = "'); alert('I\'m free to do anything here'); (''+"
document.getElementById('calendarA').innerHTML = myValue;
Let's place such fragment into myValue:
... <img src=void onerror="alert('hacked')" /> ...
You can check it works:
document.querySelector('button').addEventListener('click', function () {
document.querySelector('output').innerHTML = document.querySelector('textarea').value;
})<textarea>... <img src=void onerror="alert('hacked')" /> ...</textarea>
<button>Go</button>
<output></output>You should never trust any data passed by url string. Any site can place any link to you site. Some user clicks it, goes to your site, parameters are executed in context of your site, and attacker can do anything he wants to.
Nothing in the code you've shown us is vulnerable.
You are reading user input, so there is the potential to introduce a vulnerability there. That is probably what the tool you are using is detecting.
If your code is vulnerable, then it will be because of whatever you do with the value of formName next (in the code you haven't shown us).
This is a possible DOM based XSS issue.
If you are using the value of formName like document.getElementById("demo").innerHTML=formName or somehow your DOM elements are being created/modified using the formName you are vulnerable,
as i can create a custom url like http://urwebsite.html?formName=<script>document.cookie_will_be_transfered_to_my_server_here</script> and ask a logged in person to click it(simple social engineering) .Now i have that person's session id, using which i can do what ever i want.
As a resolution, all the input data from the user has to be html encoded.