Is it secure to use window.location.href directly without validation

javascript security xss href window.location
53,882

Solution 1

Using location.href can be understood to include two things:

  1. Using the value of location.href by passing it around in your code, manipulating it and using it to guide the logic in your code.
  2. Assigning someting to location.href, causing the browser to navigate to different URLs.

The first one, using the value, can be considered safe. The value of location.href is nothing more than a string. Of course it's part of user input, so you don't want to pass it to an eval statement, but that's true for all other forms of user input as well. In fact, the value of location.href is always a valid URL, so certain assumptions can be made of its content. In that sense you could argue it's more safe than most forms of user input. As long as you don't make any wrong assumptions.

The second one is something you should be careful with. Assigning unvalidated values to it can lead to open redirects that can be used for phishing and what's more, XSS issues arising from the use of javascript: and vbscript: URIs.

Edit: As requested, here's a more in-depth explanation of the problems with assiging to location.href:

Say you have an attacker controlled variable foo. The source of it can be anything really, but a query string parameter is a good example. When you assign the value of foo to location.href, what happens? Well, the browser does its best to interpret the value as a URI and then redirects the user to the resulting address. In most cases, this will trigger a page load; e.g. if value is "https://www.google.com/", Google's front page will be loaded. Allowing that to happen without user interaction is known as an open redirect and is considered a security vulnerability!

There are, however, types of URIs that won't trigger a page load. A common example of such a URI would be one that contains nothing but a fragment identifier, e.g. #quux. Assigning that to location.href would cause the page to scroll to the element with the ID "quux" and do nothing else. Fragment URIs are safe as long as you don't do anything stupid with the values of the fragments themselves.

Then to the interesting part: javascript: and vbscript: URIs. These are the ones that will bite you. The JavaScript and VBScript URI schemes are non-standard URI schemes that can be used to execute code in the context of the currently open web page. Sounds bad, doesn't it? Well, it should. Consider our attacker-controlled variable foo: all an attacker has to do to launch an attack against your users is inject a script URI into the variable. When you assign it to location.href, it's basically the same as calling eval on the script.

JavaScript URIs work in all modern browsers, while VBScript is IE-only, and requires the page to be rendered in quirks mode.

Finally, there's one more interesting URI scheme to consider: the data URI. Data URIs are file literals: entire files encoded as URIs. They can be used to encode any files, including HTML documents. And those documents, like any others, can contain scripts.

Most browsers treat each data URI as its own unique origin. That means the scripts in an HTML document wrapped in a data URI can not access any data on other pages. Except in Firefox.

Firefox treats data URIs a bit differently from all other browsers. In it, data URIs inherit the origin of whatever document is opening it. That means any scripts can access the data contained in the referring document. And that's XSS for you.

Solution 2

A XSS is not possible under #1

The worst case I can think of is someone using that for Social Engineering (lets say your domain is really popular like Ebay or Amazon), what an attacker could do is craft a message saying something like "Amazon/Ebay free stuff for you, just go to http://haxor.site" using the URL and sending it to someone.

But still I don't find it dangerous, because of the URL encoding the message would look pretty messy.

EDIT: This only answer #1, since when I answered this question there wasn't a "#2"

Share:
53,882

Related videos on Youtube

overshadow
Author by

overshadow

Always learn new thing if giving the opportunity.

Updated on October 28, 2021

Comments

  • overshadow
    overshadow over 2 years

    Is it secure to use window.location.href without any validation?

    For example:

    <script>
    var value = window.location.href;
    alert(value);
</script>

    From the above example, is it vulnerable to Cross-site scripting (XSS) attack? If it is, then how? How the attacker can modify the value of window.location.href to the malicious content?

    Edit (Second Situation)

    This is the url : www.example.com?url=www.attack.com

    Just assume taht I have a getQueryString() function that will return value without validation.

    <script> 
    var value = getQueryString('url'); 
    window.location.href = value; 
</script>

    Same question, is it vulnerable to Cross-site scripting (XSS) attack? If it is, then how? How can an attacker just make use of "window.location.href = value" to perform XSS?

    • Niet the Dark Absol
      Niet the Dark Absol almost 10 years
      window.location.href is a string. Strings are harmless until you do something potentially harmful with them (innerHTML maybe, ... or eval)
    • overshadow
      overshadow almost 10 years
      The attacker able to modify the value of window.location.href or not? Cause if they able to do so I think this is dangerous. For example, if they can change the content of window.location.href, they might change it to ")alert("Inject successful!")//"
    • Niet the Dark Absol
      Niet the Dark Absol almost 10 years
      And what do you think that'll achieve? Have you tried it?
    • overshadow
      overshadow almost 10 years
      I don't know, I just wonder if they able to change the value of window.location.href or not.
    • Niet the Dark Absol
      Niet the Dark Absol almost 10 years
      But what difference would it make?
    • overshadow
      overshadow almost 10 years
      Thanks man, finally I understand what you were talking about. How about I modify the code to document.write(value);?
    • Niet the Dark Absol
      Niet the Dark Absol almost 10 years
      Then you would have a problem, because someone could pass <script>alert('Haaaaax!');</script>
    • overshadow
      overshadow almost 10 years
      That mean value of window.location.href is able to modify?
    • Niet the Dark Absol
      Niet the Dark Absol almost 10 years
      http://stackoverflow.com/?no-really-you-think-this-is-safe
  • overshadow
    overshadow almost 10 years
    I am interested in your second explanation in term of XSS. Could you please explain more and give some example on how XSS attack can perform based on this situation? For example, <script> var value = getQueryString('url'); window.location.href = value; </script> Just assume that I have a function getQueryString() that will return value without validation. Just "window.location.href = value" will cause XSS?
  • jupenur
    jupenur almost 10 years
    Edited the answer with some more details.
  • overshadow
    overshadow almost 10 years
    Thank you, your explanation is clear and helpful. Very much appreciated.
  • partizanos
    partizanos almost 5 years
    Consider checking security.stackexchange.com/questions/95362/… there are 2 examples of valid XSS attacks with javacscript:alert('xss')
  • Asiri H.
    Asiri H. almost 3 years
    This does not work for security tools like checkmarx.
  • Saurav
    Saurav almost 3 years
    Question was asking about the security reasons

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Is window.location = window.location susceptible to XSS
Javascript XSS Prevention
Sanitizing HTML input value
Why is Cloudfront loading scripts in my web app? (I don't use it)
Examples of XSS that I can use to test my page input?
How to temporarily disable XSS protection in modern browsers for testing?
Is it possible to XSS exploit JSON responses with proper JavaScript string escaping?
What is the difference between "window.location.href" and "window.location.hash"?
Is jQuery .text() method XSS safe?
What exactly can an IFrame do with the top.Location object (cross-domain)?