7 votes

I have been going through so many forums & Wikipedia pages for the past few days trying to understand XSS attacks. I have spent almost 2-3 days but still don't have a good idea, as experts are suggesting multiple solutions, & I want to know how hackers can inject malicious code into a victim's browser. My application has been run through an App Scanner standard testing tool, so it caught so many XSS issues. I want to put here one of the XSS issues of my application, so can someone please help me out to understand what exactly I have to do for this issue? I am still trying a lot to get a better understanding of XSS issues. This is my code snippet:

// Reads a raw, un-decoded value out of window.location.search.
// Note: indexOf(param) also matches a longer parameter name that merely contains param.
function getParameter(param) {
        var val = "";
        var qs = window.location.search;
        var start = qs.indexOf(param);
        if (start != -1) {
                start += param.length + 1;
                var end = qs.indexOf("&", start);
                if (end == -1) {
                        end = qs.length;
                }
                val = qs.substring(start, end);
        }
        return val;
}

// year, month, thisDay and contextstr are defined elsewhere in the application (not shown here).
var formName = getParameter("formName");
// The untrusted formName is concatenated straight into a javascript: URL and then written with innerHTML.
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';
document.getElementById('calendarA').innerHTML = myValue;

And these statements are

var qs = window.location.search;
val = qs.substring(start,end);
var formName = getParameter("formName");
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';
document.getElementById('calendarA').innerHTML = myValue;

were caught by the App Scanner testing tool as possible code for XSS (Cross Site Scripting) issues, but I am not sure how it causes XSS & how I can fix this issue now. Can anybody please provide insights on how this vulnerability can be fixed?

3
How do you use the formName variable? – Qwertiy
Hi Qwertiy, I am new to this application, just joined a few days back & directly working on XSS issues. As a developer I can say it is a queryString param name & we pass this param to the getParameter() function & try to fetch the value of that param using window.location.search. – Venkaiah Yepuri
How do you use the value after fetching it? – Qwertiy
I think you could add your snippet on how you use the variable formName in your program. – Tom Taylor
Sure Qwertiy, Rajasuba – Venkaiah Yepuri

3 Answers

3 votes
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';

This line doesn't have any escaping; it expects '(... \''+formName+'\' );...' to be a string. But it can become something else:

formName = "'); alert('I\'m free to do anything here'); (''+"
document.getElementById('calendarA').innerHTML = myValue;

Let's place such a fragment into myValue:

... <img src=void onerror="alert('hacked')" /> ...

You can check that it works:

document.querySelector('button').addEventListener('click', function () {
  document.querySelector('output').innerHTML = document.querySelector('textarea').value;
});
<textarea>... <img src=void onerror="alert('hacked')" /> ...</textarea>
<button>Go</button>
<output></output>

You should never trust any data passed in the URL string. Any site can place any link to your site. Some user clicks it, goes to your site, the parameters are executed in the context of your site, and the attacker can do anything he wants to.

1 vote

Nothing in the code you've shown us is vulnerable.

You are reading user input, so there is the potential to introduce a vulnerability there. That is probably what the tool you are using is detecting.

If your code is vulnerable, then it will be because of whatever you do with the value of formName next (in the code you haven't shown us).

1 vote

This is a possible DOM based XSS issue.

If you are using the value of formName like document.getElementById("demo").innerHTML=formName, or somehow your DOM elements are being created/modified using the formName, you are vulnerable, as I can create a custom URL like http://urwebsite.html?formName=<script>document.cookie_will_be_transfered_to_my_server_here</script> and ask a logged-in person to click it (simple social engineering). Now I have that person's session id, using which I can do whatever I want.

As a resolution, all the input data from the user has to be HTML encoded.
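To make the fix concrete for the snippet in the question and the advice in the first and third answers, here is a hardened rewrite. It is an added example written for this page, not code from the question or from any of the answers. It assumes the page's own names (`getParameter`, `formName`, `calendarA`, `parent.opener.assignDateIps`); the allowlist pattern `FORM_NAME_RE`, the helpers `sanitizeFormName`, `escapeHtml`, `buildCellUnsafe`, `buildCellSafe` and `renderCell`, and the sample values passed to them are my own choices. The string-building functions run under Node; the DOM part only runs when a `document` exists.

```javascript
// Added example: hardened replacement for the getParameter()/innerHTML pattern
// from the question. Helper names and the allowlist pattern are assumptions.

// 1. Parse the query string with URLSearchParams (standard in browsers and Node).
//    The original getParameter() used indexOf(param), which also matches a
//    longer name such as "xformName" and never URL-decodes the value.
function getParameter(param, search) {
  const qs = search !== undefined
    ? search
    : (typeof window !== 'undefined' ? window.location.search : '');
  const value = new URLSearchParams(qs).get(param);
  return value === null ? '' : value;
}

// 2. Allowlist the value: a form name is an identifier, so anything else is
//    rejected outright. The pattern is an assumption for this example.
const FORM_NAME_RE = /^[A-Za-z0-9_-]{1,64}$/;
function sanitizeFormName(raw) {
  return FORM_NAME_RE.test(raw) ? raw : '';
}

// 3. HTML-encode for the cases where a markup string really is unavoidable.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// The question's construction, reduced to its essence and kept only for
// comparison: untrusted text lands inside a javascript: URL unescaped.
function buildCellUnsafe(thisDay, formName) {
  return '<a href="javascript:pick(\'' + formName + '\')">' + thisDay + '</a>';
}

// Safe string construction: no javascript: URL, every interpolated value
// encoded, and the form name carried as data rather than as code.
function buildCellSafe(thisDay, formName) {
  return '<a href="#" class="modulelink" data-day="' + escapeHtml(thisDay) +
         '" data-form="' + escapeHtml(sanitizeFormName(formName)) + '">' +
         escapeHtml(thisDay) + '</a>';
}

// Preferred: build the element with DOM APIs and attach a real event
// listener, so there is no HTML string to inject into at all (browser only).
function renderCell(container, year, month, thisDay, contextstr, formName) {
  const a = document.createElement('a');
  a.href = '#';
  a.className = 'modulelink';
  a.textContent = String(thisDay);          // textContent never parses markup
  const safeName = sanitizeFormName(formName);
  a.addEventListener('click', function (ev) {
    ev.preventDefault();
    // assignDateIps is the application's own callback named in the question.
    parent.opener.assignDateIps(new Date(year, month, thisDay), contextstr, safeName);
    window.close();
  });
  container.textContent = '';               // replaces the innerHTML assignment
  container.appendChild(a);
  return a;
}

// Browser entry point (skipped under Node). Date values are sample input.
if (typeof document !== 'undefined') {
  renderCell(document.getElementById('calendarA'), 2024, 0, 15, 'ctx',
             getParameter('formName'));
}
```

Using `textContent` and `addEventListener` removes both sinks the scanner flagged: nothing from the URL is ever parsed as HTML or as JavaScript. The allowlist is the second layer; if a legitimate form name can contain other characters, widen the pattern rather than dropping the check.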