
Consider the following code:

function redirect() {
    window.location = "../../index.aspx?<%=Request.QueryString%>";
}

Is this code safe or can it be exploited by an XSS attack?

If so:

  1. How?
  2. How to prevent it?
  • Definitely exploitable. You need to do some encoding to prevent JavaScript from being injected via the query string. Commented Mar 12, 2013 at 11:07
  • How would this be exploitable? The ' is encoded right? Commented Mar 12, 2013 at 11:08
  • If the user takes his browser somewhere else, would that count as XSS? I don't think so. Sure this allows me to play javascript tricks, but other users should be safe. Commented Mar 12, 2013 at 11:10
  • Think of this as a querystring: xx"; $.runBadJavascript(); window.location = "whatever Commented Mar 12, 2013 at 11:12
  • @nunespascal you seem to be making a common mistake: thinking no one would send someone else a malicious link. That's the basis of many XSS attacks. Commented Mar 12, 2013 at 11:14

1 Answer


Consider this as a querystring:

Xx"; alert('pwned'); window.location ="whatever

Basically, you are allowing completely arbitrary JavaScript to be injected.

Best solution: never take direct user input and use it this way.

Second best solution: encode it for use in a JavaScript string before using it there. A simple " breaks out here.

Also, do not mistakenly do HTML encoding for this. That won't work right and will still be vulnerable.


3 Comments

  • Umm... Request.QueryString returns the raw, unencoded string. It is not encoded.
  • @kees but it is not the ; that is your problem here; it's the "
  • @kees and the WebForms engine (aspx, etc) is not encoding with <%= either.
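
The breakout the answer describes, and the "encode it for use in a JavaScript string" fix it recommends, as an added example that is not part of the question or the answer. It is written in JavaScript so the generated line can be inspected without running it: buildRedirectScriptNaive reproduces the page's `"...?<%=Request.QueryString%>"` pattern, buildRedirectScriptSafe applies a string-literal encoder first, and a small scanner reports what ends up inside the first string literal and what code is left over after its closing quote. The function names, encodeForJsString and the scanner are assumptions for illustration; PAYLOAD is the answer's query string used as constructed input.

```javascript
// Added example (not code from the question or the answer). Builds the
// redirect line the way the page does, then the hardened way, and inspects
// the result with a scanner instead of executing it.

// Naive builder: the query string is pasted between the two double quotes,
// exactly like "../../index.aspx?<%=Request.QueryString%>".
function buildRedirectScriptNaive(queryString) {
  return 'window.location = "../../index.aspx?' + queryString + '";';
}

// Escape a value so it can only ever be the contents of a JS string literal.
// Covers the quote that breaks out here, the backslash, line terminators
// (U+2028/U+2029 are line terminators in JavaScript), control characters,
// and '<' / '>' so a "</script>" inside the value cannot end the script block.
function encodeForJsString(value) {
  return String(value).replace(/[\\"'<>\u2028\u2029\n\r\t\0]/g, function (ch) {
    var code = ch.charCodeAt(0);
    return '\\u' + ('0000' + code.toString(16)).slice(-4); // always \uXXXX
  });
}

// Hardened builder: same template, value encoded before it goes inside the quotes.
function buildRedirectScriptSafe(queryString) {
  return 'window.location = "../../index.aspx?' + encodeForJsString(queryString) + '";';
}

// Scan a generated line and return { literal, trailing }: literal is the
// decoded contents of the first double-quoted string, trailing is whatever
// source code follows its closing quote. Nothing is executed. Only the
// \uXXXX escapes that encodeForJsString emits are decoded.
function splitFirstStringLiteral(script) {
  var i = script.indexOf('"') + 1;
  var out = '';
  while (i < script.length) {
    var ch = script[i];
    if (ch === '\\' && script[i + 1] === 'u') {
      out += String.fromCharCode(parseInt(script.slice(i + 2, i + 6), 16));
      i += 6;
      continue;
    }
    if (ch === '"') {
      return { literal: out, trailing: script.slice(i + 1) };
    }
    out += ch;
    i++;
  }
  return { literal: out, trailing: null }; // unterminated literal
}

// The query string from the answer, used here as constructed test input.
var PAYLOAD = 'Xx"; alert(\'pwned\'); window.location ="whatever';

function compare(queryString) {
  var naive = splitFirstStringLiteral(buildRedirectScriptNaive(queryString));
  var safe = splitFirstStringLiteral(buildRedirectScriptSafe(queryString));
  return {
    // naive: the first literal ends at the injected quote and the rest of
    // the query string is left behind as further statements
    naiveLiteral: naive.literal,
    naiveTrailing: naive.trailing,
    // safe: the whole query string stays inside one literal, only ';' follows
    safeTrailing: safe.trailing,
    safeRoundTrip: safe.literal === '../../index.aspx?' + queryString
  };
}

console.log(compare(PAYLOAD));
```

The ASP.NET equivalent of encodeForJsString is HttpUtility.JavaScriptStringEncode (System.Web, .NET 4 and later), i.e. `<%= HttpUtility.JavaScriptStringEncode(Request.QueryString.ToString()) %>`. HTML encoding targets the wrong parser: the browser does not decode entities inside a script block, so the value arrives mangled, and characters that matter to JavaScript (backslash, line terminators) are not touched at all.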
