Is it secure to use window.location.href directly without validation
window.location.href taking time
window.location.replace not working
window location host
wkwebview window location href
Is it secure to use window.location.href without any validation?
<script> var value = window.location.href; alert(value); </script>
From the above example, is it vulnerable to Cross-site scripting (XSS) attack? If it is, then how? How the attacker can modify the value of window.location.href to the malicious content?
Edit (Second Situation)
This is the url : www.example.com?url=www.attack.com
Just assume taht I have a getQueryString() function that will return value without validation.
<script> var value = getQueryString('url'); window.location.href = value; </script>
Same question, is it vulnerable to Cross-site scripting (XSS) attack? If it is, then how? How can an attacker just make use of "window.location.href = value" to perform XSS?
location.href can be understood to include two things:
- Using the value of
location.hrefby passing it around in your code, manipulating it and using it to guide the logic in your code.
- Assigning someting to
location.href, causing the browser to navigate to different URLs.
The first one, using the value, can be considered safe. The value of
location.href is nothing more than a string. Of course it's part of user input, so you don't want to pass it to an
eval statement, but that's true for all other forms of user input as well. In fact, the value of
location.href is always a valid URL, so certain assumptions can be made of its content. In that sense you could argue it's more safe than most forms of user input. As long as you don't make any wrong assumptions.
The second one is something you should be careful with. Assigning unvalidated values to it can lead to open redirects that can be used for phishing and what's more, XSS issues arising from the use of
Edit: As requested, here's a more in-depth explanation of the problems with assiging to
Say you have an attacker controlled variable
foo. The source of it can be anything really, but a query string parameter is a good example. When you assign the value of
location.href, what happens? Well, the browser does its best to interpret the value as a URI and then redirects the user to the resulting address. In most cases, this will trigger a page load; e.g. if
"https://www.google.com/", Google's front page will be loaded. Allowing that to happen without user interaction is known as an open redirect and is considered a security vulnerability!
There are, however, types of URIs that won't trigger a page load. A common example of such a URI would be one that contains nothing but a fragment identifier, e.g.
#quux. Assigning that to
location.href would cause the page to scroll to the element with the ID "quux" and do nothing else. Fragment URIs are safe as long as you don't do anything stupid with the values of the fragments themselves.
Then to the interesting part:
foo: all an attacker has to do to launch an attack against your users is inject a script URI into the variable. When you assign it to
location.href, it's basically the same as calling
eval on the script.
Finally, there's one more interesting URI scheme to consider: the data URI. Data URIs are file literals: entire files encoded as URIs. They can be used to encode any files, including HTML documents. And those documents, like any others, can contain scripts.
Most browsers treat each data URI as its own unique origin. That means the scripts in an HTML document wrapped in a data URI can not access any data on other pages. Except in Firefox.
Firefox treats data URIs a bit differently from all other browsers. In it, data URIs inherit the origin of whatever document is opening it. That means any scripts can access the data contained in the referring document. And that's XSS for you.
A XSS is not possible under #1
The worst case I can think of is someone using that for Social Engineering (lets say your domain is really popular like Ebay or Amazon), what an attacker could do is craft a message saying something like "Amazon/Ebay free stuff for you, just go to http://haxor.site" using the URL and sending it to someone.
But still I don't find it dangerous, because of the URL encoding the message would look pretty messy.
EDIT: This only answer #1, since when I answered this question there wasn't a "#2"
Barebones Security, We like using templates to avoid shared code, so we use However, we have a problem. window.location.href contains whatever is in the browser's editable by the user directly and via a link in an email, Facebook message, etc. growth where there are no budgets, let alone one for Information Security. But how about if I have to do a post submission, then if the data is valid, I would like to perform a redirect using window.location.href Can somebody explain to me how this can be done? Thanks! Thanks!
var value = getQueryString('url'); window.location.href = encodeURI(value);
I think this is the easiest way
How to make workaround for window.location.href?, location.href? Given a URL, the task is to use the current address of the page and to perform an operation using this address. 15 Is it secure to use window.location.href directly without validation 9 How to Call Static Function In Symfony2 Twig Template 5 Symfony: Service Container VS Static Method
Closure: The Definitive Guide: Google Tools to Add Power to Your , One example of the successful use of JSONP to access private data is in the Facebook API, the JSONP request, as the server will have no chance to validate it before passing it on to the user. because adding a foreign <script> tag to your page can introduce a serious security vulnerability. Uri(window.location.href)). Window Location. The window.location object can be written without the window prefix.. Some examples: window.location.href returns the href (URL) of the current page; window.location.hostname returns the domain name of the web host
Secure and Resilient Software Development, The fragment part of the location/URL object, in which case the server does not object can be retrieved via ExternalInterface.call(“window.document.location.href. Use the strongest input validation approach you can (ideally, “exact 112 Simple Security Tip: window.location = window.location.pathname can cause Open-Redirect issue! I found this issue in a website and I thought it would be nice to share the info. If you search “window.location = window.location.pathname” in Google, you will see some people are using this method for redirection purposes.
window.location.hrefis a string. Strings are harmless until you do something potentially harmful with them (
innerHTMLmaybe, ... or
- The attacker able to modify the value of window.location.href or not? Cause if they able to do so I think this is dangerous. For example, if they can change the content of window.location.href, they might change it to ")alert("Inject successful!")//"
- And what do you think that'll achieve? Have you tried it?
- I don't know, I just wonder if they able to change the value of window.location.href or not.
- Then you would have a problem, because someone could pass
- I am interested in your second explanation in term of XSS. Could you please explain more and give some example on how XSS attack can perform based on this situation? For example, <script> var value = getQueryString('url'); window.location.href = value; </script> Just assume that I have a function getQueryString() that will return value without validation. Just "window.location.href = value" will cause XSS?
- Edited the answer with some more details.
- Thank you, your explanation is clear and helpful. Very much appreciated.
- Consider checking security.stackexchange.com/questions/95362/… there are 2 examples of valid XSS attacks with javacscript:alert('xss')