XSS with javascript:alert()

Related searches

I'm working on some Reflected Cross-site scripting (XSS) vulnerabilities on our site (php, html,...) AppSpider is reporting one I cannot resolve.

Location: javascript:alert(10829224)

Usually AppSpider lists the url with the js in it. This time it does not. It just lists the querystring: url=javascript:alert(12345)

When I try to test by adding this to the url of the page listed, I get nothing: /path/to/page.html?url=javascript:alert(12345) If I add script tags: /path/to/page.html?url=<script>javascript:alert(12345)</script> I get the alert popup.

Question 1- does javascript:alert() without script tags work? viable js?

Question 2- How can I escape or prevent this type of attack?

We have code to filter out bad unicode chars (thanks: http://stackoverflow.com/questions/3466035/how-to-skip-invalid-characters-in-xml-file-using-php). It works great on nullifying the <script></script> tags, but apparently it does not help in this case.

Thanks for any tips or tricks

It turns out that the page I'm working on is expecting a relative path to a file in the $_REQUEST['url'] var. So, I was able to take a different approach then trying to parse out or replace javascript. I used php's parse_url() function. Cheap hack, but it works for this one-off page/case.

if (isset($_REQUEST['url']) && valid_script_name_passed_in($_REQUEST['url']) ) {

function valid_script_name_passed_in($request_value){
    $parts = parse_url($request_value);
    if( is_array($parts) ){
        if( isset($parts['scheme']) || isset($parts['host'] ){
            return false;
    return true;

XSS with javascript:alert(), Question 1- does javascript:alert() without script tags work? viable js? Question 2- How can I escape or prevent this type of attack? We have code� <script>alert(‘XSS’)</script> Then after clicking on the “Search”button, the entered script will be executed. As we see in the Example,the script typed into the search field gets executed. This just shows the vulnerability of the XSS attack.

using "javascript:" in a URL tag will execute the javascript following the colon when the link is clicked.

Can't tell you with certainty without the details, but it seems like the warning is that the "URL=" is vulnerable to user modification, which would allow a user to change the url="javascript:[malicious code goes here]" to inject malicious code.

You used to see this problem a lot on sites where someone could post a URL to their homepage, and without being checked, could just include a javascript instead.

You can't escape it, it needs to be sanitized server-side to prevent a user from being allow to insert javascript code.

Cross Site Scripting (XSS) Attack Tutorial with Examples, Types , Many testers mix up Cross Site Scripting attack with Javascript http://testing. com/book.html?default=<script>alert(document.cookie)</script>. Unfortunately, XSS vulnerabilities can result in much more than alerts on a page (a pop-up alert is just a convenient way for an attacker or researcher to detect the presence of an XSS bug).

Question 1- does javascript:alert() without script tags work?

On your website querystring is sometimes rendered on a page. If it's rendered in html - then tags needed. If it's rendered inside javascript code - then it might work without tags.

Question 2- How can I escape or prevent this type of attack?

General solution is to escape user's input when printing it on a page. In PHP best function for that is htmlspecialchars. It will replace all special characters with html entities. For example,it will replace & to &amp .This way text will look unchanged, but XSS injection will be prevented.

In your case I guess you expect a valid URL in ?url=xxx query parameter. Then escaping will not work, as escaping will destroy URL. In this case you might want to validate if provided string is a valid URL. Here discussed few options for URL validation.

XSS 101, Cross-site scripting (XSS) is both the name of the most common vulnerability in web applications and the h1>. Triggering the classic javascript alert box. I did with modern versions of IE, FF and Chrome. Don't have any older browsers so that's why I was asking. – Matthew Dec 1 '09 at 23:32

Cross-site scripting: How to go beyond the alert, For those who are unfamiliar with XSS, it is a specific form of code injection where user input, in the form of JavaScript, is interpreted and executed by a web � <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <STYLE type="text/css">BODY{background:url("<javascript:alert>('XSS')")}</STYLE> Anonymous HTML with STYLE attribute IE6.0 and Netscape 8.1+ in IE rendering engine mode don’t really care if the HTML tag you build exists or not, as long as it starts with an open

XSS Game Writeup. Description : Cross-site scripting…, Description : Cross-site scripting (XSS) bugs are one of the most Level 1 inject a script to pop up a JavaScript alert() in the frame below. Definition and Usage The alert () method displays an alert box with a specified message and an OK button. An alert box is often used if you want to make sure information comes through to the user. Note: The alert box takes the focus away from the current window, and forces the browser to read the message.

XSS-Payload-List or Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.

  • Use regex to properly filter your URL: Replace(url, @"[^-A-Za-z0-9+&@#/%?=~_|!:,.;()]", ""); and run that on all input you receive. NEVER trust input.
  • Possible duplicate of How does XSS work?
  • It's safer to just have a whitelist of valid values, and use exact string matching against that whitelist.