In my JavaScript application, we have multiple places where we have used window.location.href="any string";. Now I want to write JS code in only one place (probably using window.location.prototype) to override assignments to href, so that I can append a parameter to all instances.
I want to append a parameter (e.g. "?abc=1234") to all urls which are assigned to window.location.href.
I want to write code that means when e.g.
window.location.href = "abc.html";
is written, it should actually result in the href being set to abc.html?abc=1234.
window.location.href = window.location.href + "?abc=1234"
I just test this in WebKit DevTools/
You can't actually do this.
It's more of the JavaScript engine which runs the page. All records in most browsers which are stored of your browsing is the history. Hardly anything else. So basically to the browser, there is no difference between a meta redirect, a header redirect and a javascript redirect.
Unless I'm wrong.
Related
SCENARIO:
A web page shows an error login page using these javascript lines
<script>
let queryParams = new URLSearchParams(window.location.search);
document.getElementById("message").innerText = queryParams.get("message");
let link = document.getElementById("link");
link.innerText = queryParams.get("linkText");
link.href = queryParams.get("linkUrl");
</script>
The last javascript line allows me to hide javascript inside a link in the web page crafting an url like the following.
https://vulnerablewebsite.com/folder/custom.html?message=not+correct?&linkUrl=javascript:alert(1)&linkText=click+here+to+shine
1) the user click the shortened version of this link
2) the user click "click here to shine"
3) the alert opens
I was inspired by this article on portswigger
https://portswigger.net/web-security/cross-site-scripting/dom-based
in particular from this example
If a JavaScript library such as jQuery is being used, look out for
sinks that can alter DOM elements on the page. For instance, the
attr() function in jQuery can change attributes on DOM elements. If
data is read from a user-controlled source like the URL and then
passed to the attr() function, then it may be possible to manipulate
the value sent to cause XSS. For example, here we have some JavaScript
that changes an anchor element's href attribute using data from the
URL:
$(function(){ $('#backLink').attr("href",(new
URLSearchParams(window.location.search)).get('returnUrl')); });
You can exploit this by modifying the URL so that the location.search
source contains a malicious JavaScript URL. After the page's
JavaScript applies this malicious URL to the back link's href,
clicking on the back link will execute it:
?returnUrl=javascript:alert(document.domain)
QUESTION:
to me they look the same kind of attack but someone told me it is a self-XSS. Anyway I read that self-XSS expects the user to self-paste javascript code in his console. So I'm confused and I'd like to know which type it is. Also, can be considered a vulnerability of medium/high severity or not?
Naming doesn't matter much, but
It is definitely a vulnerability, according to CVSSv3 it would likely be a medium, but you can calculate yourself for this specific case.
It is not self xss, you yourself showed a way via a link that if sent to a victim by an attacker would make the page vulnerable.
It is definitely dom xss as it is entirely in javascript, no server roundtrip is necessary.
I am on my way to some web development at the moment. There I have a set of views (different versions of the site the user will be able to see). Many of those allow some interaction that is JS/Ajax based. This is just the context of this question:
Where can I put the request URLs of the various ajax requests?
I know this seems a little stupid this question thus let me explain a bit. I assume jQuery but this question is basically not strictly related to it. I will try to give very minimalistic snippets to see the idea, these are of course not 1:1 correct/finished/good.
Typically such a site has not only one single type of request but a whole bunch of these. Think of a site where the user sees his personal data like name, mail, address, phone etc. On clicking on one such entry, a minimal form should be displayed to allow modification of the entry. Of course you need minor changes in the replacements (e.g. distinguish between change name and change phone).
First approach was to write ajax code for each and every possible entry separately in a JS file. I mean that each entry gets its own html id and I just replace the content of the element with the named id with the new content. I write code for each id explicitly in JS causing quite some redundancy in code (although a well designed set of functions will help here):
$("#name").click(function(){ /* replace #name, hardcode url */});
$("#phone").click(function(){ /* replace #phone, hardcode url */});
One other way was to put some <a> tag with the href set to the url of the AJAX request. Then the developer can define some classes that need to follow a defined and fixed scheme. The JS code gets smaller in size as only a single event must be registered and I need to follow the convention throughout the site.
<div class='foo'>... <a href="ajax.php?first" class="ajax"></div>
<div class='foo'>... <a href="ajax.php?second" class="ajax"></div>
and the simplified JS:
$(".foo a.ajax").click(function(ev){ /* do something and use source of ev to fetch the url */ });
This second method could be done even worse if you did put the url in any html tag and hide it from the user (scary).
Ideally one should write the page such, that all interaction that is AJAX-enabled should be doable with JS disabled as well. Thus I think the way of putting the urls in <a> tags is not good. However I think hardcoding them is also not ideal.
So did I miss a useful/typical part of how one can do this? is there even some consesus where such data can be located best?
If your website is big enough, you should seperate your urls based on modules such as banking, finance, user etc. But if you do not have that much urls, you can store all of them in a single javascript file.
You should store BASE url in a single javascript file with all of should import it(in case of your domain changes or development to production mode).
//base_url.js
var BASE_URL_PROD = "www......com"; // production server url
var BASE_URL_DEV = "localhost:3000"; // local server url
var BASE_URL = BASE_URL_DEV; // change this if you are on dev or prod mode.
// urls.js
var FETCH_USER = BASE_URL + "/user/fetch";
var SAVE_USER = BASE_URL + "/user/save";
// in some javascript class
$("#clickMe").ajax({url: FETCH_USER} ...);
The question here is: do you want to offer a way to access the information, if javascript is turned off or not loaded yet?
You already answered yourself: If javascript is disabled or not loaded yet, the user will directly go to the given url.
If you want to offer a none-javascript way, change your controller and check for ajax request or just use the javascript way, like Abdullah described already.
I'm using a WebView to scrape an unholy mess of a website with a bizarre mix of HTTP and Javascript redirects. In my injected script, I need to get the current URL, but it seems like none of the relevant properties ever return anything other than the URL I passed to WebView.loadUrl, even after a redirect.
I've tried:
window.location
window.location.href
document.URL
document.location
document.location.href
document.documentURI
So what's going on here and how am I supposed to get the current page's URL with Javascript?
I was injecting my script in the WebViewClient.onPageStarted method to try and make it execute as soon as possible, but it appears that the window context isn't completely set up at that point. When I moved my injection code to WebViewClient.onPageFinished, it started retrieving an accurate URL from the properties I listed. It's not really an ideal solution, since my script now has to wait for the entire page to load, but I don't know of any other way to do it.
Just explaining my question in short.
I have asp.net website with root structure as following
root Directory->
Admin
abc.aspx
xyz.aspx
index.aspx
Now I want to redirect from abc.aspx to index.aspx.
I'm using JavaScript as
window.location = "../index.aspx";
but found no any luck.
This is a very odd trick. But it works.
Have a hidden field in the page. This needn't be a server control. (Or if you want, you can even do without one.). For brevity sake I am assuming you've used a server HiddenField control, called hfNavUrl. Do something like this.
hfNavUrl.Value = Me.ResolveUrl("~/index.aspx")
Once this renders you get the full url. Find the hidden field value in javascript and work your javascript code:
window.location.href = document.getElementByValue('hfNavUrl').value;
Update: Doing it w/o using controls
There are two ways about this. However, you'd have to embed the code in your page markup file (i.e. the *.aspx file). The javascript way is something like holding the url into a variable.
var url = '<%= Me.ResolveUrl("~/index.aspx") %>';
You can now make use of the value inside of this variable at a later point of time.
Alternatively, you can simply have a <a> element with its href set directly:
Home
Ps: Me.whatever is the vb.net way of doing things. Replace it with this if you are working with c#
Try using "window.location.replace('/index.aspx')"
You issue will be resolved by one of the below solutions from java script by providing the type of application.
If Application created as Website
windows.location='/index.aspx';
and
If Application created as Virtual directory
windows.location='/[Virtual Directory Name of Root Folder]/index.aspx';
I have an URL which links to a HTML docment, and i want to get objects of the document without load the URL in my browser. for instance, i have an URL named:
http://www.example.com/,
how can i get one object (i.e., by getElementsbyTagName) of this document?
You can't. You can omit, at best, extraneous files being linked to from within the document like javascript or css, but you can't just grab one part of the document.
Once you have the document, you can grab out of it a section, but you can't just grab a section without getting the whole thing first.
It's the equivalent of saying that you want the 2nd paragraph of an essay. Without the essay, you don't know what the 2nd paragraph is, where it starts or ends.
Is this document in the same domain, or a different domain as the security domain your javascript is running in.
If it's in the same domain, you have a couple options to explore.
You could load the page using an XMLHttpRequest, or JQuery.get, and parse the data you're looking for out of the HTML with an ugly regular expression.
Or, if you're feeling really clever, you can load the target document into a jsdom object, jQuerify it, and then use the resulting jquery object to access the date you're looking for with a simple selector.
If the url is on the same domain you can use .load() for example:
$("some_element").load("url element_to_get")
See my example - http://jsfiddle.net/ajthomascouk/4BtLv/
On this example it gets the H1 from this page - http://jsfiddle.net/ajthomascouk/xJdFe
Its hard to show using jsfiddle, but I hope you get the gist of it?
Read more about .load() here - http://api.jquery.com/load/
Using Ajax calls, I guess.
This is long to explain if you have never used XHR, so here's a link: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Using_XMLHttpRequest
Another option is to construct an iframe using
var iframe = document.create('iframe');
iframe.src = 'http://...';