Duplicate of:
This is a security question.
What should I look for in URL that prevents hacking?
Is there a way to execute javascript by passing it inside a URL?
As you can see I'm pretty new to this concept.
Any good posts on this stuff?
JavaScript injection is not at attack on your web application. JavaScript injection simply adds JavaScript code for the browser to execute. The only way JavaScript could harm your web application is if you have a blog posting or some other area in which user input is stored. This could be a problem because an attacker could inject their code and leave it there for other users to execute. This attack is known as Cross-Site Scripting. The worst scenario would be Cross-Site Forgery, which allows attackers to inject a statement that will steal a user's cookie and therefore give the attacker their session ID.
Javascript can be executed against the current page just by putting it in the URL address, e.g.
javascript:;alert(window.document.body.innerHTML);
javascript:;alert(window.document.body.childNodes[0].innerHTML);
It depends on your application and its use as to the level of security you need.
In terms of security, you should be validating all values you get from the querystring or post parameters, to ensure they're valid.
You may also wish to add logging for others, including analysis of weblogs so you can determine if an attempt to hack your system is occuring.
I don't believe it's possible to inject javascript into a URL and have this run, unless your application is using parameters without validating them first.
old question that I stumbled into that I believe deserves an update... You can infact execute javascript from the URL, and you can get creative about it too. I recently made a members only area that I wanted to remind someone what their password was, so I was looking for a non-local alert...of course you can embed an alert into the page itself, but then its public. the difference here is I can create a link and slip some JS into the href so clicking on the link will generate the alert.
here is what I mean >>
<a href="javascript:alert('the secret is to ask.');window.location.replace('http://google.com');">You can have anything</a>
and so upon clicking the link, the user is given an alert with the info, then they are taken to the new page.
obviously you could also write an onClick, but the href works just fine when you slip it through the URL, just remember to prepend it with "javascript:"
*works in chrome, didnt check anything else.
If the link has javascript:, then it will run javascript, otherwise, I agree with everyone else here, there's no way to do it.
SO is smart enough to filter this out!
The key to this is examining any information you recieve and then display and/or use in code on the server. Get/Post form variables if they contain javascript that you store and later redisplay is a security risk. As are any thing that gets concatenated unexamined into a sql statement you run.
One potential gotcha to watch for are attacks that mess with the character encoding. For instance if I submit a form with utf-8 character set but you store and later display in iso-8859-1 latin with no translation then I might be able to sneak something past your validator. The easiest way to handle this is to always display and store in the same character set. utf-8 is usually a good choice. Never depend on the browser to do the right thing for you in this case. Set explicit character sets and examine the character sets you recieve and do a translation to the expected storage set before you validate it.
I believe the right answer is "it depends".
As others have pointed out, if the web application that is processing your request is naively receiving and echoing back the received payload or URL parameters (for GET requests) then it might be subject to code injection.
However, if the web application sanitizes and/or filters payload/parameters, it shouldn't be a problem.
It also depends on the user agent (e.g. browser), a customized user agent might inject code without user notice if it detects any in the request (don't know of any public one, but that is also possible).
Javascript in URL will not be executed, on its own. That by no way means its safe or to be trusted.
A URL is another user input not to be trusted, GET or POST (or any other method for that matter) can cause allot of severe vulnerabilities.
A common example was/is the use of the PHP_SELF, REQUEST_URI, SCRIPT_NAME and similar variables. Developers would mistakenly echo them directly to the browser which led to the script being injected into the page and executed.
I would suggest you start to do allot of reading, these are some good places to start:
Also google around for XSS (cross site scripting), XSRF (Cross Site Request Forgery), and SQL Injection. That will get you started, but it is allot of information to absorb so take your time. It will be worth it in the long run.
Source: Stackoverflow.com