Ways to insert javascript into URL

Question

Duplicate of      What common web exploits should I know about    This is a security question    What should I look for in URL that prevents hacking   Is there a way to execute javascript by passing it inside a URL    As you can see I m pretty new to this concept    Any good posts on this stuff

User · Answer

The key to this is examining any information you recieve and then display and/or use in code on the server. Get/Post form variables if they contain javascript that you store and later redisplay is a security risk. As are any thing that gets concatenated unexamined into a sql statement you run.

One potential gotcha to watch for are attacks that mess with the character encoding. For instance if I submit a form with utf-8 character set but you store and later display in iso-8859-1 latin with no translation then I might be able to sneak something past your validator. The easiest way to handle this is to always display and store in the same character set. utf-8 is usually a good choice. Never depend on the browser to do the right thing for you in this case. Set explicit character sets and examine the character sets you recieve and do a translation to the expected storage set before you validate it.

User · Answer

Javascript in URL will not be executed  on its own  That by no way means its safe or to be trusted    A URL is another user input not to be trusted  GET or POST  or any other method for that matter  can cause allot of severe vulnerabilities    A common example was is the use of the PHP SELF  REQUEST URI  SCRIPT NAME and similar variables  Developers would mistakenly echo them directly to the browser which led to the script being injected into the page and executed     I would suggest you start to do allot of reading  these are some good places to start   OWASP  XSS Cheat Sheet  XSS Prevention Cheat Sheet  Also google around for XSS  cross site scripting   XSRF  Cross Site Request Forgery   and SQL Injection  That will get you started  but it is allot of information to absorb so take your time  It will be worth it in the long run

User · Answer

old question that I stumbled into that I believe deserves an update    You can infact execute javascript from the URL  and you can get creative about it too  I recently made a members only area that I wanted to remind someone what their password was  so I was looking for a non-local alert   of course you can embed an alert into the page itself  but then its public  the difference here is I can create a link and slip some JS into the href so clicking on the link will generate the alert   here is what I mean      lt a href  javascript alert  the secret is to ask    window location replace  http   google com     gt You can have anything lt  a gt    and so upon clicking the link  the user is given an alert with the info  then they are taken to the new page   obviously you could also write an onClick  but the href works just fine when you slip it through the URL  just remember to prepend it with  javascript     works in chrome  didnt check anything else

User · Answer

JavaScript injection is not at attack on your web application   JavaScript injection simply adds JavaScript code for the browser to execute   The only way JavaScript could harm your web application is if you have a blog posting or some other area in which user input is stored   This could be a problem because an attacker could inject their code and leave it there for other users to execute   This attack is known as Cross-Site Scripting   The worst scenario would be Cross-Site Forgery  which allows attackers to inject a statement that will steal a user s cookie and therefore give the attacker their session ID

User · Answer

It depends on your application and its use as to the level of security you need   In terms of security  you should be validating all values you get from the querystring or post parameters  to ensure they re valid   You may also wish to add logging for others  including analysis of weblogs so you can determine if an attempt to hack your system is occuring   I don t believe it s possible to inject javascript into a URL and have this run  unless your application is using parameters without validating them first

User · Answer

If the link has javascript   then it will run javascript  otherwise  I agree with everyone else here  there s no way to do it   SO is smart enough to filter this out

User · Answer

I don t believe you can hack via the URL  Someone could try to inject code into your application if you are passing parameters  either GET or POST  into your app so your avoidance is going to be very similar to what you d do for a local application   Make sure you aren t adding parameters to SQL or other script executions that were passed into the code from the browser without making sure the strings don t contain any script language  Search the next for details about injection attacks for the development platform you are working with  that should yield lots of good advice and examples

User · Answer

Javascript can be executed against the current page just by putting it in the URL address  e g   javascript  alert window document body innerHTML   javascript  alert window document body childNodes 0  innerHTML

User · Answer

I believe the right answer is  it depends     As others have pointed out  if the web application that is processing your request is naively receiving and echoing back the received payload or URL parameters  for GET requests  then it might be subject to code injection   However  if the web application sanitizes and or filters payload parameters  it shouldn t be a problem   It also depends on the user agent  e g  browser   a customized user agent might inject code without user notice if it detects any in the request  don t know of any public one  but that is also possible

[security] Ways to insert javascript into URL?

Examples related to security

Examples related to url