
Redirects can be used for XSS #24

Closed
fprochazka opened this issue Nov 13, 2014 · 7 comments

Comments

@fprochazka (Contributor) commented Nov 13, 2014

If the attacker finds a hole where he can provide a URL that is passed directly to Http\Response::redirect(), then he's able to create XSS.

For example:

/some/page?redirect=%0Ajavascript:alert(/xss/)

Which executes:

public function actionPage($redirect)
{
    $this->redirectUri($redirect);
}

The browser won't redirect, because it's not a valid URL, but the HTML will be printed:

Location: %0Ajavascript:alert(/xss/)


<h1>Redirect</h1>

<p><a href="
javascript:alert(/xss/)">Please click here to continue</a>.</p>

This happened to us in our mailing click-through counter.

Also relevant: http://forum.nette.org/cs/21315-parsovani-absolutni-url-routerem-aplikace#p146150
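A defender-side check for the pattern fprochazka describes, written to also accept relative targets (dg's point later in the thread). This is an added example, not Nette's code: isSafeRedirectUrl() and redirectFallbackHtml() are hypothetical names, not the Validators helpers discussed in this issue.

```php
<?php
// Added example, not part of the Nette project. Rejects the newline +
// javascript: payload from the report while still allowing relative paths.

/**
 * Accept only targets a redirect can legitimately point to:
 *  - an absolute http(s) URL with a host, or
 *  - a relative path starting with a single "/" ("//" is scheme-relative and
 *    would send the browser off-site).
 * Any ASCII control character or whitespace (including the %0A newline from
 * the report) is rejected before anything else is inspected.
 */
function isSafeRedirectUrl(string $url): bool
{
    if ($url === '' || preg_match('/[\x00-\x20\x7F]/', $url)) {
        return false;
    }
    if ($url[0] === '/') {
        return !isset($url[1]) || $url[1] !== '/';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host = parse_url($url, PHP_URL_HOST);
    return in_array($scheme, ['http', 'https'], true) && $host !== null && $host !== '';
}

/**
 * Fallback body like the one in the report, with the target HTML-escaped.
 * Escaping stops attribute break-out but does NOT neutralise a javascript:
 * scheme inside href, so it complements isSafeRedirectUrl(), not replaces it.
 */
function redirectFallbackHtml(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Redirect</h1>\n\n<p><a href=\"{$escaped}\">Please click here to continue</a>.</p>";
}

// Constructed inputs: the report's payload as $_GET delivers it (already
// URL-decoded), a scheme-relative target, and two benign targets.
$cases = [
    "\njavascript:alert(/xss/)" => false,
    '//other.example/'          => false,
    '/some/page?x=1'            => true,
    'https://example.com/path'  => true,
];
foreach ($cases as $url => $expected) {
    if (isSafeRedirectUrl($url) !== $expected) {
        throw new RuntimeException('unexpected result for ' . var_export($url, true));
    }
}
```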

@fprochazka changed the title from "Redirects can be easily used for XSS" to "Redirects can be used for XSS" on Nov 13, 2014
@dg (Member) commented Nov 13, 2014

Can you fix it?

@fprochazka (Contributor, Author)

I suppose this should have a similar behaviour to Latte when there is a variable in <a href>, right?

@JanTvrdik (Contributor)

Maybe Validators::assert($url, 'url') will be enough.

@dg dg closed this as completed Nov 14, 2014
@dg dg reopened this Nov 14, 2014
@dg (Member) commented Nov 14, 2014

@JanTvrdik url may be relative

@dg (Member) commented Nov 14, 2014

(Why is „Close issue“ 3px from „Comment“, dear @github? #uxfail)

@mishak87

@fprochazka Latte regex for quick fix :)

@mishak87

@dg It could be useful as Validators::isSafeUrl for checking before redirecting. Should I make a pull?
