Open Redirect vulnerability in javascriptjquery - Stack Overflow


I'm trying to sanitize my code to address all the Open Redirect vulnerabilities. For all my c# code I applied a fix to check if the URL supplied to Response.Redirect is from the same domain as the application. If not then throw an exception.

The question I have is about the open redirect instances in my .js code. The code flagged as vulnerable is:

window.open('Help/Admin/webhelp/' + helpFile, '_blank', 'toolbar=no, menubar=no, status=yes, scrollbars=yes, resizable=yes');

httpReqObject.open("GET", 'GetHelpLink.ashx?modid=' + _AdminHelpContext, true);

window.open('viewcontents.aspx?did=' + grid.rows[i].cells[gridCell.docID].innerText, "toobar=0,menubar=0,resizable=1")

What is the best way to address this Open Redirect vulnerability in my javascript code?

Thanks.


Asked Nov 18, 2014 at 20:48 by Vinay; edited Nov 18, 2014 at 20:56 by scunliffe.
  • Where is the redirect? I only see clients issuing GET requests... – plalx Commented Nov 18, 2014 at 21:09
  • plalx, I ran a HP Fortify code scan to check for any kind of vulnerability on my code base and aforementioned code was flagged for the "open redirect" vulnerability. I think partially because the portion of the path supplied to "window.open" is getting built dynamically and there's a potential of sneaking some malicious injection in that dynamic portion either to open a different page than the one I'm trying to open or breaking the desired functionality. – Vinay Commented Nov 19, 2014 at 15:37
  • As far as I can tell, there is no way to prevent a client from requesting another URL. However, your server-side code must ensure that invalid requests do not get processed. – plalx Commented Nov 19, 2014 at 17:01

1 Answer

Here's what I've come up with to address this issue. I agree this is not one of the most elegant solutions and might need some refinements, but it does satisfy my basic requirement of not allowing the user to navigate to a URL that is out of the application domain:

    // Opens the help window only when the target passes validateURL.
    function LaunchHelp(surl) {
        try {
            if (validateURL(surl))
                window.open(surl, '_blank', 'toolbar=no,menubar=no,status=yes');
            else {
                throw new InvalidURLException();
            }
        } catch (e) {
            if (e instanceof InvalidURLException)
                alert(e.message);
        }
    }

    function InvalidURLException() {
        this.message = "An attempt was made to open a webpage of a foreign domain. Not allowed.";
        this.toString = function () {
            return this.message;
        };
    }

    // Accepts relative paths and absolute http(s) URLs on the current host; rejects everything else.
    function validateURL(surl) {
        var url = parseURL(surl);
        var urlHostname = url.hostname.trim();
        var protocol = url.protocol.toLowerCase();

        // A relative path carries no scheme of its own (or the page's scheme in modern browsers);
        // any other scheme must be http or https. This also blocks "javascript:"-style URLs,
        // which have an empty hostname and would otherwise pass the check below.
        if (protocol !== '' && protocol !== 'http' && protocol !== 'https') {
            return false;
        }

        // Older IE leaves hostname empty for relative URLs; modern browsers resolve it to the
        // page's own host, so a relative path passes either way.
        if (urlHostname == '') {
            return true;
        }
        else {
            if (urlHostname.toUpperCase() == location.hostname.trim().toUpperCase()) {
                return true;
            }
            else
                return false;
        }
    }

    // Parses a URL by letting the browser resolve it through an anchor element.
    function parseURL(url) {
        var a = document.createElement('a');
        a.href = url;
        return {
            source: url,
            protocol: a.protocol.replace(':', ''),
            hostname: a.hostname,
            host: a.host,
            port: a.port,
            query: a.search,
            params: (function () {
                var ret = {},
                    seg = a.search.replace(/^\?/, '').split('&'),
                    len = seg.length, i = 0, s;
                for (; i < len; i++) {
                    if (!seg[i]) { continue; }
                    s = seg[i].split('=');
                    ret[s[0]] = s[1];
                }
                return ret;
            })(),
            file: (a.pathname.match(/\/([^\/?#]+)$/i) || [, ''])[1],
            hash: a.hash.replace('#', ''),
            path: a.pathname.replace(/^([^\/])/, '/$1'),
            relative: (a.href.match(/tps?:\/\/[^\/]+(.+)/) || [, ''])[1],
            segments: a.pathname.replace(/^\//, '').split('/')
        };
    }

I had to check for hostname as empty string for the scenario where a relative path ('Help/Admin/webhelp/') is supplied to the LaunchHelp method. In this case the parseURL returns a blank hostname. I stole the "parseURL" method from here.

Any suggestions/comments/questions are most welcome.
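As an added example (not code from the question or from the answer above), the same check written against the WHATWG `URL` parser, which runs in modern browsers and in Node.js. It goes beyond the answer in two ways: it compares the full origin (scheme, host and port) rather than only the hostname, and it rejects any scheme other than http(s), so a `javascript:` or protocol-relative `//host/` target never reaches `window.open`. It also shows a path allowlist for the fixed `Help/Admin/webhelp/` folder from the question. The base URL is passed in explicitly (`location.href` in a browser); the function names, `BASE` and the sample inputs are constructed for this example.

```javascript
// Added example: same-origin validation for window.open targets.
// Assumptions (not from the original page): function names, BASE and the
// sample inputs below are constructed for illustration.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// True only when `candidate`, resolved relative to `base`, is an http(s) URL
// on exactly the same origin as `base`. Unparsable input is rejected.
function isSafeNavigationTarget(candidate, base) {
  let origin, target;
  try {
    origin = new URL(base);
    target = new URL(candidate, origin); // relative paths resolve against the page
  } catch (e) {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) {
    return false; // blocks javascript:, data:, file: and similar schemes
  }
  // Full origin comparison: a scheme downgrade or a different port is rejected,
  // which a hostname-only comparison would let through.
  return target.origin === origin.origin;
}

// Allowlist variant for the fixed help folder from the question: the dynamic
// part must be a single plain file name, so it cannot escape the folder.
function buildHelpUrl(helpFile, base) {
  const segment = String(helpFile);
  if (!/^[A-Za-z0-9_.-]+$/.test(segment) || segment.includes('..')) {
    return null; // no slashes, no query/fragment, no parent-directory traversal
  }
  const url = new URL('Help/Admin/webhelp/' + encodeURIComponent(segment), base);
  return isSafeNavigationTarget(url.href, base) ? url.href : null;
}

// Browser-side caller: only opens a window for an allowlisted help file.
function openHelp(helpFile) {
  const href = buildHelpUrl(helpFile, location.href);
  if (href === null) {
    alert('Help file name is not valid.');
    return;
  }
  window.open(href, '_blank', 'toolbar=no,menubar=no,status=yes');
}

// Constructed sample inputs; each is labelled with the expected verdict.
const BASE = 'https://app.example.com/Admin/Default.aspx';
const SAMPLES = [
  ['Help/Admin/webhelp/intro.htm', true],                 // relative, same origin
  ['https://app.example.com/viewcontents.aspx?did=42', true], // absolute, same origin
  ['https://evil.example.net/', false],                   // foreign host
  ['//evil.example.net/phish', false],                    // protocol-relative
  ['javascript:alert(1)', false],                         // non-http scheme, empty host
  ['http://app.example.com/', false],                     // scheme downgrade
  ['https://app.example.com:8443/', false],               // different port
];

// Returns the verdict for every sample so the behaviour can be inspected or asserted.
function checkSamples() {
  return SAMPLES.map(([input, expected]) => ({
    input,
    expected,
    actual: isSafeNavigationTarget(input, BASE),
  }));
}
```

Call `checkSamples()` to see each sample's verdict; in the browser, `openHelp('intro.htm')` is the replacement for the `window.open('Help/Admin/webhelp/' + helpFile, ...)` call from the question. The design choice worth noting is that the dynamic part is constrained by an allowlist before the URL is even built, so the origin check becomes a second line of defence rather than the only one.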
