Cross Site Scripting issue with window.location.search

Tags: javascript, xss

I have been going through so many forums and Wikipedia pages for a few days trying to understand XSS attacks. I have spent almost 2-3 days but still don't have a better idea, as experts suggest multiple solutions, and I want to know how hackers can inject malicious code into a victim's browser. My application has been run through a standard App Scanner testing tool, and it caught so many XSS issues. I want to put one of my application's XSS issues here, so can someone please help me understand what exactly I have to do for this issue? I am still trying hard to get a better understanding of XSS issues. This is my code snippet:

// Hand-rolled query-string parser: finds the first occurrence of `param`
// anywhere in the query string and takes everything up to the next '&'.
function getParameter(param) {
        var val = "";
        var qs = window.location.search;
        var start = qs.indexOf(param);
        if (start != -1) {
                start += param.length + 1; // skip past "param="
                var end = qs.indexOf("&", start);
                if (end == -1) {
                        end = qs.length;
                }
                val = qs.substring(start, end);
        }
        return val;
}

// year, month, thisDay and contextstr are defined elsewhere on the page.
var formName = getParameter("formName");
// formName comes straight from the URL and is concatenated into both a javascript: URL and HTML markup.
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';
document.getElementById('calendarA').innerHTML = myValue;

And these statements are

var qs = window.location.search;
val = qs.substring(start,end);
var formName = getParameter("formName");
var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';
document.getElementById('calendarA').innerHTML = myValue;

caught by the App Scanner testing tool as possible code for XSS (Cross Site Scripting) issues, but I am not sure how it causes XSS or how I can fix this issue now. Can anybody please provide insights on how this vulnerability can be fixed?

Venkaiah Yepuri asked Dec 05 '16 12:12

2 Answers

var myValue = '<a href="javascript:parent.opener.assignDateIps( new Date(\''+year+'\',\''+month+'\',\''+thisDay+'\'), \''+contextstr+'\', \''+formName+'\' );window.close()" class="modulelink">'+thisDay+'</a></td>';

This line doesn't have any escaping; it expects '(... \''+formName+'\' );...' to be a string. But it can become something else:

formName = "'); alert('I\'m free to do anything here'); (''+"
document.getElementById('calendarA').innerHTML = myValue;

Let's place such a fragment into myValue:

... <img src=void onerror="alert('hacked')" /> ...

You can check that it works:

document.querySelector('button').addEventListener('click', function () {
  document.querySelector('output').innerHTML = document.querySelector('textarea').value;
})
<textarea>... <img src=void onerror="alert('hacked')" /> ...</textarea>
<button>Go</button>
<output></output>

You should never trust any data passed in the URL string. Any site can place any link to your site. Some user clicks it, goes to your site, the parameters are executed in the context of your site, and the attacker can do anything he wants.

Qwertiy answered Sep 18 '22 08:09
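As an added example (not the asker's code or either answer's), here is the same calendar-link feature rebuilt so that formName is parsed with URLSearchParams, checked against an allow-list, and handed to assignDateIps as a function argument instead of being concatenated into a javascript: URL and innerHTML. Assumptions: getParameter takes the query string as a parameter so it can run outside a browser, the form-name pattern is a hypothetical one for this illustration, and the td with id calendarA and parent.opener.assignDateIps are as in the question.

```javascript
// Hardened rewrite of the question's pattern (added example, not the asker's code).
// Assumption: the query string is passed in so the helpers run outside a browser too.

// 1. Parse the query string with URLSearchParams instead of indexOf/substring.
//    The original matched `param` anywhere (even inside another key), assumed a
//    following '=' and never percent-decoded; URLSearchParams handles all of that.
function getParameter(search, param) {
  const value = new URLSearchParams(search).get(param);
  return value === null ? '' : value;
}

// 2. Allow-list what a form name may look like (assumed pattern). Anything else
//    is rejected up front rather than spliced into markup or script.
const FORM_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;
function safeFormName(search) {
  const name = getParameter(search, 'formName');
  return FORM_NAME_RE.test(name) ? name : null;
}

// 3. Build the link with DOM APIs and a click handler. The untrusted value is
//    only ever a JS string argument: never HTML, never JavaScript source.
function renderDayLink(doc, cell, year, month, day, contextstr, formName) {
  const a = doc.createElement('a');
  a.href = '#';
  a.className = 'modulelink';
  a.textContent = String(day);       // textContent, not innerHTML
  a.addEventListener('click', function (ev) {
    ev.preventDefault();
    // Same call as the original javascript: URL, but with real arguments.
    parent.opener.assignDateIps(new Date(year, month, day), contextstr, formName);
    window.close();
  });
  cell.textContent = '';             // replace the cell's previous content
  cell.appendChild(a);
  return a;
}

// Browser entry point; skipped when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  const formName = safeFormName(window.location.search);
  const cell = document.getElementById('calendarA');
  if (formName !== null && cell) {
    // year/month/thisDay/contextstr come from the surrounding page in the
    // original; the values below are constructed for the example.
    renderDayLink(document, cell, 2016, 11, 5, 'ctx', formName);
  }
}
```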


Nothing in the code you've shown us is vulnerable.

You are reading user input, so there is the potential to introduce a vulnerability there. That is probably what the tool you are using is detecting.

If your code is vulnerable, then it will be because of whatever you do with the value of formName next (in the code you haven't shown us).

Quentin answered Sep 21 '22 08:09