Can I safely use user data when redirecting to an url on my own domain?
Assume that I own example.com. If normal usage of my app would require me to redirect users to URLs like this at times, is this OK?
https://example.com/ + userData
Is there any way this can be used to do an exploit, and run JavaScript for example? Or redirect to some completely different domain?
For the purposes of this discussion, I'd like to:
You can assume I'm doing no encoding of the parameter I received from the user at all.
EDIT: Clarification - the userData isn't added to the page in any way; it only resides in the URL itself.
As mentioned in the comments, this scenario doesn't seem to be exploitable with the javascript: (or data:, which can also be used to execute JavaScript) pseudo-protocol. However, it may be possible to perform a reflected XSS attack if example.com outputs userData on a custom 404 page. Let's assume that this page displays an error message:
<h1>Page 'userData' not found.</h1>
In this case, if an attacker submits a JavaScript payload (e.g. <script>alert('xss');</script>), it will be rendered on the page,
<h1>Page '<script>alert('xss');</script>' not found.</h1>
and the code may be executed by a visitor. This attack can be prevented by filtering the user data - user input should always be sanitized anyway.
An open redirect exploit does not seem very likely because the user input is appended to the domain, and exploit attempts should result in a 404 response. Of course, if there are other local pages that allow any redirects, then an attacker could use them in their payload, e.g.:
vulnerable/page?url=http://attacker.com
Note that just because I can't confirm an exploit, that doesn't mean the code isn't vulnerable, depending on the server configuration. We can prevent open redirect exploits by filtering user data based on a list of valid and trusted locations. This may also help with several other attacks targeting the server, such as directory traversal, file inclusion and server-side request forgery attacks.
An attacker may send an email pretending to be mail from your site and inject a link like this (I assume “jumper.php” is a page that has a single URL parameter with the target URL, which may contain user data):
To verify your account please follow this link:
http://example.com/jumper.php?url=http%3A%2F%2Fexample-my.com
In that case, the user will see in the mail a link starting with http://example.com and may assume that this is a valid link to your site, but actually they will be redirected to http://example-my.com, which may be controlled by the attacker (and look much like your site).
If the page contains code like this (PHP example):
<script>location.replace(<?= json_encode($userData) ?>);</script>
Then, even if the variable is properly sanitized, an attacker may execute arbitrary JavaScript code in the context of http://example.com by redirecting to javascript:... . For example:
To verify your account please follow this link:
http://example.com/jumper.php?url=javascript%3Aalert%28document.cookie%29
In that case, the redirection will become
<script>location.replace("javascript:alert(document.cookie)");</script>
and the code javascript:alert(document.cookie) (as an example) will be executed in the context of http://example.com. Of course, an attacker may do much more powerful things by injecting arbitrary JavaScript code.
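Pulling the two answers together, here is an added example (not code from either answer or from the asker's app) of validating userData before redirecting to it and before echoing it on a 404 page; SITE_ORIGIN and ALLOWED_PATHS are assumed values constructed for this example:

```javascript
// Added example, not code from either answer: validate a user-supplied
// redirect target so the app only ever redirects to a known page on its own
// origin, and escape anything it echoes back (the custom-404 case above).
// SITE_ORIGIN and ALLOWED_PATHS are assumed values for this example.
const SITE_ORIGIN = 'https://example.com';
const ALLOWED_PATHS = ['/account/verify', '/docs/']; // exact path, or prefix when it ends in '/'

function pathAllowed(pathname) {
  return ALLOWED_PATHS.some((p) => (p.endsWith('/') ? pathname.startsWith(p) : pathname === p));
}

// Returns an absolute same-origin URL string, or null when the input must be rejected.
function safeRedirectTarget(userData) {
  if (typeof userData !== 'string' || userData.length > 2048) return null;
  let url;
  try {
    // Let the WHATWG URL parser decide what the input really is instead of
    // string-matching: it strips embedded tabs/newlines ('java\nscript:'),
    // treats backslashes as slashes ('\\evil.com'), resolves '//evil.com'
    // against our scheme, and normalises '..' segments in the path.
    url = new URL(userData, SITE_ORIGIN + '/');
  } catch (e) {
    return null; // not a parseable URL at all
  }
  // 'javascript:' and 'data:' URLs have origin 'null'; 'https://example.com@evil.com'
  // and 'https://example.com.evil.com' have a foreign origin.
  if (url.origin !== SITE_ORIGIN) return null;
  if (url.username !== '' || url.password !== '') return null; // no credentials in the link
  if (!pathAllowed(url.pathname)) return null;
  return url.href; // normalised, always starts with SITE_ORIGIN
}

// Server-side rendering of the redirect snippet from the second answer, but
// only with a validated target; JSON.stringify gives a proper JS string
// literal and '<' is escaped so the literal can never close the <script> tag.
function renderRedirectScript(userData) {
  const target = safeRedirectTarget(userData);
  if (target === null) return null; // respond 404 instead, without echoing userData
  const literal = JSON.stringify(target).replace(/</g, '\\u003c');
  return `<script>location.replace(${literal});</script>`;
}

// For the custom 404 page: escape before echoing the requested path into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
```

The allow-list, not the origin check alone, is what stops the "other local page with an open redirect" case from the first answer: a same-origin path is still rejected unless it is listed.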