This question relates to the code window.location = window.location as a method to refresh the page and is not concerned with redirections / other variables.
My understanding is as follows:
window.location = window.location
causes the page to refresh, as the browser will navigate to the same location the user is already on.
Any change to this variable via DOM manipulation will cause the page to reload/load the attacker's page, thus these lines will not be able to be executed with an altered value and so are not candidates for cross-site scripting attacks.
Is this correct?
Edit: What I'm really asking is if there is a way to change window.location without causing a page reload, so that when the window.location = window.location call is made, the browser will be sent to another location.
So if I understand what you were asking correctly, none of these answers are correct. It is possible to leverage the window.location to perform XSS. It seemed like the roadblock you were running into was the fact that after the window.location line executed, the page would refresh and skip the execution of your payload. I'm assuming that you are able to somehow introduce contents into a string on the right side of window.location, and the input is not being properly encoded as a JavaScript string.
For example if http://vulnerablewebsite/page?param=derp';alert('xss');var+a+%3d+'
results in code like:
<script>
window.location='derp';alert('xss');var a = '';
</script>
You can just leverage string concatenation to defer the assignment to window.location until after your payload has been executed. So something like:
http://vulnerablewebsite/page?param=derp'+%2B+alert('xss')+%2b+'
would result in the following code that executes your payload.
<script>
window.location='derp' + alert('xss') + '';
</script>
This should really be in the security StackExchange though.
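An added example, not part of the question or the answer above, contrasting the answer's vulnerable string-splicing pattern with a hardened one that serialises the parameter as a JSON string literal; the helper names unsafeScript, safeScript and runScript, the stand-in window object and the sample payload are all constructed here, not taken from any real site.

```javascript
// Added example (not from the question or answer): the unsafe way of
// splicing a query parameter into an inline script, beside a hardened form.

// Vulnerable pattern: raw concatenation into a JavaScript string literal.
// A single quote in the parameter terminates the literal early.
function unsafeScript(param) {
  return "window.location='" + param + "';";
}

// Hardened pattern: let JSON.stringify produce a valid JS string literal
// (quotes and backslashes escaped), then additionally escape '<' and '>' so
// the value can never close the surrounding <script> element, and the two
// line terminators U+2028/U+2029 that JSON leaves unescaped but JS rejects.
function safeScript(param) {
  const literal = JSON.stringify(String(param))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return 'window.location=' + literal + ';';
}

// Evaluate a generated script against a stand-in window object and a stubbed
// alert, recording whether the injected function call ever executed.
function runScript(script) {
  let alertCalled = false;
  const fakeWindow = {};
  const fn = new Function('window', 'alert', script + ' return window.location;');
  const location = fn(fakeWindow, () => { alertCalled = true; });
  return { location, alertCalled };
}

// Constructed sample: the decoded form of the answer's second URL parameter.
const payload = "derp' + alert('xss') + '";

// Stand-alone run: the unsafe form executes the stub, the safe form assigns
// the whole parameter as an inert string value.
console.log(runScript(unsafeScript(payload)), runScript(safeScript(payload)));
```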