 

Javascript used in URL

Tags:

javascript

xss

Looking through analytics, I saw that someone visited my cart page and added the following to the URL:

cart?wvstest=javascript:domxssExecutionSink(1,%2522%253Cbr%253E()locxss%2522)

What would this do, and should I be concerned about any security issues?

Jordan Bundy asked May 01 '14 21:05




2 Answers

It's an attempt at injecting JavaScript by the penetration testing tool Acunetix. The specific attack is DOM-based XSS (as shown by the function named domxssExecutionSink). If you were to echo the query parameter wvstest directly to the page, their JavaScript would have been executed.

Read more about XSS attacks (and how to mitigate them) at OWASP

SomeKittens answered Oct 11 '22 09:10


It will pass the data to your server.

What happens next depends on your server side code.

If you were to read wvstest as a query string and then inject it (without proper sanitisation) into an HTML document, you would have an XSS security hole.

Quentin answered Oct 11 '22 09:10
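Both answers come down to the same point: the wvstest value is attacker-controlled input, and whether it does harm depends on which sink it reaches. The following is an added example, not code from the question or from either answer. It decodes the probe URL from the question, simulates the DOM sink the first answer refers to (a navigate callback stands in for an assignment to location.href so the code runs outside a browser) and the server-side reflection the second answer refers to, then shows a hardened version of each. The host shop.example, the "Back to cart" link, the constructed onmouseover payload and the assumption that the value is used as a return URL are mine, not from the page.

```javascript
// Added example (not from the original question or answers). Uses only the
// built-in URL and URLSearchParams globals, so it runs in Node or a browser.

// The exact URL from the question, made absolute with a hypothetical host.
const PROBE_URL =
  'https://shop.example/cart?wvstest=javascript:domxssExecutionSink(1,%2522%253Cbr%253E()locxss%2522)';

// Undo the double percent-encoding: URLSearchParams decodes once
// (%2522 -> %22), decodeURIComponent does the second pass (%22 -> ").
// Double encoding lets the probe survive a server that decodes once
// before echoing the value into the page.
function decodeProbe(url, param = 'wvstest') {
  const once = new URL(url).searchParams.get(param);
  return { once, twice: decodeURIComponent(once) };
}

// Deliberately vulnerable DOM sink, as the first answer describes: the query
// value goes straight into a navigation, so a javascript: URL executes.
function domSinkVulnerable(url, navigate) {
  navigate(new URL(url).searchParams.get('wvstest')); // no scheme/origin check
}

// Hardened: resolve against the current origin, allow only http(s), and
// refuse to leave the site (which also closes the open-redirect case).
function safeRedirectTarget(value, currentOrigin) {
  let resolved;
  try {
    resolved = new URL(value, currentOrigin);
  } catch {
    return null; // unparsable -> caller falls back to a default page
  }
  if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') {
    return null; // javascript:, data:, vbscript: ... never navigate
  }
  if (resolved.origin !== new URL(currentOrigin).origin) {
    return null; // cross-origin target -> open redirect, refuse
  }
  return resolved.href;
}

// Server side, as the second answer describes: the same value reflected into
// HTML. Escaping stops breakout from the attribute, but in an href a
// javascript: URL is still a live sink, so scheme validation is needed too.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCartVulnerable(value) {
  return `<a href="${value}">Back to cart</a>`; // raw concatenation
}

function renderCartHardened(value, currentOrigin) {
  const href = safeRedirectTarget(value, currentOrigin) ?? `${currentOrigin}/cart`;
  return `<a href="${escapeHtml(href)}">Back to cart</a>`;
}

// Demonstration when run directly.
const ORIGIN = 'https://shop.example';
const decoded = decodeProbe(PROBE_URL);
console.log('decoded once :', decoded.once);
console.log('decoded twice:', decoded.twice);
domSinkVulnerable(PROBE_URL, (t) => console.log('vulnerable sink navigates to:', t));
console.log('hardened sink navigates to :', safeRedirectTarget(decoded.once, ORIGIN) ?? `${ORIGIN}/cart`);
console.log('vulnerable HTML:', renderCartVulnerable(decoded.twice));
console.log('hardened HTML  :', renderCartHardened(decoded.twice, ORIGIN));
```

The probe itself is harmless to a site that never puts wvstest into a sink; the scanner only reports a finding if domxssExecutionSink ends up being called or the string lands in the page unencoded. The check that matters is the one on your side: every place the query string is read and written back into HTML, a URL, or a DOM property.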