-
Notifications
You must be signed in to change notification settings - Fork 69
Set location sink
window.location (or document.location) and its members can be a source and a sink [1].
The window.location object can be used to take the browser to another page by simply assigning a string to it.
E.g.
window.location = "http://example.com/a/page.ext?par=val#hash"locationlocation.hreflocation.pathnamelocation.searchlocation.protocollocation.hostname
An unvalidated assignment to each of the listed objects could lead, to some extent, to security issues.
(TBF)
Important Note Internet Explorer 8 will decode entities to their original values if they are somewhere present in the left value.
E.g.
location="javascript:alert(1)";: (or its decimal analogue :) will be converted to :.
Other browsers like Firefox (3.6), Opera (10), Chrome (5), Safari (5) don't replace entities to their converted chars.
(TBF)
Location dangerous methods are:
location.assignlocation.replace
E.g.
taintedVariable=location.href.split("#")[1];
location.assign(taintedVariable);The following table contains sink methods and the arguments where a untrusted value could lead to security issues.
| Method | Tainted Argument Position |
|---|---|
location.assign |
1 |
location.replace |
1 |
(TBA)
- Home
- Sources
-
Sinks
- Direct Execution Sinks
- Set Object Sinks
- HTML Manipulation Sinks
- Style Sinks
- XMLHttpRequest Sink
- Set Cookie Sink
- Set Location Sink
- Control Flow Sink
- [Use of Equality And Strict Equality](Use of Equality And Strict Equality)
- Math.random Sink
- JSON Sink
- XML Sink
- [Common JavaScript libraries](Common JavaScript libraries)
- String Manipulation Methods
- Local DOMXSS
- Finding DOMXSS
- Object Shadowing
- Filters
- Glossary
- References