I'm trying to sanitize my code to address all the Open Redirect vulnerabilities. For all my c# code I applied a fix to check if the URL supplied to Response.Redirect is from the same domain as the application. If not then throw an exception.
The question I have is about the open redirect instances in my .js code. The code flagged as vulnerable is:
window.open('Help/Admin/webhelp/' + helpFile, '_blank', 'toolbar=no, menubar=no, status=yes, scrollbars=yes, resizable=yes');
httpReqObject.open("GET", 'GetHelpLink.ashx?modid=' + _AdminHelpContext, true);
window.open('viewcontents.aspx?did=' + grid.rows[i].cells[gridCell.docID].innerText, '_blank', 'toolbar=0,menubar=0,resizable=1');
What is the best way to address this Open Redirect vulnerability in my javascript code?
Thanks.
Edited Nov 18, 2014 at 20:56 by scunliffe; asked Nov 18, 2014 at 20:48 by Vinay
3 comments:
- Where is the redirect? I only see clients issuing GET requests... – plalx Commented Nov 18, 2014 at 21:09
- plalx, I ran an HP Fortify code scan to check for any kind of vulnerability on my code base and the aforementioned code was flagged for the "open redirect" vulnerability. I think partially because the portion of the path supplied to "window.open" is getting built dynamically and there's a potential of sneaking some malicious injection into that dynamic portion, either to open a different page than the one I'm trying to open or to break the desired functionality. – Vinay Commented Nov 19, 2014 at 15:37
- As far as I can tell, there is no way to prevent a client from requesting another URL. However, your server-side code must ensure that invalid requests do not get processed. – plalx Commented Nov 19, 2014 at 17:01
1 Answer
Here's what I've come up with to address this issue. I agree this is not one of the most elegant solutions and might need some refinements, but it does satisfy my basic requirement of not allowing the user to navigate to a URL that is out of the application domain:
function LaunchHelp(surl) {
    try {
        if (validateURL(surl))
            window.open(surl, '_blank', 'toolbar=no,menubar=no,status=yes');
        else {
            throw new InvalidURLException();
        }
    } catch (e) {
        if (e instanceof InvalidURLException)
            alert(e.message);
    }
}

function InvalidURLException() {
    this.message = "An attempt was made to open a webpage of a foreign domain. Not allowed.";
    this.toString = function () {
        return this.message;
    };
}

function validateURL(surl) {
    var url = parseURL(surl);
    var urlHostname = url.hostname.trim();
    // Only plain web schemes may pass. 'javascript:' and 'data:' URLs also
    // come back with an empty hostname, so a hostname check alone would let
    // them through; an empty protocol is what a relative path yields.
    var protocol = url.protocol.toLowerCase();
    if (protocol !== '' && protocol !== 'http' && protocol !== 'https') {
        return false;
    }
    if (urlHostname == '') {
        // relative path such as 'Help/Admin/webhelp/', served from this site
        return true;
    }
    else {
        if (urlHostname.toUpperCase() == location.hostname.trim().toUpperCase()) {
            return true;
        }
        else
            return false;
    }
}

// Let the browser's own parser split the URL into its parts by assigning it
// to an anchor element's href.
function parseURL(url) {
    var a = document.createElement('a');
    a.href = url;
    return {
        source: url,
        protocol: a.protocol.replace(':', ''),
        hostname: a.hostname,
        host: a.host,
        port: a.port,
        query: a.search,
        params: (function () {
            var ret = {},
                seg = a.search.replace(/^\?/, '').split('&'),
                len = seg.length, i = 0, s;
            for (; i < len; i++) {
                if (!seg[i]) { continue; }
                s = seg[i].split('=');
                ret[s[0]] = s[1];
            }
            return ret;
        })(),
        file: (a.pathname.match(/\/([^\/?#]+)$/i) || [, ''])[1],
        hash: a.hash.replace('#', ''),
        path: a.pathname.replace(/^([^\/])/, '/$1'),
        relative: (a.href.match(/tps?:\/\/[^\/]+(.+)/) || [, ''])[1],
        segments: a.pathname.replace(/^\//, '').split('/')
    };
}
I had to check for hostname as empty string for the scenario where a relative path ('Help/Admin/webhelp/') is supplied to the LaunchHelp method. In this case the parseURL returns a blank hostname. I stole the "parseURL" method from here.
Any suggestions/comments/questions are most welcome.
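A stricter version of the same check, written as an added example that is not part of the answer above: it resolves the candidate against the site's own origin with the URL constructor and compares the full origin and scheme, which also refuses javascript: URLs, protocol-relative '//host' inputs and backslash variants that a hostname-only comparison lets through. APP_ORIGIN is an assumed value standing in for window.location.origin, and the sample inputs are constructed.

```javascript
// Added example, not code from the original post. APP_ORIGIN is an assumed
// stand-in for window.location.origin in the browser.
const APP_ORIGIN = 'https://app.example.com';

// Returns the fully resolved URL string when it is safe to hand to
// window.open / location.assign, or null when it must be refused.
function resolveSameOriginUrl(candidate, appOrigin = APP_ORIGIN) {
  if (typeof candidate !== 'string' || candidate.trim() === '') return null;
  let url;
  try {
    // Relative paths ('Help/Admin/webhelp/x.htm') resolve against the base;
    // absolute and protocol-relative inputs ('//host/...') keep their own host.
    url = new URL(candidate, appOrigin + '/');
  } catch (e) {
    return null; // unparseable input is refused, never treated as allowed
  }
  // Scheme check closes the gap left by a hostname-only comparison:
  // 'javascript:' and 'data:' URLs have an empty hostname.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Compare the whole origin (scheme + host + port), not just the hostname,
  // so a look-alike host or a different port on the real host is rejected.
  if (url.origin !== new URL(appOrigin).origin) return null;
  return url.href;
}

// Constructed sample inputs mirroring the patterns in the question.
function demo() {
  const samples = [
    'Help/Admin/webhelp/intro.htm',
    'viewcontents.aspx?did=42',
    'https://app.example.com/viewcontents.aspx?did=42',
    '//evil.example/phish',
    'https://app.example.com.evil.example/',
    'https://app.example.com:8443/',
    'javascript:alert(1)',
    '\\\\evil.example\\x', // parser treats backslashes as slashes: host evil.example
  ];
  return samples.map((s) => [s, resolveSameOriginUrl(s)]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [input, out] of demo()) {
    console.log((out === null ? 'REFUSE ' : 'ALLOW  ') + input + (out ? ' -> ' + out : ''));
  }
}
```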
Tags: Open Redirect vulnerability in javascript, jquery, Stack Overflow