Why is setting window.location.href to a session storage item value considered a DOM XSS vulnerability?
Fortify SCA reports that the following code is DOM XSS vulnerable:
const returnUrl = sessionStorage.getItem('returnUrl') || '/';
window.location.href = returnUrl;
When a user enters my application by clicking a link, for example, and the user is not logged in:

1. I store window.location.href into the returnUrl item in session storage.
2. I set window.location.href to an external login page.
3. After login, the user is sent back to the logged-in.html page of my app.
4. logged-in.html contains the above code, setting window.location.href to the value stored in the returnUrl item of session storage.

Why is this vulnerable? How can I mitigate it?
EDIT: I didn't execute Fortify; an external company did, and reported the following:
CWE-80. Input Validation and Representation: Cross-Site Scripting: DOM
"How can I mitigate it?"
Don't store a full URL, just store the necessary information (such as a page name, or even an enum-like value that identifies the page to go to). Then, when going back to the page, validate the data from session storage before building a URL from only known values and validated values:
// JSON.parse(null) returns null when the item is missing, so the guard below covers it
const returnInfo = JSON.parse(sessionStorage.getItem("returnUrl"));
if (returnInfo && validatePageName(returnInfo.pageName) /* ...other checks as necessary... */) {
    // Build the URL only from a fixed prefix plus the validated page name
    window.location.href = "/" + returnInfo.pageName; // Or similar
}
...where validatePageName ensures that the string passed to it is just the name of a page in your app, and not (for instance) a full URL.
Or if that's too much of a change, at least validate the URL before using it:
// Resolve the stored value against the current page, so a relative path like
// "/account" becomes a full same-origin URL. Note: new URL() throws on an
// unparseable value, so wrap this in try/catch if the stored value may be garbage.
const returnUrl = new URL(
    sessionStorage.getItem("returnUrl") || "/",
    location.href
);
if (
    returnUrl.protocol === location.protocol &&
    returnUrl.port === location.port &&
    returnUrl.hostname === location.hostname /* ...other checks as necessary... */
) {
    window.location.href = returnUrl;
}
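As an added example, not from the question or the answer above: both mitigations written as pure functions that take the stored value and the current page URL as parameters, so they run under Node as well as in a browser. The names validatePageName, KNOWN_PAGES, returnPathFromStored and safeReturnUrl, and the page list, are this example's own assumptions, not the poster's app. The second function also makes explicit two failure modes the answer's snippet leaves implicit: new URL() throws on an unparseable value, and a javascript: or protocol-relative (//host) value fails the origin check instead of reaching the location sink.

```javascript
// Added example (not code from the original question or answer).
// Both functions are pure: they take the stored value and the current page URL
// as arguments so they can be exercised without window, location or sessionStorage.

// --- Mitigation 1: store only a page name and map it through an allow-list ---

// Constructed set of pages the app knows about (an assumption for this example).
const KNOWN_PAGES = new Set(["home", "account", "orders"]);

function validatePageName(name) {
  // Accept only a short identifier of [a-z0-9-]. That alone excludes slashes,
  // colons, dots and percent-encoding, so "https://evil.example", "../admin"
  // and "javascript:..." can never pass; the allow-list then restricts it further.
  return (
    typeof name === "string" &&
    /^[a-z0-9-]{1,32}$/.test(name) &&
    KNOWN_PAGES.has(name)
  );
}

// storedJson stands in for sessionStorage.getItem("returnUrl").
function returnPathFromStored(storedJson) {
  let info;
  try {
    // JSON.parse(null) yields null (missing item); malformed JSON throws.
    info = JSON.parse(storedJson);
  } catch (e) {
    return "/";
  }
  if (info && validatePageName(info.pageName)) {
    // The URL is built from a fixed prefix and a validated token only.
    return "/" + info.pageName;
  }
  return "/";
}

// --- Mitigation 2: keep a URL, but follow it only if it is same-origin ---

// stored stands in for sessionStorage.getItem("returnUrl"),
// currentHref for window.location.href.
function safeReturnUrl(stored, currentHref) {
  const here = new URL(currentHref);
  const fallback = here.origin + "/";
  let target;
  try {
    // Relative paths resolve against the current page; absolute URLs and
    // pseudo-schemes such as "javascript:" keep their own protocol.
    target = new URL(stored || "/", here);
  } catch (e) {
    // Unparseable value: new URL() throws, so degrade to the fallback.
    return fallback;
  }
  // Protocol, host and port together are the origin; "//evil.example/x"
  // resolves to https://evil.example/x and fails on hostname, and
  // "javascript:alert(1)" fails on protocol.
  const sameOrigin =
    target.protocol === here.protocol &&
    target.hostname === here.hostname &&
    target.port === here.port;
  return sameOrigin ? target.href : fallback;
}
```

In a page the calls would be `window.location.href = safeReturnUrl(sessionStorage.getItem("returnUrl"), location.href)` or `window.location.href = returnPathFromStored(sessionStorage.getItem("returnUrl"))`; the first form still allows any same-origin path, the second only paths you enumerated, which is why the answer prefers it.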