Security: window.location.href can be a trigger of "unvalidated redirects and forwards vulnerability".
Reported by nullbr...@gmail.com, Dec 7 2016
Issue description

Hi, I'm june. I think I found a vulnerability. I'm sorry if my report sounds rude; it is not my meaning. My English skill is not good. Please understand. :)

VULNERABILITY DETAILS

On the "http://example.com" site:

window.location.href = '/test' -> http://example.com/test
window.location.href = '//test' is 'http://test'. It is not 'http://example.com//test'.
window.location.href = '///test' is 'http://test'. It is not 'http://example.com///test'.
window.location.href = '////test' is 'http://test'. It is not 'http://example.com////test'.

If the href value is '//google.com', you will not be redirected to 'http://example.com//google.com' but to 'http://google.com'.
window.location.href = '//google.co.kr' is 'http://google.co.kr'. It is not 'http://example.com////test'.

It can be a trigger of "unvalidated redirects and forwards vulnerability". (https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards)

In this case, it can be used for malicious purposes by an attacker.

url : http://example.com/something_url?returnUrl=//malwareUrl.com
------------------------------------------------------------------------------
<script>
window.location.href='/<%=request.getParameter("returnUrl")%>';
</script>
------------------------------------------------------------------------------
=> The webmaster maybe wants to return only within his/her own domain.
=> But it will redirect to "http://malwareUrl.com".

I can't understand why it can be possible. I think it is a vulnerability or a little bug. But if I'm wrong, please tell me what the purpose is. Please let me know why it is not 'http://example.com///google.com' but 'http://google.com'.

Thank you for reading my report. (Again, I'm sorry if my report sounds rude; it is not my meaning. I don't know English well.) I'll wait for your answer.
Have a nice day :)

VERSION
Chrome Version: [54.0.2840.99 m]
Operating System: [Windows 7 Enterprise K Service Pack 1]

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug.

It is not suitable for an HTML file, because it follows the protocol of the domain that executes the JavaScript. If I write HTML, it will move to "file://google.com", not "http://google.com". So I can't include an HTML file, and I don't have any web domain. I'm sorry.
Dec 7 2016
This behavior is working as intended. A HREF value starting with "//" is deemed a "Protocol-relative hyperlink" which adopts the protocol scheme of the containing markup and combines the remainder of the relative value with that base scheme. Typically, protocol-relative hyperlinks are used by web developers whose sites are available over multiple protocols (e.g. both HTTP and HTTPS) and who do not want to write conditional logic to match the protocol of the current page to the destination. This behavior is specified by Web Standards and cannot be changed. You are correct to note that Web Applications must be aware of this behavior and must not trust user-supplied inputs.
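The same-origin check that the reply says web applications must perform, as an added example in JavaScript (not code from the report or from Chromium). It resolves the report's returnUrl values with the WHATWG URL parser that browsers and Node.js share, so it shows why the '/' prefix in the report's script does not keep the redirect on-site and how comparing origins refuses those values. BASE, naiveTarget, safeReturnUrl and the sample inputs are constructed for this illustration.

```javascript
// Added example, not part of the bug report or the Chromium reply.
// BASE stands in for the page running the redirect script; constructed for illustration.
const BASE = "http://example.com/something_url";

// The pattern from the report: '/' + returnUrl. Prefixing "/" does not pin the
// redirect to the site, because "/" + "//host" is "///host", and for http(s) any
// run of leading slashes is parsed as a protocol-relative (network-path) reference.
function naiveTarget(returnUrl, base = BASE) {
  return new URL("/" + returnUrl, base).href;
}

// Hardened variant: resolve the value against the current page exactly as the
// browser will, then accept it only if the origin (scheme + host + port) is unchanged.
// Returns a path-relative string to redirect to, or null when the value must be refused.
function safeReturnUrl(returnUrl, base = BASE) {
  let resolved;
  try {
    resolved = new URL(returnUrl, base);
  } catch (err) {
    return null; // not parseable as a URL at all
  }
  if (resolved.origin !== new URL(base).origin) {
    return null; // "//evil", "///evil" and "http://evil/" all end up here
  }
  // Re-emit only the path part so the caller never echoes an absolute URL.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Walk the report's inputs so the difference is visible when run directly.
function demo() {
  const inputs = ["test", "//test", "///test", "////test", "//google.com", "//google.co.kr"];
  return inputs.map((v) => ({
    input: v,
    naive: naiveTarget(v),          // where the report's script would send the browser
    safe: safeReturnUrl("/" + v),   // what the origin check allows (null = refused)
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(demo());
}
```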
Dec 8 2016
Thank you for explaining to me. I now know that an HREF starting with "://" (not only "//", including ':') is deemed a "Protocol-relative hyperlink". You think this is only natural, but not to me... I'm shocked... I have misunderstood it for about 10 years.... I think I need to read the Web Standards documents. Thanks again!! Thanks a lot.
Comment 1 by nullbr...@gmail.com, Dec 7 2016