1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Is this really vulnerable to an XSS attack?

Discussion in 'Security' started by Maestroc, Jan 30, 2018.

  1. #1
    I have a form on the mobile version of a page on my site that starts with this HTML:
    SEMrush
    <select id="selectItemToUrl" onchange="if (this.value) window.location.href=this.value">
    <option value="contact-us">Ball</option>
    --lots more options below----


    But when I try to save it my hosting company's firewall blocks me from saving it saying that an XSS attack was detected. Is using this kind of redirect just causing a false positive or am I really leaving my site open to an XSS attack if I use this redirect?
     
    Maestroc, Jan 30, 2018 IP
    SEMrush
  2. Starmarshal

    Starmarshal Peon

    Messages:
    3
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    1
    #2
    it's depends on the form on your site. For exmple, if it generates with help of php framework and can be filled through the GET, so then it can be xss. If it static and not working with user requests you shouldn't worry.
     
    Starmarshal, Aug 5, 2019 IP
  3. nikunj patel

    nikunj patel Active Member Premium Member

    Messages:
    168
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    96
    #3
    It's not that much critical issue with Static site, for the dynamic site, there is deferent kind of XSS vulnerability, its critical issue if attacker able to inject command ( XSS Command injection )
     
    nikunj patel, Aug 6, 2019 IP
  4. deathshadow

    deathshadow Acclaimed Member

    Messages:
    8,926
    Likes Received:
    1,625
    Best Answers:
    232
    Trophy Points:
    515
    #4
    Regardless of if it's a security issue, you're taking a huge dump on accessibility with that since scripting off, you have no navigation. /FAIL/ at web development. You want <option> that behave like <a>nchors, use a bunch of anchors and then use CSS to mimic the behavior of a dropdown! This type of navigation isn't even JavaScript's flipping JOB!

    
    <div class="anchorSelect">
    	<input type="checkbox" id="anchorSelect_1" hidden>
    	<h2><label for="anchorSelect_1">Select Page</label></h2>
    	<ul>
    		<li><a href="contact-us">Contact Us</a></li>
    		<li><a href="contact-us">Contact Us</a></li>
    		<li><a href="contact-us">Contact Us</a></li>
    		<li><a href="contact-us">Contact Us</a></li>
    		<li><a href="contact-us">Contact Us</a></li>
    		<li><a href="contact-us">Contact Us</a></li>
    		<li><a href="contact-us">Contact Us</a></li>
    	</ul>
    <!-- .anchorSelect --></div>
    
    Code (markup):
    /*
    	Assumes a reset is in use, so all margins/paddings are zero
    */
    .anchorSelect {
    	position:relative;
    	display:inline-block;
    	font:normal 1em/1.5em arial,helvetica,sans-serif;
    }
    
    .anchorSelect h2 {
    	display:inline-block;
    	font:normal 1em/1.5em arial,helvetica,sans-serif;
    }
    
    .anchorSelect h2 label {
    	display:block;
    	background:#FED;
    	padding:0.25em 0.5em;
    	border:1px solid #000;
    }
    
    .anchorSelect h2 label:after {
    	content:"\25BC";
    	padding-left:0.5em;
    }
    
    .anchorSelect ul {
    	box-sizing:border-box;
    	list-style:none;
    	position:absolute;
    	left:-999em;
    	top:2em;
    	min-width:100%;
    }
    
    .anchorSelect input:checked ~ ul {
    	left:0;
    	background:#EEE;
    	border:1px solid #000;
    }
    
    .anchorSelect input:checked + h2 label:before {
    	content:"";
    	position:fixed;
    	top:0;
    	left:0;
    	width:100%;
    	height:100%;
    }
    
    .anchorSelect a {
    	display:block;
    	padding:0.25em 0.5em;
    	text-decoration:none;
    	color:#000;
    }
    
    .anchorSelect a:active,
    .anchorSelect a:focus,
    .anchorSelect a:hover {
    	background:#00C;
    	color:#FFF;
    }
    
    Code (markup):
    No scripting needed, gracefully degrades so the anchors will still work even when CSS isn't available, and you can style it however you like unlike OPTION. The "hidden" attribute making the "abuse" of an INPUT checkbox no longer an accessibility woe.
     
    deathshadow, Aug 6, 2019 IP
  5. qwikad.com

    qwikad.com Illustrious Member Affiliate Manager

    Messages:
    5,853
    Likes Received:
    1,085
    Best Answers:
    22
    Trophy Points:
    400
    #5
    css only dropdowns don't work well on mobiles. They open just fine but can't be closed. I prefer css/checkbox ones. May use yours in some of my projects if you don't mind.
     
    qwikad.com, Aug 6, 2019 IP
  6. deathshadow

    deathshadow Acclaimed Member

    Messages:
    8,926
    Likes Received:
    1,625
    Best Answers:
    232
    Trophy Points:
    515
    #6
    Mine can. Tap either the text that opens it, or anywhere outside the dropdown. :D

    that's what the :before generated content is for. Position:fixed full screen so clicking anywhere outside the absolute positioned UL will close it.

    Was actually one of my biggest complaints, so rather than continuing to complain about it, I did something about it.

    This could also be leveraged so that on small displays it opens as a modal. I've been using that trick more and more with hamburger menus as it seems far more useful to have a styled modal than try to drop-down or insert the content on the page.

    -- edit -- oh wait, you meant ones that rely on just :hover, didn't you? Yeah, those suck in the age of touch interfaces. We can do better!

    Oh, and...

    I don't post code online for it not to be used. :D
     
    Last edited: Aug 6, 2019
    deathshadow, Aug 6, 2019 IP
  7. bountysite

    bountysite Member Premium Member

    Messages:
    42
    Likes Received:
    1
    Best Answers:
    1
    Trophy Points:
    33
    #7
    I know this is a old post. Just for information.

    this.value can be easily manipulated on the client side and can be used to redirect to a malicious site.
    With this code snippet, cant tell precisely. It is possible to generate a link having your website, but clicking can redirect to a malicious site.
    So, imagine a mail asking users to reset password but with a manipulated link. All users who click on the link will get infected.
     
    bountysite, Aug 20, 2019 IP
  8. Ron Peters

    Ron Peters Greenhorn

    Messages:
    36
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    8
    #8
    Your HTML tags on the back-end need to be encoded to mitigate XSS vulnerability. It those tags are already encoded then it's likely a false positive
     
    Ron Peters, Aug 23, 2019 IP