
If somebody can edit $("#field").val(), can they change the url property here to point to another location?

$.ajax({
  url: "http://mywebsite/script?param=" + $("#field").val(),
  dataType: "jsonp",
  success: function(response) {
      document.write(/*fields from response object*/);
  },
 });

If they can, then my page is XSS-vulnerable, since the malicious location could return script tags in the response object. I want to know if any value of field could be used to change the AJAX URL.

Update

My apologies, I have updated the question. The value is actually contained in a JavaScript variable and is not directly written by PHP (otherwise there are obviously XSS issues). Sorry.

Kevin

1 Answer


Yes, it is vulnerable, but not in the way you suspect. The attacker would not try to modify the loaded URL, but to execute the code directly. For example:

$_GET['fname'] = '"+(function(){/*any_code_i_like*/})()+"';

will become:

$.ajax({
   url: "http://mywebsite/script?param="+(function(){/*any_code_i_like*/})()+""

and the code will execute even before requesting the URL with AJAX. It's just an example; there are other vectors that would work here too. The simplest way to escape the parameter to prevent XSS in this context would be to use urlencode() in PHP, like this:

$.ajax({
  url: "http://mywebsite/script?param=<?php echo urlencode($_GET["fname"]); ?>",
  dataType: "jsonp",
  success: function(response) {
      document.write(/*fields from response object*/);
  },
});

Also, take a look at the OWASP XSS Prevention Cheat Sheet.

Update: After you updated the question: there is no XSS vulnerability here (you can't, e.g., point the request to another domain), but the example is vulnerable to a different beast, HTTP parameter pollution. It might not matter in this exact case, but imagine that the given parameter is:

a_valid_value&param=another_param_injected

The attacker is able to inject additional HTTP GET parameters which might be important for your application and might change the execution flow (e.g. the parameter admin=1). You should get into the habit of escaping/encoding everything coming from user input. In this modified case you should use the JavaScript encodeURIComponent function, which prevents the attacker from injecting '&', '=' and '?':

"http://mywebsite/script?param=" + encodeURIComponent($("#field").val()),
Krzysztof Kotowicz
  • Hi, thanks for answering my question. I actually realised that the input is not directly added by php, see update. – Kevin Jan 19 '12 at 21:57
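An added example (not code from the question or the answer above) that makes the parameter pollution point concrete: it builds the request URL both ways, then parses the query string the way a server would, so the duplicate `param` and the injected `admin` key are visible without encodeURIComponent and absent with it. The helper names buildUrlUnsafe, buildUrlSafe and paramsOf are chosen here and are not jQuery APIs; the attacker-style input is constructed from the answer's own example.

```javascript
// Added example, not from the original page. No jQuery needed: we only
// reproduce the string concatenation from the question and the fix from
// the answer, then inspect the resulting query string.
const BASE = "http://mywebsite/script?param=";

// Unsafe: the raw field value is concatenated into the URL, as in the question.
function buildUrlUnsafe(fieldValue) {
  return BASE + fieldValue;
}

// Safe: the answer's fix. encodeURIComponent percent-encodes '&', '=', '?'
// (and more), so the whole value stays inside the single 'param' parameter.
function buildUrlSafe(fieldValue) {
  return BASE + encodeURIComponent(fieldValue);
}

// Parse the query string the way a server-side framework would see it:
// parameter name -> list of values. Duplicates are kept on purpose, because
// a repeated name is exactly the symptom of HTTP parameter pollution.
function paramsOf(url) {
  const out = {};
  for (const [name, value] of new URL(url).searchParams) {
    (out[name] = out[name] || []).push(value);
  }
  return out;
}

// Constructed input, based on the answer's example: a valid value followed by
// a second 'param' and an extra 'admin=1' the application never expected.
const polluted = "a_valid_value&param=another_param_injected&admin=1";

const unsafe = paramsOf(buildUrlUnsafe(polluted));
// unsafe.param -> ["a_valid_value", "another_param_injected"]
// unsafe.admin -> ["1"]   (injected parameter reached the server)

const safe = paramsOf(buildUrlSafe(polluted));
// safe.param  -> ["a_valid_value&param=another_param_injected&admin=1"]
// safe.admin  -> undefined (nothing escaped the single parameter)
```

On the server side, rejecting requests whose query string repeats a parameter name (the condition paramsOf exposes) is a cheap detection for this class of tampering.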