-2

I am learning about "Session fixation" and have read the corresponding OWASP page.

In Example 2 on that page, they describe an attack via JavaScript that is embedded in the URL, like:

http://website.kom/<script>document.cookie=”sessionid=abcd”;</script>

I tried this with an embedded <script>alert("XSS!!");</script>, but as expected, it did not work.

Is there ANY way a URL can run embedded JavaScript?

Note: This question is somewhat similar to Execute reflected XSS in URL, but I am talking about scripts in the URL, not from an HTTP header.

Anders
Marcel
  • 4
    It seems that you misunderstand the concept of XSS. If you put a payload in the URL and the URL, or part of it, gets reflected in the page without any sanitization then yes, the JavaScript will execute. This attack is known as reflected XSS, not session fixation; the OWASP example is confusing because it mixes these 2 different attacks! In it, they are using a reflected XSS vulnerability to perform a session fixation. A session fixation can exist without the need to be combined with an XSS (and will mostly always do) – Xavier59 Nov 28 '19 at 14:47
  • Yes, it can contain executable code (of any kind, including JavaScript) since a URL is plain string data. No, it won't magically execute it since a URL (like any other data stream) needs an interpreter to "do" stuff. – Xenos Nov 29 '19 at 15:45

3 Answers

5

Is there ANY way a URL can run embedded JavaScript?

A URL cannot run anything. A URL is just a string. How a URL can be used or abused depends on the context and application where it is used.

Your specific case is about an XSS vulnerability in the web application where parts of the URL were embedded in the HTML page in a context which triggered the execution. Without such a vulnerability no execution would happen.

Anders
Steffen Ullrich
  • And the application it's used in often depends on the URL scheme (i.e. the `javascript` pseudo-protocol will be directly interpreted by the browser, and one might create a `js://` scheme and bind it in its OS to a JavaScript interpreter) – Xenos Nov 29 '19 at 15:44
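
The reflection described in this answer, as an added example that is not part of the original posts: a hypothetical "page not found" handler that echoes the request path into its HTML, next to the same handler with output escaping. The function names and the sample path (the question's `alert` test string, percent-encoded) are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: the test string from the question, percent-encoded
# the way a browser sends it in the path of a request.
SAMPLE_PATH = "/%3Cscript%3Ealert(%22XSS!!%22);%3C/script%3E"

PAGE = "<html><body><h1>404</h1><p>No such page: {}</p></body></html>"


def not_found_vulnerable(raw_path: str) -> str:
    """Hypothetical handler with the flaw: decoded path copied into HTML as-is."""
    return PAGE.format(unquote(raw_path))


def not_found_escaped(raw_path: str) -> str:
    """Same handler, but the path is HTML-escaped before it reaches the page."""
    return PAGE.format(html.escape(unquote(raw_path), quote=True))


class _ScriptFinder(HTMLParser):
    """Records whether the parsed document contains a <script> element."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found = True


def contains_script_element(page: str) -> bool:
    """True if an HTML parser sees a script element, i.e. the URL text became markup."""
    finder = _ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for handler in (not_found_vulnerable, not_found_escaped):
        page = handler(SAMPLE_PATH)
        print(handler.__name__, "-> script element:", contains_script_element(page))
```

A server that never copies the path into its response behaves like the escaped handler from the browser's point of view: the URL stays a string and nothing interprets it.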
0

A URL (Uniform Resource Locator) in general is composed of the destination host and the URI (Uniform Resource Identifier). The URI can contain whatever: a string with / delimiters, a base64 encoding, a binary exploit, SQL injections, and so on. The URI processing depends on the implementation of the server. Having said this, in general web servers process the URI in a specific format with the / delimiters and with the character ? for parameters, and probably more options.

camp0
-1

Not that I know of, but there are vulnerabilities in URL parsing, for example uXSS CVE-2018-6128.

Basically, on Chrome on iOS you could change the URL state with JS and the browser domain origin check didn't work anymore, so you could XSS any bank or website through that.

Jonathan