3

I was just looking at Dom based xss and wondering if hash value is written to a variable in javascript context can lead to Cross site scripting. The code looks something like this:

<script>
var myhash=window.location.hash;
</script>

Is the above code vulnerable to xss?

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
Sanchit Sharma
  • 331
  • 4
  • 9
  • No, it’s not. You should take a close look at how the typical exploit works and how an injected script can actually be executed. – Ry- Jun 22 '15 at 05:53
  • 1
    Currently no, but it depends on what happens to myhash. If you run it through an eval() or so it might be. – ndrix Jun 22 '15 at 06:04
  • @m1ke or even a simple "`document.write()`", or any element.append, or or or... – AviD Jun 22 '15 at 09:06

1 Answers1

2

XSS only happens when data is output.

In your code sample you are setting the variable myhash to the hash value in the address bar. As your code doesn't contain any sinks and your variable is not output, the above code, in isolation, is not vulnerable.

However, to check for XSS vulnerabilities you need to focus on output to your application rather than input. Here application encompasses both the server-side and client-side.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178