Reputation: 11
Can using the HREF with jQuery be vulnerable to XSS?
Burp suite showing error.
The application may be vulnerable to DOM-based cross-site scripting. Data is read from location and passed to jQuery() via the following statement: here location is javascript location object containing current address hash jQuery(location).attr('href').split("//")[1]; is the above code vulnerable to cross site scripting?
It is used in the following code
var address = jQuery(location).attr('href').split('//')[1];
subdomain = address.split('.')[0];
this.href = this.href.replace(subdomain, 'www');
window.location = this.href;
Upvotes: 1
Views: 2957
Answers (1)
Reputation: 20944
Seems to be a false positive error. Others have had similar expierences.
A person from the Burp suite Support Center said the following:
The code is very close to being exploitable. If it was:
$(location).attr(‘href’, ‘’ + var1 + ’/’);And var1 could be controlled by an attacker, they could inject “javascript:alert(document.domain)” and that would be executed. However, prepending the slash will prevent this.
Our static analysis is likely to produce false positives on similar patterns, as we don’t attempt to do string analysis.
So as long as you don't allow variables into your href attribute then you'll be fine. In this case you only seem to read the href attribute value.
Upvotes: 2
Related Questions
- Is it possible to perform a XSS attack using jQuery's .attr("href", value) method for <a> tags?
- Can a link pointing to a URL starting with javascript:// execute any code?
- JavaScript to a href troubles
- Using JQuery within an HREF link
- Preventing XSS when using .attr('href', url) in jQuery
- href security, prevent xss attack
- Using jQuery inside of an href tag
- Using jQuery with a href
- using href in jquery script
- It is wrong or a bad practice to use "javascript://" as links to prevent action?