javascript.browser.security.open-redirect.js-open-redirect

The application accepts potentially user-controlled input $PROP
which can control the location of the current window context. This can lead to two types of vulnerabilities: open redirection and Cross-Site Scripting (XSS) via JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.
Definition
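# Semgrep taint rule: a query-string / fragment value read from the page URL
# (source) flows, unmodified, into a navigation of the current window (sink).
# Sources and sinks are listed below; a hard-coded literal prefix at the sink
# is treated as sufficient to pin the destination and is excluded.
rules:
  - id: js-open-redirect
    message: >-
      The application accepts potentially user-controlled input `$PROP` which
      can control the location of the current window context. This can lead to two
      types of vulnerabilities: open redirection and Cross-Site Scripting
      (XSS) via JavaScript URIs. It is recommended to validate
      user-controllable input before allowing it to control the redirection.
    metadata:
      interfile: true
      cwe:
        - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
      owasp:
        - A01:2021 - Broken Access Control
      asvs:
        section: V5 Validation, Sanitization and Encoding
        control_id: 5.5.1 Insecure Redirect
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation
        version: "4"
      category: security
      confidence: HIGH
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
      technology:
        - browser
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
    languages:
      - javascript
      - typescript
    severity: WARNING
    mode: taint
    # Sources: values derived from the current document's URL. Four shapes are
    # covered: a parameter read inline, a retained URLSearchParams object that is
    # .get()-ed later, a retained URL object whose .searchParams is read later,
    # and a parameter read inline through URL(...).searchParams.
    # `$WINDOW. ... .location` also matches `window.location`, `this.window.location`, etc.
    pattern-sources:
      # Shape 1: $PROP = new URLSearchParams(<query or fragment>).get('...')
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  $PROP = new URLSearchParams($WINDOW. ... .location.search).get('...')
                  ...
              - pattern-inside: |
                  $PROP = new URLSearchParams(location.search).get('...')
                  ...
              - pattern-inside: |
                  $PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...')
                  ...
              - pattern-inside: |
                  $PROP = new URLSearchParams(location.hash.substring(1)).get('...')
                  ...
          - pattern: $PROP
      # Shape 2: $PROPS = new URLSearchParams(<query or fragment>); later $PROPS.get('...')
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  $PROPS = new URLSearchParams($WINDOW. ... .location.search)
                  ...
              - pattern-inside: |
                  $PROPS = new URLSearchParams(location.search)
                  ...
              - pattern-inside: |
                  $PROPS = new URLSearchParams($WINDOW. ... .location.hash.substring(1))
                  ...
              - pattern-inside: |
                  $PROPS = new URLSearchParams(location.hash.substring(1))
                  ...
          - pattern: $PROPS.get('...')
      # Shape 3: $PROPS = new URL(<href>); later $PROPS.searchParams.get('...')
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  $PROPS = new URL($WINDOW. ... .location.href)
                  ...
              - pattern-inside: |
                  $PROPS = new URL(location.href)
                  ...
          - pattern: $PROPS.searchParams.get('...')
      # Shape 4: $PROPS = new URL(<href>).searchParams.get('...')
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  $PROPS = new URL($WINDOW. ... .location.href).searchParams.get('...')
                  ...
              - pattern-inside: |
                  $PROPS = new URL(location.href).searchParams.get('...')
                  ...
          - pattern: $PROPS
    # Sinks: anything that navigates the current window. Only the navigation
    # target ($SINK) is the tainted position.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: location.href = $SINK
              - pattern: $THIS. ... .location.href = $SINK
              - pattern: location.replace($SINK)
              - pattern: $THIS. ... .location.replace($SINK)
              # location.assign() navigates exactly like `location.href = ...`.
              - pattern: location.assign($SINK)
              - pattern: $THIS. ... .location.assign($SINK)
              - pattern: location = $SINK
              - pattern: $WINDOW. ... .location = $SINK
          - focus-metavariable: $SINK
          # A target that starts with a string literal (concatenation or template
          # prefix) is assumed to pin the origin and is not reported. The literal's
          # content is not inspected: `"..."` also matches an empty string, so
          # `"" + $VALUE` is excluded as well; narrow with metavariable-regex if
          # that matters for a codebase.
          - metavariable-pattern:
              metavariable: $SINK
              patterns:
                - pattern-not: |
                    "..." + $VALUE
                - pattern-not: |
                    `...${$VALUE}`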
Examples
open-redirect.js
// Fixture for the js-open-redirect rule. Every value below is derived from the
// current page's URL (query string or full href), which the rule treats as
// attacker-controlled; each one is later used as a navigation target in test1.
// Parameter read inline from the query string.
var hi = new URLSearchParams(window.location.search).get('gamer')
// The URLSearchParams object is kept; .get() is called at the sink instead.
var hi1 = new URLSearchParams(window.location.search)
// URL object built from the full href; .searchParams.get() is called at the sink.
var hi2 = new URL(window.location.href)
// Parameter read inline through URL(...).searchParams, via the bare `location` global.
var hi3 = new URL(location.href).searchParams.get('gamer');
/**
 * Positive cases: each assignment navigates the window to a value that came
 * straight from the page URL with no validation. The `//ruleid:` marker on the
 * preceding line records that the rule is expected to report the next statement.
 * `userInput` is not used in this function.
 */
function test1(userInput) {
  //ruleid:js-open-redirect
  location.href = hi;
  //ruleid:js-open-redirect
  location.href = hi1.get('gamer');
  //ruleid:js-open-redirect
  location.href = hi2.searchParams.get('gamer');
  //ruleid:js-open-redirect
  location.href = hi3;
}
/**
 * Negative cases: the navigation target starts with a hard-coded string
 * (template-literal prefix or literal + value), which the rule's sink-side
 * `pattern-not` clauses exclude, so the `// ok:` marker records that no finding
 * is expected. The rule only checks for the presence of a literal prefix; it
 * does not inspect what the prefix contains.
 */
function test4(userInput) {
  // ok:js-open-redirect
  location.href = `https://www.hardcoded.place/${userInput}`
  // ok:js-open-redirect
  location.href = "https://www.hardcoded.place/" + userInput;
}