Is the javascript in url executable?

320    Asked by GillianHamer in Java , Asked on Oct 11, 2022

 I am learning about "Session fixation" and have read the corresponding OWASP page.


In their Example 2 in the above page, they describe an attack via JavaScript, that is embedded in the URL like:


http://website.kom/[removed][removed]=”sessionid=abcd”;[removed]

I tried this with an embedded [removed]alert("XSS!!");[removed], but as expected, it did not work.


Is there ANY way an URL can run embedded JavaScript?


Note: This question is somewhat similar to Execute reflected XSS in URL, but I am talking about scripts in the URL, not from a HTTP header.


Answered by Jonathan Skinner

A URL cannot run anything. A javascript in URL is just a string. How an URL can be used or abused depends on the context and application where it is used.


Your specific case is about an XSS vulnerability in the web application where parts of the URL were embedded in the HTML page in a context which triggered the execution. Without such vulnerability no execution would happen.



Your Answer

Online Course

Tutorials

Salesforce Tutorial

Software Testing Tutorial

SQL Tutorial

Business Analyst Tutorial

Devops Tutorial

Data Science Tutorial

AWS Tutorial

Hadoop Tutorial

SSRS Tutorial

AWS S3 Tutorial

Functional Testing Tutorial

SSAS Tutorial

Automation Testing Tutorial

Manual Testing Tutorial

Selenium Tutorial

Kubernetes Tutorial

Scala Tutorial

ETL Testing Tutorial

Python Tutorial

Pyspark Tutorial

R Tutorial

Unit Testing Tutorial

API Testing Tutorial

Puppet Tutorial

Integration Testing Tutorial

Chef Tutorial

Jenkins Tutorial

Ansible Tutorial

Vagrant Tutorial

Docker Tutorial

Interviews

Parent Categories

Copyright | JanBaskTraining.com