Burp highlights DOM open redirection possible with code below. Could anyone explain if this is feasible? Many thanks!
var url = window.location.href;
url = url.replace(/(\?|\&)user_lang=[A-Za-z]{2}/, "");
window.location.href = url;
Most likely a false positive
Let's have a look at what the code exactly does: First, it reads the current URL, then it applies some Regular Expression to it, and finally it redirects to that URL. Burp recognizes this pattern and flags it as potential vulnerability.
Let's have a closer look at the regular expression: (\?|\&)user_lang=[A-Za-z]{2}
So the first match is either a ? or a &, followed by user_lang=, followed by two letters of either upper- or lower case. Here are some strings this would match to:
&user_lang=FO
?user_lang=sj
?user_lang=Oo
Once a match is found, it is replaced with nothing, and the user is redirected to the resulting URL. Let's look at an example:
https://example.com/?user_lang=ENsome/kind/of/url would rresult in a redirect to https://example.com/some/kind/of/url
This should generally not be a problem, as redirects to a different domain are not a problem using this method.
Related
I have the following route
$r->get('/select_folder/:mail')->to('mail#change_folder');
It works well almost every time but when the route contains the %2f sequence of characters, equivalent to / it works as if %2f is a path separatator instead of a escaped sequence.
This is an example input:
http://127.0.0.1:5000/select_folder/%5bGmail%5d%2fDestacados
This is part of the error:
None of these routes could generate a response for your GET request for /select_folder/[Gmail]/Destacados, maybe you need to add a new one?
I would like to know some way to get a parameter like this as an url part without using GET or POST parameters.
You can use wildcard placeholders to allow / to be part of the matched parameter.
$r->get('/select_folder/*mail')->to('mail#change_folder');
The reason why %2F is interpreted as a / is because the URL is decoded before being applied to routing.
Finally I have discovered how to use regular expressions to solve the problem.
$r->get('/select_folder/:folder'=>[folder=>qr/.*/])->to('mail#change_folder');
I made :folder match any character, now it is working.
I'm writing app using Google custom search engine.
I received my search engine ID XXXXXXXX219143826571:7h9XXXXXXX (most interesting part bold).
Now I'm trying to use NSURLQueryItem to embed my ID into URL by using:
let params = ["cx" : engineID,...]
...
components.queryItems = parameters.map {
NSURLQueryItem(name: String($0), value: String($1))
}
It should percentage escape item to XXXXXXXX219143826571%3A7h9XXXXXXX (This value I'm getting when using Google APIs explorer while testing, it shows url dress that was used). It is not doing it. I'm getting url without escaping, no changes. If I use escaped string as engine ID in this mapping, I'm getting escaped string XXXXXXXX219143826571%253A7h9XXXXXXX (additional '25' is added to query).
Can someone tell me how to fix it? I don't want to use String and then convert it to URL by NSURL(string: str)!. It is not elegant.
Edit:
I'm using app Info.plist to save ID and I retrieve it by calling:
String(NSBundle.mainBundle().objectForInfoDictionaryKey("ApiKey")!)
Colons are allows in the query part of a URL string. There should be no need to escape them.
Strictly speaking, the only things that absolutely have to be encoded in that part of a URL are ampersands, hash marks (#), and (assuming you're doing a GET query with form encoding) equals signs. However, question marks in theory may cause problems, slashes are technically not allowed (but work just fine), and semicolons are technically allowed (but again, work in practice).
Colons, AFAIK, only have special meaning in the context of paths (if the OS treats it as a path separator) and in that it separates the scheme (protocol) from the rest of the URL.
So don't worry about the colon being unencoded unless the Google API barfs for some reason.
I'm trying to make an auto response for a website, let me take an exemple
Website : http://mywebsite.com/1.0/?appID=blah_blah&appVersion=RandomNumber&getAppicationSettings=blah_blah
I'd like that Fiddler match the autoresponse after, for exemple, "appVersion=" I've tried to put "REGEX:http://mywebsite.com/1.0/?appID=blah_blah&appVersion=.*" but it doesn't work.
I don't know if you know what I mean, I have trouble to explain it. :(
Thanks for the reply.
The simplest thing would be to just change the rule to
http://mywebsite.com/1.0/?appID=blah_blah&appVersion=
If you need to use a regular expression, the expression needs to be valid, with escaping of characters that have a meaning in regular expressions. E.g. more like:
REGEX:mywebsite\.com\/1\.0\/\?appID=blah_blah&appVersion=[\d]+&getAppicationSettings=blah_blah
i have a url similar to this
http://one/two/three:four&five=six|seven
also i have
Zend_Uri_Http::setConfig(array('allow_unwise' => true));
in order to be able to use "|". when i try to use
Zend_Http_Client::setUri()
on my url, i get
Zend_Uri_Exception: Invalid URI supplied
when i hit the url from the browser, it works. how to avoid this problem. any ideas are welcome
The URL will be valid if you change it to:
http://one/two/three:four?five=six|seven
What is supposed to be the query string in that URI? You have to separate the query string from the path by ? before you can use & to separate arguments.
so it turns out i had a rewrite rule, defined in my httpd-vhosts.conf file, which created valid url after my invalid url was hit. since i needed to hit the url from within the zend framework phpunit test, i applied rewrite rule manually and got the correct url
moral of the story, put all the relevant info into your question, or else, nobody will be able to help you out
I'm pretty new to Lift, and one of the things I've been trying to find is how to, in the context of a snippet, find the '#' in the current page's URL. So if a user visits http://www.example.com/some/path/page#stuff then I would like to extract "stuff" from that. I've been googling and searching the API docs and have yet to find anything for this.
I don't think the part behind the # ever gets sent to the server in the first place.
That's what wikipedia has to say about it:
In URIs a hashmark # introduces the
optional fragment near the end of the
URL. The generic RFC 3986 syntax for
URIs also allows an optional query
part introduced by a question mark ?.
In URIs with a query and a fragment
the fragment follows the query. Query
parts depend on the URI scheme and are
evaluated by the server — e.g., http:
supports queries unlike ftp:.
Fragments depend on the document MIME
type and are evaluated by the client
(Web-browser). Clients are not
supposed to send URI-fragments to
servers when they retrieve a document,
and without help from a local
application (see below) fragments do
not participate in HTTP redirections.
I don't think the part behind the #
ever gets sent to the server in the
first place.
You are correct, sir. That is the entire point of the hash.
Dylan, you could do something from the Javascript side:
$.ajax( { data : { fragment : window.location.hash ...