We Keep Coding

Simple DOM open Redirection quesiton

Burp highlights DOM open redirection possible with code below. Could anyone explain if this is feasible? Many thanks!
var url = window.location.href;
url = url.replace(/(\?|\&)user_lang=[A-Za-z]{2}/, "");
window.location.href = url;

Most likely a false positive
Let's have a look at what the code exactly does: First, it reads the current URL, then it applies some Regular Expression to it, and finally it redirects to that URL. Burp recognizes this pattern and flags it as potential vulnerability.
Let's have a closer look at the regular expression: (\?|\&)user_lang=[A-Za-z]{2}
So the first match is either a ? or a &, followed by user_lang=, followed by two letters of either upper- or lower case. Here are some strings this would match to:
&user_lang=FO
?user_lang=sj
?user_lang=Oo
Once a match is found, it is replaced with nothing, and the user is redirected to the resulting URL. Let's look at an example:
https://example.com/?user_lang=ENsome/kind/of/url would rresult in a redirect to https://example.com/some/kind/of/url
This should generally not be a problem, as redirects to a different domain are not a problem using this method.

Backslash in endpoint

I need to consume an endpoint from SoapUI which contains a backslash like:
mydomain/myservice/{id_resource}
and the assignment:
id_resource = numbers\numbers
The problem here is that when I executed the request, the consumed url is mydomain/myservice/numbers%40%5Cnumbers, and if I check the option of disabling the URL-encoding, it ignores the backslash () between the numbers of the id_resource, going to an url like mydomain/myservice/numbersnumbers.
I've tried to scape the character with another backslash, like java or other languages, but it doesn´t work.
It works fine if I consume the service with postman, so it is not a problem of the logic consumed.
So, is it possible to consume an url containing a backslash from SoapUI?

There is an option to disable URL encoding for the selected parameter which would assist with this.
https://www.soapui.org/rest-testing/reference/method-window.html

Wrong NSURLQueryItem percentage encoding for Google CSE

I'm writing app using Google custom search engine.
I received my search engine ID XXXXXXXX219143826571:7h9XXXXXXX (most interesting part bold).
Now I'm trying to use NSURLQueryItem to embed my ID into URL by using:
let params = ["cx" : engineID,...]
...
components.queryItems = parameters.map {
NSURLQueryItem(name: String($0), value: String($1))
}
It should percentage escape item to XXXXXXXX219143826571%3A7h9XXXXXXX (This value I'm getting when using Google APIs explorer while testing, it shows url dress that was used). It is not doing it. I'm getting url without escaping, no changes. If I use escaped string as engine ID in this mapping, I'm getting escaped string XXXXXXXX219143826571%253A7h9XXXXXXX (additional '25' is added to query).
Can someone tell me how to fix it? I don't want to use String and then convert it to URL by NSURL(string: str)!. It is not elegant.
Edit:
I'm using app Info.plist to save ID and I retrieve it by calling:
String(NSBundle.mainBundle().objectForInfoDictionaryKey("ApiKey")!)

Colons are allows in the query part of a URL string. There should be no need to escape them.
Strictly speaking, the only things that absolutely have to be encoded in that part of a URL are ampersands, hash marks (#), and (assuming you're doing a GET query with form encoding) equals signs. However, question marks in theory may cause problems, slashes are technically not allowed (but work just fine), and semicolons are technically allowed (but again, work in practice).
Colons, AFAIK, only have special meaning in the context of paths (if the OS treats it as a path separator) and in that it separates the scheme (protocol) from the rest of the URL.
So don't worry about the colon being unencoded unless the Google API barfs for some reason.

How to build a Uri in Spray?

I would like to make a simple GET request via Spray with a few query parameters
Get("http://localhost/user?email=abc+a#abc.com")
However + means a space in application/x-www-form-urlencoded content resulting the call to http://localhost/user?email=abc a#abc.com (with a space instead of plus sign).
I could use a non-Spray java.net.URLEncoder to encode the URL before passing it to the GET request however I doing this every time seems like a hack.
Is there a Spray way of applying query parameters and encoding them?
Uri("http://localhost/").withQuery(Map("email"->"abc+a#abc.com")) is a nice way to construct a Uri but it doesn't encode the params as well...

Actually Uri("http://localhost/").withQuery(Map("email"->"abc+a#abc.com")) works fine as it encodes the special symbols.
However, Uri("http://localhost/").withQuery("email=abc+a#abc.com") doesn't.

I use java.net.URLEncoder. I believe that is the accepted method.
It would be nice if that happened automatically!

Perl::Dancer how to include a file path as a parameter in the URI

I'm new to the Dancer framework and web apps in general. I have a Dancer project in which I have a route that accepts multiple parameters. So far, no sweat. However, if one of the parameters has a file path as its value then the route is not found.
I have tried encoding the parameter string as follows to eliminate the forward slashes:
$paramString =~ s/\//%2F/g;
and this does encode the slashes as expected (I print it out in the log to make sure).
However, after the parameter string is appended to the base URI for the route I'm interested in, the URI shows up in the browser in unencoded form, a 404 error is raised and the log says that the unencoded route can't be found.
I looked into the Request.pm module and found that in the init method a private method called _url_decode is called which removes the encoding. Is there a way to disable this when it is not desired?
I also tried using the uri_for method to create the URI. In this case, the encoded URI does show up in the browser, however, the route is still not found and the log indicates that the unencoded form (with the forward slashes) is being used to search for the route
Trying to match 'GET /exome_proj_config/project_type=exome&project_root=/usr/local/projects/users/pdagosto/projects&analysis_project_name=Test' against /^\/exome_proj_config\/([^\/]+)$/ (generated from '/exome_proj_config/:project_type:project_root:analysis_project_name') in /home/pdagosto/perl5/lib/perl5/Dancer/Route.pm l. 84 here
Since the regex used for the match is clearly looking for a string without any forward slashes following the one at the end of the base URI it's clear that the route will never be found.
Is there a way to have a URI parameter that contains a path or must some other approach be used?

It is possible to have a URI with a file path or slashes in the parameter provided that the parameter is part of the query string rather than the path. (See http://en.wikipedia.org/wiki/Uniform_resource_locator.)
For example see this Dancer script:
use strict;
use warnings;
use Dancer;
get '/file/action/:action' => sub {
my $filename = param('filename');
my $action = param('action');
return "Filename is $filename and action is $action";
};
dance;
If you put this string into the browser
http://localhost:3000/file/action/delete?filename=/folder/filename.txt
then you should expect to see this:
Filename is /folder/filename.txt and action is delete
In your question the URL you show uses the & character to separate parameters but it looks like you need a ? character first to separate the query string from the path. It is unclear from your question how you are creating your requests - but provided you can put the filename in the query string part of the URL then the approach above should work.