Duplicate of: What common web exploits should I know about?

This is a security question.

What should I look for in URL that prevents hacking?

Is there a way to execute javascript by passing it inside a URL?

As you can see I'm pretty new to this concept.

Any good posts on this stuff?

+3  A: 

I don't believe you can hack via the URL. Someone could try to inject code into your application if you are passing parameters (either GET or POST) into your app so your avoidance is going to be very similar to what you'd do for a local application.

Make sure you aren't adding parameters to SQL or other script executions that were passed into the code from the browser without making sure the strings don't contain any script language. Search the net for details about injection attacks for the development platform you are working with; that should yield lots of good advice and examples.

Lazarus
A: 

It depends on your application and its use as to the level of security you need.

In terms of security, you should be validating all values you get from the querystring or post parameters, to ensure they're valid.

You may also wish to add logging for others, including analysis of weblogs so you can determine if an attempt to hack your system is occurring.

I don't believe it's possible to inject javascript into a URL and have this run, unless your application is using parameters without validating them first.

Bravax
A: 

The key to this is examining any information you receive and then display and/or use in code on the server. Get/Post form variables, if they contain javascript that you store and later redisplay, are a security risk. As is anything that gets concatenated unexamined into a sql statement you run.

One potential gotcha to watch for are attacks that mess with the character encoding. For instance, if I submit a form with utf-8 character set but you store and later display in iso-8859-1 latin with no translation, then I might be able to sneak something past your validator. The easiest way to handle this is to always display and store in the same character set. utf-8 is usually a good choice. Never depend on the browser to do the right thing for you in this case. Set explicit character sets and examine the character sets you receive and do a translation to the expected storage set before you validate it.

Jeremy Wall
A: 

Javascript in URL will not be executed, on its own. That in no way means it's safe or to be trusted.

A URL is another user input not to be trusted; GET or POST (or any other method for that matter) can cause a lot of severe vulnerabilities.

A common example was/is the use of the PHP_SELF, REQUEST_URI, SCRIPT_NAME and similar variables. Developers would mistakenly echo them directly to the browser which led to the script being injected into the page and executed.

I would suggest you start to do a lot of reading; these are some good places to start:

OWASP

XSS Cheat Sheet

XSS Prevention Cheat Sheet

Also google around for XSS (cross site scripting), XSRF (Cross Site Request Forgery), and SQL Injection. That will get you started, but it is a lot of information to absorb so take your time. It will be worth it in the long run.

Gerry
A: 

If the link has javascript:, then it will run javascript, otherwise, I agree with everyone else here, there's no way to do it.

SO is smart enough to filter this out!

altCognito
Note that the link was there :)
altCognito
A: 

Javascript can be executed against the current page just by putting it in the URL address, e.g.

javascript:;alert(window.document.body.innerHTML);
javascript:;alert(window.document.body.childNodes[0].innerHTML);
ck
this javascript will execute if it's the only thing in the address bar. can it be executed if it's appended to a url? like www.google.com/?javascript:;alert(window.document.body.innerHTML); it doesn't look like it can be executed when appended to a url. Or can it?
dev.e.loper
A: 

type Javascript:(code here);

A: 

but how to add it to the url? like www.google.com/?javascript:(code here); so the javascript code will run when you're on the website

raf
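As an added example (not code from any of the answers above), this puts the pattern Gerry describes (a PHP_SELF-style request path echoed unencoded into a form action) next to the encoded version, and adds the scheme check that the javascript: URL discussion at the end calls for when a link target comes from user input. The hostile inputs and the base origin example.invalid are constructed for the demo; it runs under Node.js.

```javascript
// Constructed hostile inputs for the demo (not taken from the thread).
const SAMPLE_PATH = '/page.php/"><script>alert(1)</script>';
const SAMPLE_QUERY = "?next=javascript:alert(document.cookie)";

// Minimal HTML entity encoder, safe for text and quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The anti-pattern: the request path is concatenated straight into HTML,
// so a crafted path closes the attribute and injects a script element.
function vulnerableForm(requestPath) {
  return `<form action="${requestPath}"><input name="q"></form>`;
}

// The fix: encode for the attribute context before emitting.
function safeForm(requestPath) {
  return `<form action="${escapeHtml(requestPath)}"><input name="q"></form>`;
}

// A link target built from user input is only accepted with an http(s)
// scheme; javascript:, data:, vbscript: and unparsable values fall back
// to "/". The WHATWG URL parser lowercases the scheme and strips tabs,
// newlines and leading whitespace, so case and whitespace tricks do not
// slip through. Relative paths resolve against the placeholder origin.
function safeHref(candidate) {
  try {
    const u = new URL(candidate, "https://example.invalid/");
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : "/";
  } catch {
    return "/";
  }
}

// Builds a "continue" link from a ?next= parameter with both defenses applied.
function redirectLink(queryString) {
  const next = new URLSearchParams(queryString).get("next") ?? "/";
  return `<a href="${escapeHtml(safeHref(next))}">continue</a>`;
}

console.log(vulnerableForm(SAMPLE_PATH)); // contains a live <script> element
console.log(safeForm(SAMPLE_PATH));       // script text is inert entities
console.log(redirectLink(SAMPLE_QUERY));  // javascript: target replaced by "/"
```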