Saturday, May 28, 2011

Client side XSS: document.write(location.href)

Is this safe?
(C) www.oracle.com


if (USER.guid) {
    document.write('Welcome ' + USER.firstname + ' ( <a class=profile href=https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=' + location.href + '\>' + 'Account' + '<\/a> | <a class=profile href=/us/corporate/contact/about-your-account-070507.html>' + 'Help' + '<\/a> | <a class=profile href=javascript:sso_sign_out();>' + 'Sign Out' + '<\/a> )');
}
else {
    document.write('<span class=profile>( ' + ' <a href=http://www.oracle.com/webapps/redirect/signon?nexturl=' + location.href + '>Sign In/Register for Account</a> ' + ' <span style=color: rgb(0, 0, 0)>|</span> ' + '<a href=/us/corporate/contact/about-your-account-070507.html>Help</a>' + ' )</span>');
}

UPDATE: 16.6.2011
Somehow they decided to fix it? Based on this article? I don't believe so; if yes, please next time give some credit in a comment ;-)


if (USER.guid) {
    document.write('Welcome ' + USER.firstname + ' ( <a class=profile href=https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=' + encodeURI(location.href) + '\>' + 'Account' + '<\/a> | <a class=profile href=/us/corporate/contact/about-your-account-070507.html>' + 'Help' + '<\/a> | <a class=profile href=javascript:sso_sign_out();>' + 'Sign Out' + '<\/a> )');
}
else {
    document.write('<span class=profile>( ' + ' <a href=http://www.oracle.com/webapps/redirect/signon?nexturl=' + encodeURI(location.href) + '>Sign In/Register for Account</a> ' + ' <span style=color: rgb(0, 0, 0)>|</span> ' + '<a href=/us/corporate/contact/about-your-account-070507.html>Help</a>' + ' )</span>');
}

Any ideas now?
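The two snippets above differ only in wrapping location.href in encodeURI, and the link is still written as an unquoted attribute through document.write. As an added example (not code from the original post and not oracle.com's own script), the following builds the same "Account" link the way a defender would: the page URL is treated as a URL component (encodeURIComponent, not encodeURI, so that '&', '#', '=' and '?' inside it cannot spill into extra parameters of the outer URL), the result is HTML-escaped, and the attribute is double-quoted, because encodeURIComponent still leaves the apostrophe raw. The profile URL is the one from the post; the sample location.href values are constructed, and the helper names are mine.

```javascript
// Added example, not code from the original post or from oracle.com.
// Produces the link markup as a string so it runs in Node as well as in
// a browser; in a page, prefer createElement/setAttribute over
// document.write, but the encoding rules are the same either way.

// Escape the five characters that can terminate or alter an HTML
// attribute value or text node.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Profile URL taken from the post; the current page goes into nextURL.
const PROFILE_BASE =
  'https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=';

// Build the profile link for a given location.href.
// 1. encodeURIComponent: the page URL is a query parameter value, so
//    every reserved character in it (including '&', '#', '?', '=',
//    '<', '>', '"' and whitespace) is percent-encoded.
// 2. escapeHtml + double quotes: the apostrophe survives step 1, and an
//    attribute must be quoted so that only '"' could end it, which
//    escapeHtml turns into &quot;.
function buildAccountLink(currentHref) {
  const target = PROFILE_BASE + encodeURIComponent(currentHref);
  return '<a class="profile" href="' + escapeHtml(target) + '">Account</a>';
}

// Extract the href attribute value from the generated markup.
function hrefAttributeValue(html) {
  const m = /href="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// An attribute value is inert for this context when it contains none of
// the characters that close a quoted or unquoted attribute value.
function attributeValueIsInert(value) {
  return typeof value === 'string' && !/[\s<>"']/.test(value);
}

// Constructed sample location.href values, including a query string and
// a fragment with characters a browser may leave raw in location.href.
const SAMPLES = [
  'https://www.oracle.com/',
  'https://www.oracle.com/?a=1&b=2#frag',
  "https://www.oracle.com/#it's a <fragment>",
];

// True when every sample yields an href value that cannot break out.
function allSamplesInert() {
  return SAMPLES.every((h) =>
    attributeValueIsInert(hrefAttributeValue(buildAccountLink(h))));
}
```

Compare this with encodeURI in the fixed snippet: encodeURI does encode '<', '>', '"' and whitespace, so it closes the unquoted-attribute break-out, but it leaves '&', '#', '?' and '=' untouched, so a page URL carrying its own query string is no longer passed through nextURL intact. Quoting the attribute and escaping the value removes the dependence on which characters a particular browser chooses to leave raw in location.href.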

1 comment:

  1. Especially if FF serves the fragment as decoded?