Is the javascript in url executable?

528    Asked by GillianHamer in Java, Asked on Oct 11, 2022

 I am learning about "Session fixation" and have read the corresponding OWASP page.


In Example 2 on that page, they describe an attack via JavaScript that is embedded in the URL like:


http://website.kom/[removed][removed]="sessionid=abcd";[removed]

I tried this with an embedded [removed]alert("XSS!!");[removed], but as expected, it did not work.


Is there ANY way a URL can run embedded JavaScript?


Note: This question is somewhat similar to Execute reflected XSS in URL, but I am talking about scripts in the URL, not from an HTTP header.


Answered by Jonathan Skinner

A URL cannot run anything. JavaScript in a URL is just a string. How a URL can be used or abused depends on the context and application where it is used.


Your specific case is about an XSS vulnerability in the web application, where parts of the URL were embedded in the HTML page in a context which triggered the execution. Without such a vulnerability, no execution would happen.
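The point of the answer above, as an added example that is not part of the original post or of the OWASP page: the parameter pulled out of the URL is an inert string until an application concatenates it, unescaped, into an HTML response. The URL, the `name` parameter, the page template, and the helper names (`extractName`, `renderVulnerable`, `renderSafe`, `escapeHtml`, `containsScriptElement`) are all constructed for this example.

```javascript
// Added example (not from the original post): why a script in a URL is inert
// until a web application reflects it, unescaped, into an HTML response.
// The URL, the "name" parameter and the page template are constructed here.

// Constructed URL carrying the same kind of payload the question tried.
const CONSTRUCTED_URL = 'https://example.invalid/greet?name=' +
  encodeURIComponent('<script>alert("XSS!!");</script>');

// Pull the parameter out the way a server framework would. At this point it
// is only a string; nothing has executed.
function extractName(urlString) {
  return new URL(urlString).searchParams.get('name');
}

// Vulnerable rendering: the raw parameter is concatenated into HTML, so a
// browser would parse the <script> element and run it (the OWASP Example 2 case).
function renderVulnerable(name) {
  return `<html><body><h1>Hello ${name}</h1></body></html>`;
}

// Minimal HTML entity escaping for element text content. This is the
// mitigation for the text context only; attribute and JavaScript contexts
// need their own encoders.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: the same input ends up as visible text, not markup.
function renderSafe(name) {
  return `<html><body><h1>Hello ${escapeHtml(name)}</h1></body></html>`;
}

// Defender-side check: does the response body contain a script element that
// the template itself never had? Useful as a regression assertion in tests.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
const receivedName = extractName(CONSTRUCTED_URL);
console.log('parameter as received (a plain string):', receivedName);
console.log('vulnerable body contains <script>:', containsScriptElement(renderVulnerable(receivedName)));
console.log('hardened body contains <script>:', containsScriptElement(renderSafe(receivedName)));
```

Run with `node`; the first line shows the parameter is just text, the second shows the vulnerable template turned it into markup, and the third shows the escaped template kept it as text. The same check can be pointed at any page template that echoes request data.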


