[Owasp-csrfguard] Potential Vulnerability in isValidUrl

Eric Sheridan eric.sheridan at owasp.org
Fri Feb 11 09:35:01 EST 2011


List,

Koto on GitHub pointed out a potential vulnerability in the "isValidUrl"
method of the dynamic JavaScript code - and I believe this person is
correct. This method is poorly written and this problem only highlights
that fact. Here is the snippet:

/** determine if uri/url points to valid domain * */
function isValidUrl(src) {
	var result = false;
	
	/** parse out domain to make sure it points to our own * */
	if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
		// check if is valid domain
	} else if(src.charAt(0) == '#') {
		...
	} else if(src.charAt(0) == '/' || src.indexOf(':') == -1) {
		result = true;
	}
		
	return result;
}

The idea behind this code is to determine if the form/url location
points to a page for which we must include the CSRF token. This helps
ensure that a token destined for abc.com is not sent off site to an
xyz.com. However, the following URL //attacker.com/whatever is not local
yet will translate to http://attacker.com/whatever and the token will be
included. If the user clicks the link, their CSRF token destined for
abc.com is sent to attacker.com.

Any thoughts on how I could do this uri/url parsing logic in a cleaner
fashion without introducing a third party library? I could sneak in a
third conditional (&& !src.startsWith("//")) but this seems really fragile.

-Eric


More information about the Owasp-csrfguard mailing list