jQuery Versions Vulnerable to Selector XSS with class Attribute ('. XSS_VECTOR')

List of all jQuery versions vulnerable to class selector XSS. These jQuery libraries cause DOM XSS when a user-controlled value is passed as the class selector [$('.'+ className)]. The results below cover jQuery 1.11.0 through 1.11.3 only.

By
hbkninad 0 Seen 872 times
Tags
jquery xss

Results


Tested on
Chrome - 69 - Windows 7
jQuery Version | Is it Vulnerable?
jQuery 1.11.0 | Safe
jQuery 1.11.1 | Safe
jQuery 1.11.2 | Safe
jQuery 1.11.3 | Safe

Tested on
Firefox - 61 - Windows 10
jQuery Version | Is it Vulnerable?
jQuery 1.11.0 | Safe
jQuery 1.11.2 | Safe
jQuery 1.11.1 | Safe
jQuery 1.11.3 | Safe

Tested on
Googlebot - 2.1 - undefined
jQuery Version | Is it Vulnerable?
jQuery 1.11.3 | Safe
jQuery 1.11.2 | Safe
jQuery 1.11.1 | Safe
jQuery 1.11.0 | Safe

Tested on
IE - 11 - Windows 7
jQuery Version | Is it Vulnerable?
jQuery 1.11.2 | Safe
jQuery 1.11.1 | Safe
jQuery 1.11.0 | Safe
jQuery 1.11.3 | Safe

Tested on
Iceweasel - 38.2.1 - Linux
jQuery Version | Is it Vulnerable?
jQuery 1.11.3 | Safe
jQuery 1.11.2 | Safe
jQuery 1.11.1 | Safe
jQuery 1.11.0 | Safe

Tested on
Chrome Mobile - 41 - Android
jQuery Version | Is it Vulnerable?
jQuery 1.11.3 | Safe
jQuery 1.11.2 | Safe
jQuery 1.11.1 | Safe
jQuery 1.11.0 | Safe

Tested on
Opera - 47 - Windows 10
jQuery Version | Is it Vulnerable?
jQuery 1.11.2 | Safe
jQuery 1.11.1 | Safe
jQuery 1.11.0 | Safe
jQuery 1.11.3 | Safe

User Script (ENUM_FUNCTION)

					
// Custom Functions
// Version string of the jQuery release currently being probed. test() writes it
// and vulnerable()/safe() read it when they record a verdict.
// NOTE(review): this is a single shared global. If the harness starts several
// probes before earlier ones have reported, a verdict could be recorded under
// the wrong version - confirm that probes run one at a time.
var jQuery_version = '';
/**
 * Record a "vulnerable" verdict for the jQuery version held in the shared
 * jQuery_version global. The probe running inside the iframe calls this via
 * parent.vulnerable() when the injected onerror handler executed.
 * The message is passed to addError() with literal <b> markup; how the harness
 * renders it is not visible here.
 */
function vulnerable(){
    var label = 'jQuery ' + jQuery_version;
    addError(label, '<b>Vulnerable</b>');
}

/**
 * Record a "safe" verdict for the jQuery version held in the shared
 * jQuery_version global. The probe calls this via parent.safe() when the
 * $() call threw instead of building an element from the selector string.
 * "Safe" therefore only describes this one probe, not the library as a whole.
 */
function safe(){
    var label = 'jQuery ' + jQuery_version;
    addSuccess(label, 'Safe');
}
    
/**
 * Detach the probe iframe from the page once a verdict has been recorded.
 * Looks the frame up by the fixed id 'jQueryFrameID' and throws if no such
 * element is attached.
 * NOTE(review): every probe frame uses the same id, so if more than one is
 * attached at once this may detach a different probe's frame - confirm the
 * harness runs probes one at a time.
 */
function removeIframe(){
    var frame = document.getElementById('jQueryFrameID');
    var host = frame.parentNode;
    host.removeChild(frame);
}

// Test Function
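/**
 * Probe one jQuery release for the class-selector XSS described on this page.
 *
 * A fresh iframe is created, the requested jQuery build is loaded into it from
 * the Google Hosted Libraries CDN, and a small probe script then passes the
 * string '. <img src=x onerror=bad();>' to $(). If jQuery builds an element
 * from that string, the image's onerror handler runs bad(), which reports
 * parent.vulnerable(). If $() throws instead, the probe's catch block reports
 * parent.safe(). Either way the probe asks the parent to remove the iframe.
 *
 * Takeaway for application code: do not build selectors by concatenating
 * untrusted input. Escape the value first (jQuery.escapeSelector in jQuery 3.0+,
 * or CSS.escape), or use a DOM API such as getElementsByClassName that never
 * interprets its argument as markup.
 *
 * NOTE(review): a verdict is recorded only when the probe throws or onerror
 * fires. If $() returns normally and no handler runs, nothing is reported and
 * the iframe stays attached.
 *
 * Written in ES5 on purpose: the results above include IE 11 and Iceweasel 38.
 *
 * @param {string} data - jQuery version to probe, e.g. '1.11.3'; it is
 *     interpolated into the CDN URL as-is, so it is expected to come from the
 *     harness's own enum list.
 */
function test(data){
    try{
        // vulnerable()/safe() read this shared global when they record a verdict.
        jQuery_version = data;
        var jQueryFrame = document.createElement('iframe');
        jQueryFrame.id = 'jQueryFrameID';

        // Detach exactly this probe's frame. Looking it up by id would return
        // the first element with that id, which need not be this one.
        var dropFrame = function(){
            if (jQueryFrame.parentNode) {
                jQueryFrame.parentNode.removeChild(jQueryFrame);
            }
        };

        jQueryFrame.onload = function(){
            var frameDoc = jQueryFrame.contentWindow.document;
            var jQueryScript = frameDoc.createElement('script');
            jQueryScript.type = 'text/javascript';
            jQueryScript.src = 'https://ajax.googleapis.com/ajax/libs/jquery/'+ data.toString() +'/jquery.js';

            // Handlers are attached before the element is inserted so neither
            // event can be missed.
            jQueryScript.onload = function(){
                var exploitScript = "try{function bad(){parent.vulnerable(); parent.removeIframe();} $('. <img src=x onerror=bad();>');} catch(err){parent.safe();parent.removeIframe();}";
                var exploit = frameDoc.createElement('script');
                exploit.type = 'text/javascript';
                // .text stores the probe verbatim as script source instead of
                // routing the string through the HTML fragment parser.
                exploit.text = exploitScript;
                frameDoc.body.appendChild(exploit);
            };
            jQueryScript.onerror = function(){
                addResult(data ,  'Some Error Occured');
                // Fix: the original left the frame attached when the library
                // failed to load, so a stale 'jQueryFrameID' element stayed in
                // the page and a later removeIframe() could pick it up instead
                // of the frame it was meant to remove.
                dropFrame();
            };
            frameDoc.body.appendChild(jQueryScript);
        };
        document.body.appendChild(jQueryFrame);
    }
    catch(err){
        // Synchronous DOM failures land here; the load-failure path above
        // reports through addResult() instead.
        addInfo(data ,  'Some Error Occured');
    }
}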
					
				
					
				

Enum Data (ENUM_FUNCTION)

					
// Versions to probe, taken from the jQuery entry of the Google Hosted Libraries
// guide: https://developers.google.com/speed/libraries/devguide#jquery
// Only the 1.11.x line is listed here, so the verdicts on this page say nothing
// about older or newer jQuery releases. A "Safe" verdict means this one probe
// did not execute; it is not a general statement about the library version.
var data = [ '1.11.3', '1.11.2', '1.11.1', '1.11.0' ];