jQuery Versions Vulnerable to Selector DOM XSS via # aka Selector IDs. (2)

jQuery Versions Vulnerable to Selector DOM XSS via # aka Selector IDs.

By
lethy1993 0 Seen 15 times
Tags
jquery
Run this test now.

Results


Tested on
Chrome Mobile - 78 - Android
jQuery VersionIs Vulnerable?
jQuery 1Safe
3Some Error Occured
6Some Error Occured
2Some Error Occured
10Some Error Occured
4Some Error Occured
5Some Error Occured
9Some Error Occured
7Some Error Occured
8Some Error Occured

User Script (ENUM_FUNCTION) 

					
// Custom Functions
var jQuery_version = '';
function vulnerable(){
    addError('jQuery '+ jQuery_version, '<b>Vulnerable</b>');
}

function safe(){
    addSuccess('jQuery '+ jQuery_version, 'Safe');
}
    
function removeIframe(){
    var x = document.getElementById('jQueryFrameID');
    x.parentNode.removeChild(x);
}

// Test Function
function test(data){
	// We need to separate properties and access one by one.
try{
    jQuery_version = data;
    var jQueryFrame = document.createElement('iframe');
    jQueryFrame.src = location.href+'#<img src=x onerror=bad();>';
    jQueryFrame.id = 'jQueryFrameID';
    jQueryFrame.onload = function(){
            var jQueryScript = jQueryFrame.contentWindow.document.createElement('script');
            jQueryScript.type = 'text/javascript';
            jQueryScript.src = 'https://ajax.googleapis.com/ajax/libs/jquery/'+ data.toString() +'/jquery.js';
            jQueryFrame.contentWindow.document.body.appendChild(jQueryScript);
            jQueryScript.onload = function(){console.warn(location.href);
                var exploitScript = "try{function bad(){parent.vulnerable(); parent.removeIframe();} $(location.hash);} catch(err){parent.safe();parent.removeIframe();}";
                var exploit = jQueryFrame.contentWindow.document.createElement('script');
                exploit.type = 'text/javascript';
                exploit.innerHTML = exploitScript;
                jQueryFrame.contentWindow.document.body.appendChild(exploit);
                
            };
            jQueryScript.onerror = function(){
                addResult(data ,  'Some Error Occured');
            };
    };
    document.body.appendChild(jQueryFrame);

}

catch(err){
	addInfo(data ,  'Some Error Occured');
}

}

Enum Data (ENUM_FUNCTION) 

					
// Taken from jQuery Versions Under, https://developers.google.com/speed/libraries/devguide#jquery
var data = ['2.0.3', '2.0.2', '2.0.1', '2.0.0', '1.10.2', '1.10.1', 
'1.10.0', '1.9.1', '1.9.0', '1.8.3', '1.8.2', '1.8.1', '1.8.0', 
'1.7.2', '1.7.1', '1.7.0', '1.6.4', '1.6.3', '1.6.2', '1.6.1', 
'1.6.0', '1.5.2', '1.5.1', '1.5.0', '1.4.4', '1.4.3', '1.4.2', 
'1.4.1', '1.4.0', '1.3.2', '1.3.1', '1.3.0', '1.2.6', '1.2.3','3.3.1' ,'3.4.1'];