jQuery Versions Vulnerable to Selector DOM XSS via # aka Selector IDs. (2)

jQuery Versions Vulnerable to Selector DOM XSS via # aka Selector IDs.

By
lethy1993 0 Seen 422 times
Tags
jquery

Results


This browser ran the most recent scan
Tested on
Chrome Mobile - 98 - Android
jQuery Version | Is Vulnerable?
jQuery 3.4.0 | Safe
jQuery 3.2.0 | Safe
jQuery 2.2.1 | Safe
jQuery 3.0.0 | Safe
jQuery 2.1.0 | Safe
jQuery 2.2.0 | Safe
jQuery 3.1.0 | Safe
2.3.0 | Some Error Occured
3.3.0 | Some Error Occured
jQuery 2.0.0 | Safe
1.2.1 | Some Error Occured

This browser ran the most recent scan
Tested on
Chrome - 98 - undefined
jQuery Version | Is Vulnerable?
jQuery 3.1.0 | Safe
jQuery 3.4.0 | Safe
2.3.0 | Some Error Occured
3.3.0 | Some Error Occured
jQuery 3.0.0 | Safe
jQuery 2.2.1 | Safe
jQuery 2.2.0 | Safe
jQuery 2.0.0 | Safe
jQuery 2.1.0 | Safe
jQuery 3.2.0 | Safe
1.2.1 | Some Error Occured

User Script (ENUM_FUNCTION)

					
// Custom Functions
// Version label used by vulnerable() and safe() when they write a result row.
// test() overwrites it at the start of every call.
// NOTE(review): this is one shared global for all probes. If the harness starts
// several test() calls before earlier probe frames have reported, a verdict can
// be filed under the wrong version. Confirm how the harness schedules calls.
var jQuery_version = '';
/**
 * Files the jQuery version currently under test as vulnerable.
 *
 * The probe frame calls this as parent.vulnerable() when the element built
 * from the URL fragment runs its error handler. The label is read from the
 * shared jQuery_version global, not from the frame that reported.
 *
 * NOTE(review): the verdict string contains markup, so addError() presumably
 * renders HTML. Keep both arguments limited to script-authored values and
 * confirm against the harness.
 */
function vulnerable(){
    var rowLabel = 'jQuery ' + jQuery_version;
    addError(rowLabel, '<b>Vulnerable</b>');
}

/**
 * Files the jQuery version currently under test as safe.
 *
 * The probe frame calls this as parent.safe() from its catch branch, that is,
 * when `$(location.hash)` threw instead of building an element. "Safe" in the
 * results therefore means "the call threw in this browser", nothing more.
 * The label is read from the shared jQuery_version global.
 */
function safe(){
    var rowLabel = 'jQuery ' + jQuery_version;
    addSuccess(rowLabel, 'Safe');
}
    
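/**
 * Removes the probe iframe (id "jQueryFrameID") from the page.
 *
 * The probe frame calls this as parent.removeIframe() after reporting a
 * verdict. It does nothing when no such frame is attached, so a repeated call
 * for the same probe no longer throws a TypeError.
 *
 * NOTE(review): every probe frame is given this same id, and the lookup
 * returns the first match in document order. With more than one probe frame in
 * the page this may remove a different frame than the one that reported.
 * Confirm that probes run one at a time.
 */
function removeIframe(){
    var frame = document.getElementById('jQueryFrameID');
    if (!frame || !frame.parentNode) {
        return;
    }
    frame.parentNode.removeChild(frame);
}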

// Test Function
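/**
 * Probes one jQuery release for DOM XSS through `$(location.hash)`.
 *
 * Loads this page again in an iframe whose URL fragment is an HTML-looking
 * string, injects the requested jQuery build from the Google CDN into that
 * frame, then runs `$(location.hash)` there. The frame reports back through
 * callbacks on the parent window:
 *   - vulnerable(): the element built from the fragment ran its error handler;
 *   - safe(): `$(location.hash)` threw instead of building the element.
 * If neither happens, no row is written and the frame stays in the page, so a
 * missing row means "inconclusive", not "safe".
 *
 * NOTE(review): a "Safe" row describes this browser and this jQuery build
 * together. A browser that percent-encodes the fragment hands jQuery a
 * different string than the literal below. Confirm before reading a row as a
 * statement about the library alone.
 *
 * @param {string} data jQuery version exactly as it appears in the CDN path.
 */
function test(data){
    var jQueryFrame;

    // Drops this probe's own frame. It works on the node itself rather than an
    // id lookup, because every probe frame shares the id 'jQueryFrameID'.
    function discardFrame(){
        if (jQueryFrame && jQueryFrame.parentNode) {
            jQueryFrame.parentNode.removeChild(jQueryFrame);
        }
    }

    // Writes the failure row for a probe that could not run, then removes its
    // frame so failed loads do not pile up in the page.
    function reportLoadFailure(){
        addResult(data ,  'Some Error Occured');
        discardFrame();
    }

    try{
        jQuery_version = data;
        jQueryFrame = document.createElement('iframe');
        // Strip any fragment the page URL already has, so the frame's
        // location.hash is exactly the probe string.
        jQueryFrame.src = location.href.split('#')[0]+'#<img src=x onerror=bad();>';
        jQueryFrame.id = 'jQueryFrameID';
        jQueryFrame.onload = function(){
            // This runs after test() has returned, so the outer try/catch does
            // not cover it; failures here are reported as a load failure.
            try{
                var frameDocument = jQueryFrame.contentWindow.document;
                var jQueryScript = frameDocument.createElement('script');
                jQueryScript.type = 'text/javascript';
                jQueryScript.src = 'https://ajax.googleapis.com/ajax/libs/jquery/'+ data.toString() +'/jquery.js';
                // Handlers are attached before insertion so no event is missed.
                jQueryScript.onload = function(){
                    console.warn(location.href);
                    // Re-stamp the shared label: another test() call may have
                    // overwritten it while this build was downloading.
                    jQuery_version = data;
                    var exploitScript = "try{function bad(){parent.vulnerable(); parent.removeIframe();} $(location.hash);} catch(err){parent.safe();parent.removeIframe();}";
                    var exploit = frameDocument.createElement('script');
                    exploit.type = 'text/javascript';
                    // The probe is script text, not markup, so it is assigned
                    // as text rather than through innerHTML.
                    exploit.text = exploitScript;
                    frameDocument.body.appendChild(exploit);
                };
                // A version the CDN does not serve ends up here.
                jQueryScript.onerror = reportLoadFailure;
                frameDocument.body.appendChild(jQueryScript);
            }
            catch(err){
                reportLoadFailure();
            }
        };
        document.body.appendChild(jQueryFrame);
    }
    catch(err){
        addInfo(data ,  'Some Error Occured');
    }
}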

					
				

Enum Data (ENUM_FUNCTION)

					
// jQuery releases to probe, taken from the versions listed at
// https://developers.google.com/speed/libraries/devguide#jquery
// test() substitutes each entry into the Google CDN path. An entry the CDN
// does not serve is reported through the script's onerror handler as
// 'Some Error Occured', not as a verdict.
// The authored order is kept: 2.0.x, then 1.x descending, then two 3.x entries.
var data = [
    '2.0.3', '2.0.2', '2.0.1', '2.0.0',
    '1.10.2', '1.10.1', '1.10.0',
    '1.9.1', '1.9.0',
    '1.8.3', '1.8.2', '1.8.1', '1.8.0',
    '1.7.2', '1.7.1', '1.7.0',
    '1.6.4', '1.6.3', '1.6.2', '1.6.1', '1.6.0',
    '1.5.2', '1.5.1', '1.5.0',
    '1.4.4', '1.4.3', '1.4.2', '1.4.1', '1.4.0',
    '1.3.2', '1.3.1', '1.3.0',
    '1.2.6', '1.2.3',
    '3.3.1', '3.4.1'
];