3

OWASP's testing for HTML injection page (link) shows a particular code that is supposed to be vulnerable to HTML injection.

<script src="../js/jquery-1.7.1.js"></script>
<script>
function setMessage(){
    var t=location.hash.slice(1);
    $("div[id="+t+"]").text("The DOM is now loaded and can be manipulated.");
}
$(document).ready(setMessage  );
$(window).bind("hashchange",setMessage)
</script>
<body>
    <script src="../js/embed.js"></script>
    <span><a href="#message" > Show Here</a><div id="message">Showing Message1</div></span>
    <span><a href="#message1" > Show Here</a><div id="message1">Showing Message2</div>
    <span><a href="#message2" > Show Here</a><div id="message2">Showing Message3</div>
</body>

This code is one of the challenges on (domxss.com) and I am unsure of how this is vulnerable.

From what I understand, the URL's hash can be used as an input and any change in the URL will trigger the setMessage function. This URL hash will be my payload. However, this payload is only being used as a selector in jQuery which is where I hit a wall.

I am relatively new to XSS so any payloads will be appreciated. An explanation is obviously welcome.

Also, any resources to better understand HTML injection attacks via jQuery will be useful.

Black Wind
  • 313
  • 1
  • 8
  • It's been a long time since I've used jQuery, but jQuery can also create new elements with its constructor. Something like `$('')`. Not sure if that works in the context of that selector or not... might be worth trying. – Brad Nov 20 '21 at 18:15

1 Answers1

3

Yes, very old versions of jQuery are vulnurable to XSS from a dynamic selector string. See Bug # 11290 on jQuery's bug tracker - if formulated just right, the selector string can be accidentally interpreted as HTML. If the selector string can be provided by the user, you could be in trouble.

For a minimal example:

$(`div[class='<img src="" onerror=alert("evil")>]`).text("The DOM is now loaded and can be manipulated.");
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>

So, the original

$("div[id="+t+"]")

can be injected with such a t that results in arbitrary code running.

const t = `'<img src="" onerror=alert("evil")>]`;
$("div[id="+t+"]").text("The DOM is now loaded and can be manipulated.");
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>

The bug was fixed 9 years ago, so unless you're deliberately using an ancient version of jQuery and never update your dependencies, it probably won't affect you.

The bug was ultimate caused by an insufficiently strict regex..

CertainPerformance
  • 356,069
  • 52
  • 309
  • 320