Sending user controlled inputs to jQuery functions may lead to critical XSS

Post Pic Not Available

Hey all , Its been some time I am trying to learn the security vulnerabilities related to Javascript .jQuery is one of the most widely used library of javascript . We find it embedded it most of the web pages we see these days. During the learning phase I found a very good post regarding jquery functions that allow HTML Injection . Following is the link to that post:
https://code.google.com/p/domxsswiki/wiki/jQuery Its written by the developer of popular JS Analyzer tool Dominator, Stefano Di Paola .Thanks to him for such a great post. It took me some time to understand . With this blog post i will try to explain about the above post by Stefano related to jQuery sinks which allow HTML Injection .
Demo/Example: I wrote a comment box code for my blog website which post the comment message using the .load() function of jQuery to database. This comment box code grab the GET parameter value of current page using php code and use that value in the .load() function of jquery.
If you see the line 28 , there is php code that grab the GET parameter value . .load() is one of the jQuery function that allow HTML injection . So , I injected the payload in the url and ..
The payload executed successfully (the vulnerable code is fixed now )
Like .load() there are many functions that allow HTML Injection. Following are few of them:
add() , constructor() , has() , init() , index() , wrapAll() , wrapInner() , wrap() , append() , prepend() , before() , after() , html() , replaceWith() , appendTo() , prependTo() , insertBefore() , insertAfter() , replaceAll()
Source: https://code.google.com/p/domxsswiki/wiki/jQuery
So, while pentesting web applications if you find a jQuery function which uses some user controlled input from some source like GET parameters, it may be vulnerable to XSS. I will try to update this post with more sinks/function of jQuery that allow HTML Injection. I would like to give credits to one more person , Mike Shema http://deadliestwebattacks.com/2013/12/03/selector-the-almighty-subjugator-of-elements/
I hope it was a worth reading post. Comments are welcome : )
- Jasminder Pal Singh

Share It!

Comments

comments powered by Disqus