How is HTML injection possible in this domxss.com challenge

OWASP's testing for HTML injection page ( link ) shows a particular code that is supposed to be vulnerable to HTML injection.

<script src="../js/jquery-1.7.1.js"></script>
<script>
function setMessage(){
    var t=location.hash.slice(1);
    $("div[id="+t+"]").text("The DOM is now loaded and can be manipulated.");
}
$(document).ready(setMessage  );
$(window).bind("hashchange",setMessage)
</script>
<body>
    <script src="../js/embed.js"></script>
    <span><a href="#message" > Show Here</a><div id="message">Showing Message1</div></span>
    <span><a href="#message1" > Show Here</a><div id="message1">Showing Message2</div>
    <span><a href="#message2" > Show Here</a><div id="message2">Showing Message3</div>
</body>

This code is one of the challenges on ( domxss.com ) and I am unsure of how this is vulnerable.

From what I understand, the URL's hash can be used as an input and any change in the URL will trigger the setMessage function. This URL hash will be my payload. However, this payload is only being used as a selector in jQuery which is where I hit a wall.

I am relatively new to XSS so any payloads will be appreciated. An explanation is obviously welcome.

Also, any resources to better understand HTML injection attacks via jQuery will be useful.

Yes, very old versions of jQuery are vulnerable to XSS from a dynamic selector string. See Bug #11290 on jQuery's bug tracker - if formulated just right, the selector string can be accidentally interpreted as HTML. If the selector string can be provided by the user, you could be in trouble.

For a minimal example:

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script>
$(`div[class='<img src="" onerror=alert("evil")>]`).text("The DOM is now loaded and can be manipulated.");
</script>

So, the original

$("div[id="+t+"]")

can be injected with such a t that results in arbitrary code running.

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script>
const t = `'<img src="" onerror=alert("evil")>]`;
$("div[id="+t+"]").text("The DOM is now loaded and can be manipulated.");
</script>

The bug was fixed 9 years ago, so unless you're deliberately using an ancient version of jQuery and never update your dependencies, it probably won't affect you.

The bug was ultimately caused by an insufficiently strict regex.
