Anderson

Reputation: 171

Is it possible to perform an XSS attack using jQuery's .attr(attributeName, value) method in the following context?

Given is the following html fragment, which is statically typed in an html file:

<div id="div001" title="abc">Test</div>

Is it possible to perform an XSS attack when the attacker can provide an arbitrary value for the variable unsafe_string in the following context:

$('#div001').attr("title", unsafe_string);

My question is: Is it possible to break out of the attribute value so that some malicious code can get injected and executed? The attacker only has control of unsafe_string and nothing else.

I could for example observe that

$('#div001').attr("title", '"');

results in

$('#div001').attr("title") = "\""

Upvotes: 1

Views: 3551

Answers (2)

wi2ard

Reputation: 1555

Yes, there are a number of vulnerabilities in this code:

  1. execution of malicious javascript when you execute $('#div001').attr("title", unsafe_string);

Example: jsp code: $('#div001').attr("title", ${unsafe_string});

when unsafe_string value is "");alert('do nasty stuff')

generates js code: $('#div001').attr("title", "");alert('do nasty stuff')

edit: jquery protects you against these 2 by escaping dangerous chars

  2. injection of malicious javascript in the attribute value (title)
  3. injection of html in the attribute value

You have to escape the unsafe string to protect against all of these (and also you have to validate the unsafe string when you save it in your application). I suggest using an existing security library for this, depending on your technology stack. See more here: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet


Edit: 4. If you keep your js code in the html file, you can also be vulnerable to html injection. Example: jsp code:

<body>
    <script>
    $(document).ready(function(){$('#mydiv').attr( "title", ${unsafe_string})});
    </script>
    <div id="mydiv" title='abc'>
        something
    </div>
</body>

When unsafe_string is the string </script>defacing my site, your page will look like this

More details about how to test against XSS here: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Upvotes: 0

Anderson

Reputation: 171

No, as jQuery takes care of escaping the content of unsafe_string, so that it is not possible to break out of the attribute value. Writing html or javascript code into the attribute value via jQuery's attr() function will escape the string and will not get interpreted as html or executed as javascript code.

The escaping behaviour can be checked by looking at $('#div001')[0].outerHTML.

Upvotes: 1
