Black Wind

Reputation: 341

How is HTML injection possible in this domxss.com challenge

OWASP's testing for HTML injection page (link) shows a particular piece of code that is supposed to be vulnerable to HTML injection.

<script src="../js/jquery-1.7.1.js"></script>
<script>
function setMessage(){
    // The URL fragment is read from location.hash and spliced, unsanitized,
    // straight into a jQuery selector string.
    var t=location.hash.slice(1);
    $("div[id="+t+"]").text("The DOM is now loaded and can be manipulated.");
}
$(document).ready(setMessage);
$(window).bind("hashchange",setMessage);
</script>
<body>
    <script src="../js/embed.js"></script>
    <span><a href="#message" > Show Here</a><div id="message">Showing Message1</div></span>
    <span><a href="#message1" > Show Here</a><div id="message1">Showing Message2</div></span>
    <span><a href="#message2" > Show Here</a><div id="message2">Showing Message3</div></span>
</body>

This code is one of the challenges on (domxss.com) and I am unsure of how this is vulnerable.

From what I understand, the URL's hash can be used as an input and any change in the URL will trigger the setMessage function. This URL hash will be my payload. However, this payload is only being used as a selector in jQuery which is where I hit a wall.

I am relatively new to XSS so any payloads will be appreciated. An explanation is obviously welcome.

Also, any resources to better understand HTML injection attacks via jQuery will be useful.

Upvotes: 3

Views: 569

Answers (1)

CertainPerformance

Reputation: 371168

Yes, very old versions of jQuery are vulnerable to XSS from a dynamic selector string. See Bug #11290 on jQuery's bug tracker - if formulated just right, the selector string can be accidentally interpreted as HTML. If the selector string can be provided by the user, you could be in trouble.

For a minimal example:

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script>
// jQuery 1.7.1 mistakes this selector for an HTML fragment and creates the element
$(`div[class='<img src="" onerror=alert("evil")>]`).text("The DOM is now loaded and can be manipulated.");
</script>

So, the original

$("div[id="+t+"]")

can be injected with such a t that results in arbitrary code running.

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script>
// t stands in for the value location.hash.slice(1) would supply
const t = `'<img src="" onerror=alert("evil")>]`;
$("div[id="+t+"]").text("The DOM is now loaded and can be manipulated.");
</script>

The bug was fixed 9 years ago, so unless you're deliberately using an ancient version of jQuery and never update your dependencies, it probably won't affect you.

The bug was ultimately caused by an insufficiently strict regex.

Upvotes: 3
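The defensive counterpart to the answer above, as an added example that is not code from the question, the answer or the OWASP page: a rewrite of setMessage() that treats location.hash as untrusted input and never lets it reach a selector string. The fragment is checked against a character allowlist and a set of known ids, then resolved with getElementById, which does not parse HTML or selectors, so the fix holds regardless of the jQuery version. The function names, the SAFE_ID pattern, the KNOWN_IDS set and the stand-in document object are assumptions made for this example.

```javascript
// Added example, not from the question, the answer or OWASP: a hardened
// setMessage() that never builds a selector from location.hash.

// Only ids made of these characters are accepted. Quotes, brackets and
// angle brackets (what the selector-as-HTML confusion in jQuery bug #11290
// needs) are rejected before any DOM call is made. Pattern is an assumption.
const SAFE_ID = /^[A-Za-z0-9_-]{1,64}$/;

// The ids the page actually exposes (taken from the OWASP snippet in the
// question). Checking membership is stricter than the character allowlist
// alone and documents exactly which elements the handler may touch.
const KNOWN_IDS = new Set(["message", "message1", "message2"]);

// Turn a raw location.hash value ("#message1") into a vetted id, or null.
function hashToId(hash) {
  const t = hash.startsWith("#") ? hash.slice(1) : hash;
  if (!SAFE_ID.test(t)) return null;
  if (!KNOWN_IDS.has(t)) return null;
  return t;
}

// Update the selected element's text. `doc` is passed in so the same code
// runs against the real document in a browser or a stand-in in tests.
// Returns true when an element was updated, false when the hash was
// rejected or matched nothing.
function setMessageSafe(doc, hash) {
  const id = hashToId(hash);
  if (id === null) return false;
  // getElementById takes a plain id string; nothing in it is interpreted
  // as HTML or as selector syntax.
  const el = doc.getElementById(id);
  if (!el) return false;
  // textContent, like jQuery's .text(), does not parse HTML either.
  el.textContent = "The DOM is now loaded and can be manipulated.";
  return true;
}

// Constructed stand-in for `document`: just enough to exercise the handler
// outside a browser. The elements mirror the three divs in the question.
function makeFakeDocument() {
  const elements = {
    message: { textContent: "Showing Message1" },
    message1: { textContent: "Showing Message2" },
    message2: { textContent: "Showing Message3" },
  };
  return { getElementById: (id) => elements[id] || null, elements };
}

// Browser wiring, mirroring the original page's ready/hashchange hooks.
// Skipped when there is no window (e.g. when run under node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const run = () => setMessageSafe(document, window.location.hash);
  window.addEventListener("DOMContentLoaded", run);
  window.addEventListener("hashchange", run);
}
```

If a real selector is unavoidable, the allowlist check still applies, and the value should additionally be escaped with CSS.escape() (or jQuery.escapeSelector() on jQuery 3.0 and later) rather than concatenated raw; but for "find the element with this id" the plain getElementById lookup above removes the selector parser from the picture entirely.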
