
Is this code vulnerable to DOM based XSS?

The application is using jQuery 3.3.1 and I noticed that data is read from `window.location.hash` and passed to `$()` via the following statements:

```js
var hash = window.location.hash.substring(1);
var elem = $('#reports_nav_links .' + hash);
```

The link I have is something like /graph#injection-point

Every parameter I insert after the hash symbol gives the following error in browser console:

Error: Syntax error, unrecognized expression: #reports_nav_links .injection-point

What payload could I use to trigger an alert box or execute any JS code? Is this code vulnerable or 100% safe?

Joe
Jamyzed
  • @Arminius I don't think it's a duplicate of that question. The jQuery version and statements are different. – Jamyzed Dec 20 '18 at 20:07
  • But especially the test site linked in the answer pretty clearly describes which versions are vulnerable and its example is directly transferrable to yours, isn't it? – Arminius Dec 20 '18 at 20:18
  • The gist is that in newer versions of jQuery, a leading `#` guarantees that the string is always understood as a selector no matter what user-controlled data follows. (There may be interactions with additional libraries though.) – Arminius Dec 20 '18 at 20:24
  • Further, modern browsers also encode the hash fragment, making it unexploitable. – 1lastBr3ath Dec 21 '18 at 02:05

1 Answer


The snippet that you pasted above is not vulnerable to the jQuery XSS vulnerability that you probably have in mind (Bug #9521) since it does not affect version 3.3.1. The jQuery selector bug was fixed in version 1.7.

EdOverflow
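
One way to harden the lookup from the question independently of the jQuery version, as an added example that is not part of the original question or answer: validate the fragment against a class-name allowlist pattern before it is concatenated into the selector, which also avoids the "unrecognized expression" exception. The names `CLASS_TOKEN` and `classSelectorFromHash` and the sample fragments are assumptions made for illustration; only `#reports_nav_links` and the hash-to-class lookup come from the question.

```javascript
// Added example (not from the page): build the selector only from a fragment
// that is a plain class-name token. CLASS_TOKEN and classSelectorFromHash are
// hypothetical names chosen for this illustration.

// Conservative token: a letter first, then letters, digits, '_' or '-'.
const CLASS_TOKEN = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;

function classSelectorFromHash(rawHash) {
  // location.hash includes the leading '#'; strip it as the original code does.
  const fragment = String(rawHash || '').replace(/^#/, '');
  let decoded;
  try {
    // Browsers may percent-encode the fragment, so decode before validating.
    decoded = decodeURIComponent(fragment);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // Anything with spaces, commas, brackets, markup, etc. is rejected outright
  // instead of being handed to the selector engine.
  if (!CLASS_TOKEN.test(decoded)) {
    return null;
  }
  return '#reports_nav_links .' + decoded;
}

// In the page this would be used as:
//   var sel  = classSelectorFromHash(window.location.hash);
//   var elem = sel ? $(sel) : $();   // empty jQuery set when the hash is rejected
// jQuery 3.0+ also offers jQuery.escapeSelector() when arbitrary names must be supported.

// Constructed sample fragments, so the function can be exercised outside a browser.
const samples = ['#weekly-summary', '#tab%5F1', '#a b', '#x,y', '#<b>x</b>', '#%zz', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', classSelectorFromHash(s));
}
```
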