
Web Security: Source Code Analysis of the jQuery DOM XSS Vulnerability

2022-04-29 19:57:37 Midnight safety

1. Preface

jQuery is widely used on the Web. When the jQuery version is greater than or equal to 1.2 and less than 3.5.0, passing HTML from untrusted sources to jQuery's DOM manipulation methods (namely .html(), .append(), etc.) can still execute untrusted code even after the HTML has been sanitized, which leads to an XSS vulnerability.
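The version range above can be checked mechanically when auditing a page. The following is an added example, not code from the original post: it scans an HTML string for jQuery script references and flags versions in the stated range. The function names, URL patterns and sample markup are assumptions constructed for illustration.

```javascript
// Added example: flag jQuery <script> references whose version falls in the
// affected range stated above (>= 1.2 and < 3.5.0).
const VERSION = String.raw`(\d+\.\d+(?:\.\d+)?)`;
const FILE = String.raw`jquery(?:\.slim)?(?:\.min)?\.js(?:[?#]|$)`;
// File-name style: jquery-3.4.1.min.js
const BY_NAME = new RegExp(String.raw`(?:^|\/)jquery[-.]${VERSION}(?:\.slim)?(?:\.min)?\.js(?:[?#]|$)`, "i");
// CDN path style: .../jquery/3.4.1/jquery.min.js or .../jquery@3.4.1/dist/jquery.min.js
const BY_PATH = new RegExp(String.raw`\/jquery[\/@]${VERSION}\/(?:dist\/)?${FILE}`, "i");
// jQuery file with no version in the URL at all.
const UNVERSIONED = new RegExp(String.raw`(?:^|\/)${FILE}`, "i");

function isAffected(version) {
  const [major, minor, patch = 0] = version.split(".").map(Number);
  const n = major * 1e6 + minor * 1e3 + patch; // assumes each part < 1000
  return n >= 1002000 && n < 3005000;          // 1.2.0 <= v < 3.5.0
}

function auditJquery(html) {
  const findings = [];
  const scriptSrc = /<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const [, src] of html.matchAll(scriptSrc)) {
    const m = BY_PATH.exec(src) || BY_NAME.exec(src);
    if (m) {
      findings.push({ src, version: m[1], affected: isAffected(m[1]) });
    } else if (UNVERSIONED.test(src)) {
      // No version in the URL: read jQuery.fn.jquery on the loaded page instead.
      findings.push({ src, version: null, affected: null });
    }
  }
  return findings;
}

// Constructed sample markup (not taken from the test environment).
const SAMPLE_HTML = `
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js"></script>
<script src="/static/js/jquery.min.js"></script>
<script src="/static/js/jquery.validate-1.19.0.min.js"></script>`;

console.log(auditJquery(SAMPLE_HTML));
```

A result with `affected: null` means the URL carries no version, so the loaded library's `jQuery.fn.jquery` value has to be checked directly.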

2. Reproducing the vulnerability

Use the environment built by the original author:

https://vulnerabledoma.in/jquery_htmlPrefilter_xss.html

This environment has three built-in XSS PoCs. Clicking the "Append via .html()" button triggers the XSS vulnerability.

When we want to test whether a particular jQuery version is vulnerable, we can replace the URL underlined in red, then open the HTML file in a browser.

HTML source code: <
