Is location.hash vulnerable to DOM XSS in jQuery selector when combined with other selectors


I'm using the Checkmarx SAST tool and it's highlighting jQuery selectors using the hash from the URL as Client DOM XSS:

$('[name=' +  location.hash.replace('#', '') + ' ]')

or even

$('#' + location.hash.replace('#', ''))

I don't understand how any of the above examples can be vulnerable to XSS given that it has other parts of the selector in it, especially the first one. In my understanding, the only way someone can be vulnerable to XSS via a jQuery selector is by inserting the hash value without the hash symbol, as in the following:

$(location.hash.replace('#', ''))

where someone can put something malicious after the hash, as in https://example.com#<img src="" onerror="alert(1)". Even plain $(location.hash) I think was fixed in the latest releases of jQuery.

Please fill me in with whatever I am missing.

UPDATE

It turns out that what I thought is the least vulnerable is actually the most. Try this $('[name="<img src="" onerror="alert(document.cookie)""]/>') and you'll see the alert popup.

Only jQuery selectors starting with a hash, or even starting with other selectors but having a hash preceding the injected element, will not be exploitable. For example, this $('.something <img src="" onerror="alert(document.cookie)""]/> #hash') is exploitable, but this $('#hash <img src="" onerror="alert(document.cookie)""]/>') is not.

Can anyone please confirm that my findings are right, and whether indeed any hash-starting selector can be marked as not exploitable?
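The behaviour the question observes comes down to one check inside jQuery: before treating a string as a CSS selector, `$()` tests it against a "quick expression" and, on a match, hands it to the HTML parser instead. The script below is an added example (not code from the question, and not jQuery's own source) that models that check for two jQuery generations, so you can classify a selector string as a potential DOM XSS sink, and shows a defensive way to use location.hash. The two regexes are reproduced from memory of the jQuery 1.8 and jQuery 3.x sources and should be verified against the version you ship; PAYLOAD is a constructed sample built from the question's own test string.

```javascript
// Quick-expression patterns jQuery uses to decide "HTML or selector?".
// Reproduced from memory (assumption); check against your jQuery version.
const QUICK_EXPR = {
  // jQuery < 1.9: any prefix without '#' or '<' is allowed before the markup,
  // so '[name="<img ...>"]' and '.something <img ...> #hash' are parsed as HTML,
  // while '#hash <img ...>' is not (the '#' stops the prefix).
  legacy: /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // jQuery >= 1.9: HTML only when the string itself starts with '<'
  // (after optional whitespace); any other prefix makes it a selector.
  modern: /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/,
};

// Returns "html" when jQuery would run the string through the HTML parser
// (the DOM XSS sink), "id" for the fast getElementById path, and
// "selector" for a real CSS-selector lookup (no markup is created).
function classify(selector, version = "modern") {
  const m = QUICK_EXPR[version].exec(selector);
  if (!m) return "selector";
  return m[1] ? "html" : "id";
}

// Defensive pattern: treat the fragment as data, never as selector syntax.
// Accept only characters a sane id/name value needs and reject everything
// else outright instead of trying to strip '<', quotes or brackets.
const SAFE_FRAGMENT = /^[A-Za-z0-9_-]{1,64}$/;

// Builds the attribute selector from the question, or returns null when the
// fragment is not a plain token; callers skip the lookup on null.
function fragmentToSelector(hash) {
  const frag = hash.replace(/^#/, "");
  if (!SAFE_FRAGMENT.test(frag)) return null;
  return '[name="' + frag + '"]';   // frag cannot contain '"', ']' or '<'
}

// Constructed sample, taken from the question's own test string.
const PAYLOAD = '<img src="" onerror="alert(document.cookie)">';

module.exports = { QUICK_EXPR, classify, fragmentToSelector, PAYLOAD };
```

With the legacy pattern the three selectors from the update classify exactly as the question reports; with the modern pattern only a string that begins with `<` is parsed as HTML, so the version of jQuery in use decides whether Checkmarx's finding is reachable.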
