Danger of old jQuery libraries
By Pakurity on Sat Mar 20 2021
What is jQuery?
How can it be compromised?
First, we need to check the jQuery version. In this example the site uses version 1.8.3, which is vulnerable.
After this check we can start the XSS attack. In this example we will alert “1”. We have an HTML form with an input field:
<form> <input id="test" placeholder="Enter malicious input here" size="30" value="INPUT" /> <input type="submit" value="Submit" /> </form>
After injecting our XSS payload into the input field and submitting the form, we will see an alert showing “1” on the webpage.
This vulnerability was fixed in jQuery version 3.5.0. If you update the jQuery library to the latest version (for example 3.6.0), this XSS code cannot be executed:
<style><style /><img src=x onerror=alert(1)>
In this article we have an example of a reflected cross-site scripting vulnerability. An attacker can modify a link to the website so that it carries malicious code, and that code will be executed in the victim's browser. As a result, sensitive information can be compromised or custom operations performed while impersonating the user's identity.
How to prevent it?
In this case it is a good idea to update the jQuery library to the latest version, as the developers have fixed this XSS vulnerability.
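One way to find copies that still need the update is to scan page source for jQuery references older than the fixed release 3.5.0 named above. This is an added example, not code from the original article; the function names and the sample HTML are constructed for illustration.

```javascript
// Added example: flag jQuery references older than the fixed release (3.5.0).
// Function names and the sample HTML below are constructed for illustration.
const FIXED = [3, 5, 0]; // release the article names as containing the fix

// Pull version strings from script URLs (jquery-1.8.3.min.js, /jquery/1.8.3/)
// and from the banner comment at the top of jQuery's distributed files.
function findJqueryVersions(text) {
  const patterns = [
    /jquery[-.\/@](\d+\.\d+(?:\.\d+)?)/gi,                   // file name or CDN path
    /jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)/g, // banner comment
  ];
  const found = new Set();
  for (const re of patterns) {
    for (const m of text.matchAll(re)) found.add(m[1]);
  }
  return [...found];
}

// Numeric comparison per component, so 1.12.4 sorts after 1.9 but before 3.5.0.
// A missing patch part counts as 0; pre-release suffixes are ignored.
function isBelowFixed(version) {
  const parts = version.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a < FIXED[i];
  }
  return false; // equal to the fixed release
}

function auditHtml(html) {
  return findJqueryVersions(html)
    .map((v) => ({ version: v, outdated: isBelowFixed(v) }));
}

// Constructed sample page: two script URLs, one plugin, one inlined banner.
const SAMPLE_HTML = `
<script src="/static/js/jquery-1.8.3.min.js"></script>
<script src="https://cdn.example/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="/static/js/jquery-ui-1.12.1.min.js"></script>
<script>/*! jQuery v3.4.1 | (c) JS Foundation */</script>
`;

for (const r of auditHtml(SAMPLE_HTML)) {
  console.log(`jQuery ${r.version}: ${r.outdated ? 'UPDATE (older than 3.5.0)' : 'ok'}`);
}
```

On a live page, `jQuery.fn.jquery` in the browser console reports the version that is actually loaded.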