1

Target code:

```javascript
// Snippet as posted; the trailing `return false` shows it was taken from inside
// an event handler (assumed), and the fragment is read straight from the URL.
if($(location.href.split("#")[1])) { // $() always returns a (truthy) jQuery object, so this never filters anything
  var target = $('#'+location.href.split("#")[1]); // fragment becomes part of an id selector
  if (target.length) {
    $('html,body').animate({
      scrollTop: target.offset().top - 160 //offset height of header here too.
    }, 1000);
    return false;
  }
}
```

It reads from location.href, so I thought about using an injection script like this: target-url.com/#"+alert(1)+"", escaping the string and placing an alert(1) to trigger an alert in the page. If I edit the script using Chrome Dev Tools, the script is successfully executed:

But when I try to inject this script through the URL and look at the browser console, I see a jQuery error:

`jquery.js?ver=1.11.3:2 Uncaught Error: Syntax error, unrecognized expression: %22+alert(1)+%22%22`. It appears to fail because it's replacing " with %22. But I need to escape the string scope, since location.href.split("#")[1] returns a string, and I need to leave the string scope to run the script.

Is there a way to bypass this URL encoding, or is this scenario not exploitable at all?

GGirotto
  • 113
  • 1
  • 4

1 Answer

4

> Is there a way to bypass this URL encoding

No, modern browsers correctly URL encode this value, and that cannot be bypassed.

But that's not the only problem. There's actually no double-quoted string here which you could escape with " (nor a single-quoted one which you could escape with ').

There was a jQuery vulnerability in earlier versions where $('#<img src=x onerror=alert(1)>') would lead to XSS, but that is fixed in recent versions.

$('<img src=x onerror=alert(1)>') still leads to XSS, but there is no way to get rid of the # (and the URL encoding would also still be in the way).

Given all of this, I would say that the code isn't vulnerable.

tim
  • 29,122
  • 7
  • 96
  • 120
  • Thanks for the quick answer @tim! So, can we say that `window.location.hash` is completely safe from XSS injections? Since it's not possible to get rid of `#` – GGirotto Mar 29 '20 at 17:34
  • @GGirotto I meant the `#` in `$('#'`, not from the URL. Nothing's ever completely safe, but at least in your example, it would only be exploitable for users who use severely outdated browsers (which don't URL-encode), and even that only if the app uses an outdated jquery version. There are other situations where incorrectly using `location.hash` can lead to DOM XSS (see eg the last example [here](https://security.stackexchange.com/a/219870/8754)) – tim Mar 29 '20 at 18:10
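A defender-side illustration of the answer's point, added here and not part of the question or the answer: the WHATWG `URL` parser (the same standard browsers follow) already percent-encodes the fragment, which is why `"` reaches jQuery as `%22`, and the robust way to use a fragment is to validate it as a plain id and look the element up with `getElementById` instead of building a selector. The `ANCHOR_ID` pattern, the function names and the stub document object are my assumptions.

```javascript
// Added example (not from the question or the answer): read an anchor id from
// the URL fragment without ever handing it to jQuery's selector/HTML parser.
// Works in Node and in browsers; `URL` follows the WHATWG URL Standard, which is
// also what browsers apply when they percent-encode the fragment.

// Assumed policy: only plain HTML ids are acceptable scroll targets.
const ANCHOR_ID = /^[A-Za-z][A-Za-z0-9_-]*$/;

// The fragment exactly as a browser stores it: characters such as " < > and
// space are already percent-encoded, so '"' arrives as '%22'.
function rawFragment(href) {
  const hash = new URL(href).hash;            // e.g. "#%22+alert(1)+%22%22"
  return hash.startsWith('#') ? hash.slice(1) : '';
}

// What the posted code builds and passes to $(): shown only to make the
// jQuery "unrecognized expression" error from the question reproducible.
function selectorFromHref(href) {
  return '#' + rawFragment(href);
}

// Hardened replacement: decode, then accept only a well-formed id (or null).
function anchorIdFromHref(href) {
  let id;
  try {
    id = decodeURIComponent(rawFragment(href));
  } catch (e) {
    return null;                              // malformed %-escape, e.g. "#%zz"
  }
  return ANCHOR_ID.test(id) ? id : null;
}

// Look the element up by id; `doc` is `document` in a browser (or a stub in tests).
// No selector or HTML string is parsed, so a crafted fragment never reaches the
// $('<img ...>') code path the answer mentions.
function findAnchorElement(doc, href) {
  const id = anchorIdFromHref(href);
  return id === null ? null : doc.getElementById(id);
}

// Browser usage (assumed names, same 160px header offset as the posted code):
// const el = findAnchorElement(document, location.href);
// if (el) window.scrollTo({ top: el.getBoundingClientRect().top + window.scrollY - 160 });
```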