Vulnerability impact range:
Any website that uses jQuery Mobile and also has an open redirect is exposed to XSS; no patch is available.
Application introduction:
jQuery Mobile is a component of the jQuery framework (not a mobile version of jQuery). It not only brings the jQuery core library to the mainstream mobile platforms, but also ships a complete, unified jQuery Mobile UI framework that supports all major mobile platforms. The jQuery Mobile development team said: "We are very excited to be able to develop this project." The mobile web also needs a cross-browser framework that lets developers build real mobile web sites.
More information:
The vulnerability was discovered by Eduardo Vela (sirdarckcat). While studying CSP bypasses over the past few months, he noticed that jQuery Mobile has a very odd behaviour: it takes the URL found in location.hash and ends up writing the result into innerHTML, so he decided to analyse the reasons in detail:
Vulnerability information:
1. jQuery Mobile checks whether there is anything in location.hash.
2. If location.hash contains a URL, it calls history.pushState with that URL. Since history.pushState cannot be called with a cross-origin URL, this alone prevents navigation to another domain.
3. It then loads that URL and writes the response into the page with innerHTML.
In theory this is safe, but if the site has any open redirect, the XSS exists: the URL passed to history.pushState is same-origin as far as jQuery Mobile is concerned, while the redirect delivers content from anywhere into innerHTML.
On February 8, 2017 the author contacted the jQuery Mobile team, who said: "We think this is an open redirect vulnerability, not a vulnerability in jQuery Mobile, and we are not going to update; if an update would break existing apps, a patch will not be released."
Test URL: http://jquery-mobile-xss.appspot.com/#/redirect?url=http://sirdarckcat.github.io/xss/img-src.html
Test code:
main.py

```python
import webapp2


class MainHandler(webapp2.RequestHandler):
    def get(self):  # pylint: disable-msg=invalid-name
        """Handle GET requests: serve a page that loads jQuery Mobile 1.4.5."""
        self.response.write("""<link rel="stylesheet" href="https://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.css"/><script src="https://code.jquery.com/jquery-1.11.1.min.js"></script><script src="https://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.js"></script>""")


class RedirectHandler(webapp2.RequestHandler):
    def get(self):
        """Handle GET requests: deliberately open redirect to the `url` parameter (the test case)."""
        self.redirect(str(self.request.get("url")))


app = webapp2.WSGIApplication([
    ('/redirect', RedirectHandler),
    ('/.*', MainHandler),
], debug=True)
```
app.yaml

```yaml
application: jquery-mobile-11
threadsafe: yes
handlers:
- url: /.*
  script: main.app
libraries:
- name: webapp2
  version: "2.5.2"
```
From a security practitioner's point of view: this XSS exists on every site that uses jQuery Mobile and also has an open redirect.
Also worth mentioning: even if the site uses a nonce-based CSP, the nonce can still be stolen through this DOM XSS, as described in "How to bypass CSP nonces with DOM XSS?".
[Figure: question activity for jQuery Mobile on Stack Overflow over time]
[Figure: usage chart]
Summary:
1. If your project does not need an open redirect, close it.
2. In the experience of seasoned practitioners, open redirects are a very common mistake and can be treated as a generic vulnerability (with some interesting uses). Whether or not the jQuery Mobile team considers this a vulnerability, for security practitioners the XSS exists.
3. The jQuery Mobile team also recommends reading and following their development documentation. Link
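Summary point 1 is the mitigation that actually removes the attack path, since jQuery Mobile's hash-driven loader only becomes dangerous once a same-origin endpoint bounces the browser elsewhere. The following is an added example, not code from the original post or from jQuery Mobile: a replacement for the demo's `/redirect` logic that accepts only same-origin targets. The origin `https://example.com`, the function names and the sample inputs are constructed for this example; rejected inputs cover scheme-relative URLs, userinfo tricks, backslash variants and non-http schemes.

```python
"""Added example (not from the original post): validate a redirect target
so the redirect endpoint cannot send a browser to a foreign origin."""
from urllib.parse import urlsplit, urlunsplit, urljoin

# Constructed origin for the example: where the demo app is served from.
SITE_ORIGIN = "https://example.com"


def safe_redirect_target(url, site_origin=SITE_ORIGIN):
    """Return an absolute same-origin URL to redirect to, or None to reject.

    Relative paths are resolved against the site origin. Absolute and
    scheme-relative URLs must match the site's scheme and host (including
    any port) exactly, so //evil.example, https://example.com@evil.example,
    https://example.com.evil.example and javascript: targets are all refused.
    """
    if not isinstance(url, str) or not url:
        return None
    # Whitespace and control characters are never legitimate in a target and
    # are a classic way to smuggle a scheme past naive prefix checks.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return None
    # Some browsers treat backslashes as slashes, so normalise before parsing;
    # otherwise "/\evil.example" would look like a relative path here but
    # behave like "//evil.example" in the browser.
    candidate = url.replace("\\", "/")
    try:
        site = urlsplit(site_origin)
        parts = urlsplit(candidate)
    except ValueError:
        # e.g. malformed IPv6 literals: refuse rather than guess.
        return None
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: scheme and host must match exactly.
        if parts.scheme.lower() != site.scheme.lower():
            return None
        if parts.netloc.lower() != site.netloc.lower():
            return None
        # Rebuild the URL from the trusted origin plus the requested path.
        return urlunsplit((site.scheme, site.netloc, parts.path or "/",
                           parts.query, parts.fragment))
    # Relative path: resolve against our own origin, which removes dot
    # segments and guarantees the result stays on this site.
    return urljoin(site_origin, candidate)


def resolve_redirect(url, site_origin=SITE_ORIGIN):
    """What the hardened handler would call: safe target or the site root."""
    target = safe_redirect_target(url, site_origin)
    return target if target is not None else site_origin + "/"


if __name__ == "__main__":
    # Constructed inputs: the first is the test URL's payload from the post.
    for sample in ("http://sirdarckcat.github.io/xss/img-src.html",
                   "//evil.example/x", "/\\evil.example",
                   "https://example.com@evil.example/", "/account",
                   "https://example.com/a?b=1"):
        print(repr(sample), "->", resolve_redirect(sample))
```

Exact host matching is deliberately strict: `https://example.com:443/` is rejected even though it is the same origin, because an explicit port that the site never emits itself is more likely to be probing than a real link. Loosen that only if the application genuinely generates such URLs.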
Vulnerability discovered by: Eduardo Vela (sirdarckcat)
Original: http://sirdarckcat.blogspot.com/2017/02/unpatched-0day-jquery-mobile-xss.html
[0day] jQuery Mobile XSS