
I have code like this:

$('.' + InjectionPoint).removeClass('classname');

where InjectionPoint is the part controlled by the end user. Apparently this code is vulnerable to DOM XSS, but is it really exploitable, and what should an attack vector look like?

Thanks


2 Answers


On what are you basing your belief that "this code is vulnerable to DOM XSS"?

Based on this answer, that was true in older versions of jQuery, but not in any version later than 1.6.3: https://stackoverflow.com/a/11170073/877682


1 Comment

It was a web security scanner that reported the issue, but I think you are right that it's not exploitable. But isn't there a way to evaluate expressions inside the selector, even just for development purposes?

This is definitely subject to XSS. Check out this article, which describes how an attacker might go about it: https://ttmm.io/tech/jquery-xss/

Basically, the author recommends that you use document.querySelectorAll() instead of the jQuery selector function. Someone commented that this is a non-issue for jQuery 1.7 and above, but don't quote me on that.

In general, it's never ever a good idea to trust what your users give you.

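The question asks what an attack vector would look like, and the two answers disagree on which jQuery versions are affected. The following is an added example (not code from the question, either answer, or the linked article) that models the decision jQuery's $() makes between "this string is HTML" and "this string is a selector", which is exactly what decides whether '.' + InjectionPoint can be exploited. The two regexes are transcribed from my reading of the rquickExpr in the jQuery 1.8.x and 1.9.x sources; treat them as an assumption and check the version you actually ship. The payload string and the SAFE_CLASS allowlist are my own constructed inputs, and the example also covers the #id fast path, which the question does not mention.

```javascript
// Added example, not code from the question or the answers.  It models how
// jQuery's $(string) decides between HTML and selector handling, so you can see
// why '.' + InjectionPoint was dangerous in old releases, and shows a hardened
// way to build the same selector.  Regexes are transcribed from my reading of
// jQuery 1.8.x and 1.9.x (rquickExpr); verify against the version you run.

// jQuery 1.8.x (and, as far as I recall, every release since 1.6.3, which only
// changed the '#' handling): any run of characters containing no '#' or '<'
// may precede the markup, so '.foo<img ...>' is still treated as HTML.
const RQUICK_OLD = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// jQuery 1.9+: the string must begin with '<' (after optional whitespace) to
// be treated as HTML, so anything prefixed with '.' always reaches the
// selector engine instead.
const RQUICK_NEW = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Classify a string the way $(string) would.  'html' means jQuery builds DOM
// nodes from it (an <img src=x onerror=...> fires its handler even before the
// node is inserted anywhere), 'id' is the #id fast path, and 'selector' means
// the string is handed to Sizzle, which throws a syntax error on stray '<'.
function classify(str, rquickExpr) {
  const match = rquickExpr.exec(str);
  if (match && match[1]) return 'html';
  if (match && match[2]) return 'id';
  return 'selector';
}

// The vector the question asks about: the user-controlled part is appended
// after a literal '.', so the payload only has to survive that prefix.
const PAYLOAD = 'x<img src=x onerror=alert(1)>'; // constructed sample input

function selectorOutcome(userInput) {
  const selector = '.' + userInput;
  return {
    selector,
    oldJQuery: classify(selector, RQUICK_OLD), // 'html' for PAYLOAD
    newJQuery: classify(selector, RQUICK_NEW), // 'selector' for PAYLOAD
  };
}

// Hardened version: do not let the selector grammar see user input at all.
// A class name matching this allowlist (a CSS identifier subset, my choice)
// cannot change the meaning of the selector; anything else is rejected rather
// than escaped.
const SAFE_CLASS = /^-?[_a-zA-Z][_a-zA-Z0-9-]*$/;

function buildClassSelector(userInput) {
  if (typeof userInput !== 'string' || !SAFE_CLASS.test(userInput)) {
    throw new Error('rejected class name: ' + JSON.stringify(userInput));
  }
  return '.' + userInput;
}

// In a browser you would then call
//   document.querySelectorAll(buildClassSelector(InjectionPoint))
// or $(buildClassSelector(InjectionPoint)).removeClass('classname'),
// so an invalid name throws before any selector or HTML parsing happens.
```

Run selectorOutcome(PAYLOAD) to see the split: the old regex reports 'html' (the img element gets created and its onerror runs, which is the exploit), the new one reports 'selector' (Sizzle rejects the string, no markup is parsed). Whichever jQuery you run, buildClassSelector keeps the selector grammar out of reach of the user entirely, which is the property a scanner finding like this is really asking you to establish.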
