Let's start with what jQuery and XSS are.
jQuery is a JavaScript library that simplifies DOM manipulation. A cross-site scripting (XSS) attack occurs when an attacker injects malicious code, usually client-side script, into the content of a web page that users see as benign and trustworthy.
So what does this vulnerability do?
jQuery used a regex in its jQuery.htmlPrefilter method to ensure that closing tags in HTML passed to its methods were XHTML-compliant. Because the prefilter rewrites the string before it is parsed, the markup the browser ends up with can differ from the markup a sanitizer approved. The developers behind jQuery described the moderate severity vulnerability as something that only came into play in “edge cases where parsing would have unintended consequences”. The XSS vulnerability resolved last month meant that “passing HTML from untrusted sources – even after sanitizing it – to one of jQuery’s DOM manipulation methods (such as .html(), .append(), and others) may execute untrusted code,” according to the write-up on GitHub.
How to find the jQuery version used?
- First, examine the source code of the page to find the jQuery version in use.
- One of the most effective methods is to type the command console.log($.fn.jquery) in the developer console.
Mitigation and Remediation
What should be done to protect a system from the jQuery XSS vulnerability?
- If the jQuery version in use contains an XSS vulnerability, it should be updated to the latest version.
- The jQuery version should be checked frequently to see if there are any vulnerabilities.
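The two version checks above (reading the page source and querying $.fn.jquery) can be turned into a repeatable audit, which also covers the advice to check the version frequently. The script below is an added example, not code from the original page or from the jQuery project. The sample HTML, the function names and the MIN_FIXED threshold are assumptions made for illustration; take the real threshold from the jQuery advisory.

```javascript
// Constructed sample page source; paths, hosts and version numbers are made up.
const SAMPLE_HTML = `
<script src="/static/js/jquery-1.2.3.min.js"></script>
<script src="https://cdn.example.test/jquery/4.5.6/jquery.min.js"></script>
<script src="/js/jquery.validate.min.js"></script>
<script src="/js/jquery.min.js?ver=7.8.9"></script>
<script src="/js/jquery.min.js"></script>`;

// Placeholder threshold: replace with the fixed release named in the jQuery advisory.
const MIN_FIXED = "4.0.0";

// "1.12" -> [1, 12, 0]; pre-release suffixes such as "-rc.1" are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// True when `found` is lower than `minFixed`, compared numerically part by part.
// In the browser console the same check is isOlderThan($.fn.jquery, MIN_FIXED).
function isOlderThan(found, minFixed) {
  const a = parseVersion(found), b = parseVersion(minFixed);
  if (!a || !b) throw new Error("unparseable version");
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Collect <script src> values that load jQuery core (not plugins such as
// jquery.validate) and pull the version out of the path or query string.
function findJqueryScripts(html) {
  const found = [];
  const scriptRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const coreRe = /(?:^|\/)jquery(?:[-.]\d|\.min\.js|\.js|\/)/i;
  for (const m of html.matchAll(scriptRe)) {
    const hit = coreRe.exec(m[1]);
    if (!hit) continue;
    const v = /\d+\.\d+(?:\.\d+)?/.exec(m[1].slice(hit.index));
    found.push({ src: m[1], version: v ? v[0] : null });
  }
  return found;
}

// "unknown" means the URL carries no version: check $.fn.jquery at runtime.
function audit(html, minFixed) {
  return findJqueryScripts(html).map((s) => ({
    ...s,
    status: s.version === null ? "unknown" : isOlderThan(s.version, minFixed) ? "outdated" : "ok",
  }));
}

console.log(audit(SAMPLE_HTML, MIN_FIXED));
```

Run it with Node against saved page source, for example in a scheduled job, and treat every "outdated" or "unknown" entry as something to follow up.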