jQuery 3.5.0 Released! | Official jQuery Blog
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
The bugs are regsited as CVE-2020-11022 and CVE-2020-11023:
https://github.com/advisories/GHSA-gxr4-xjj5-5px2
https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
In this article, I'd like to explain the bugs' details.
Overview of Problems
The application which has the following features is affected:
- The application allows users to write any HTML (but it is sanitized)
- The application dynamically appends the sanitized HTML with jQuery
The following code is an example of a such application:
<div id="div"></div>In this situation, if the sanitization is performed properly, it looks like that usually XSS does not occur since it just appends the sanitized safe HTML. However, actually,
<script>
//Sanitized safe HTML
sanitizedHTML = '<p title="foo">bar</p>';
//Just append the sanitized HTML to <div>
$('#div').html(sanitizedHTML);
</script>
.html()
does the special string processing internally and it caused XSS. This is the issue which I'll explain in this article.PoCs
There are many variations but I'll show basic three PoCs. Usually, JavaScript is not executed from the following HTMLs:
PoC 1.
<style><style /><img src=x onerror=alert(1)>
PoC 2. (Only jQuery 3.x affected)
<img alt="<x" title="/><img src=x onerror=alert(1)>">
PoC 3.You might think there is an img tag which has an onerror attribute, but if you check carefully, actually, it is placed in the attribute or inside of the style element, you will notice that it is not executed. So, even if those HTMLs are generated by an HTML sanitizer as the sanitized HTML, it is not unnatural at all.
<option><style></option></select><img src=x onerror=alert(1)></style>
However, in all cases, if the HTML is appended via jQuery
.html()
, JavaScript is executed unexpectedlly.You can test each PoC in:
https://vulnerabledoma.in/jquery_htmlPrefilter_xss.html
Next, I'll explain why it happens.
CVE-2020-11023: Root cause (PoC 1,2)
The PoC 1 and 2 have the same root cause. Within the
.html()
, the HTML string passed as the argument is passed to the $.htmlPrefilter() method. The htmlPrefilter
performs the processing for replacing the self-closing tags like <tagname />
to <tagname ></tagname>
, by using the following regex:rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/giIf the PoC 1's HTML passes through this replacement, the output will be:
[...]
htmlPrefilter: function( html ) {
return html.replace( rxhtmlTag, "<$1></$2>" );
}
> $.htmlPrefilter('<style><style /><img src=x onerror=alert(1)>')The yellow part is the replaced string. Due to this replacement, the
< "<style><style ></style><img src=x onerror=alert(1)>"
<style />
inside the style element is replaced to <style ></style>
and as the result, the string after that is kicked out from the style element. After that, the .html()
assigns the replaced HTML to innerHTML
. Here, the <img ...>
string becomes an actual img tag and it fires the onerror event.By the way, the above regex is used in jQuery before 3.x. Since 3.x, another regex which is a bit modified is used:
https://github.com/jquery/jquery/commit/fb9472c7fbf9979f48ef49aff76903ac130d0959#diff-169760a97de5c86a886842060321d2c8L30-R30
rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi
This change introduced another XSS vector which can cause XSS by more basic elements and attributes only. The PoC 2's vector is introduced by this change. It works on jQuery 3.x only.
> $.htmlPrefilter('<img alt="<x" title="/><img src=x onerror=alert(1)>">')In this case, the <img ...> string on the attribute's value is kicked out and XSS happens.
< "<img alt="<x" title="></x"><img src=x onerror=alert(1)>">"
I explained the root cause of PoC 1 and 2. How did the jQuery team fix this?
The Fix (PoC 1,2)
$.htmlPrefilter()
method to an identity function. Therefore, the passed HTML string is no longer modified by the htmlPrefilter
function now.https://github.com/jquery/jquery/commit/90fed4b453a5becdb7f173d9e3c1492390a1441f#diff-169760a97de5c86a886842060321d2c8L201-R198
However, this did not solve all XSS issues. Inside the
.html()
, another string processing is performed and introduces another problem (PoC 3).CVE-2020-11022: Root cause (PoC 3)
.html()
, if the tag that appears at the beginning of the HTML which is passed as an argument is one of specific tags, jQuery tries to wrap it with another tag once and do the next processing. This is because some tags are automatically removed due to the HTML's specification or browser's bug if there is no wrapping processing.The opiton element is one of such elements - in MSIE9, due to its bug, the option element is automatically removed when it is assigned to
innerHTML
, if it is not wrapped with the select element.To deal with this, jQuery tries to wrap the entire passed HTML string including that element with the
<select multiple='multiple'>
and </select>
if the passed HTML string's first element is the option element.https://github.com/jquery/jquery/blob/3.4.1/src/manipulation/wrapMap.js#L9
The actual wrapping processing is done in:
https://github.com/jquery/jquery/blob/d0ce00cdfa680f1f0c38460bc51ea14079ae8b07/src/manipulation/buildFragment.js#L39
The issue of PoC 3 happens via this wrapping processing. If the PoC 3's HTML passes through this wrapping processing, the HTML will be:
<select multiple='multiple'><option><style></option></select><img src=x onerror=alert(1)></style></select>When this HTML is assigned to
innerHTML
in the jQuery's internal code, JavaScript is executed.The reason why the script is executed is in the
<select>
tag's parsing.The <select>
does not allow putting HTML tags except the option, optgroup, script and template element inside that element. Due to this specification, the inserted <style> is just ignored, the </select>
inside the <style>
becomes an actual select element's closing-tag, and then <select>
block is closed there. Eventually, the next <img ...>
is kicked out from the <style>
and the onerror event fires -> XSS. This was the root cause.The Fix (PoC 3)
jQuery Team fixed this issue by applying the wrapping procesing to MSIE9 only.
https://github.com/jquery/jquery/commit/966a70909019aa09632c87c0002c522fa4a1e30e#diff-51ec14165275b403bb33f28ce761cdedR25
MSIE9 is not vulnerable to this issue because MSIE9's
<select>
parsing is a bit special (yes, it's wrong). Therefore, applying the wrapping processing to MSIE9 only can solve this problem.For your information, these issues exist not only in
.html()
, but also in .append()
, $('<tag>')
etc. Basically, the issue happens via the APIs in which the $.htmlPrefilter()
method or wrapping processing is used internally.Update it
If your application is appending the sanitized HTML via the jQuery functions, you should update to 3.5.0 or higher. If an updating is hard in some reason, I recommend sanitizing the HTML by using DOMPurify, which is XSS sanitizer. DOMPurify has a
SAFE_FOR_JQUERY
option and it can sanitize with considering the jQuery's behavior. You can use that, like this:<div id="div"></div>Note that DOMPurify had the bypass in
<script>
unsafeHtml = '<img alt="<x" title="/><img src=x onerror=alert(1)>">';
var sanitizedHtml = DOMPurify.sanitize( unsafeHtml, { SAFE_FOR_JQUERY: true } );
$('#div').html( sanitizedHtml );
</script>
SAFE_FOR_JQUERY
recently. Please make sure that you use 2.0.8 or higher.In the end
I started to investigate this issue from XSS challenge by @PwnFunction:
https://xss.pwnfunction.com/challenges/ww3/
Actually, the some of these bugs were known and it was the expected solution of this challenge. (You can find that fact in the DOMPurify's change log. It was already known in 2014 at least and DOMPurify has the
SAFE_FOR_JQUERY
option since 2014. )With the challenge as a trigger, I started to read jQuery's source code again and I noticed another vector (PoC 2), which is not mentioned publicly. Since this vector can allow XSS with the easy elements and attributes only, I thought many applications are vulnerable. When I actually investigated it, I found some vulnerable apps immediately. I reported it to the developer of the affected applications, at the same time I thought that this issue should be fixed by jQuery side, so I decided to report this to jQuery team. The jQuery team were quick to address the issues, even though they had to make breaking changes. Thank you jQuery team. Also, thanks to @PwnFunction, the creator of the XSS challenge, who gave me an opportunity to investigate this issue.
That's it. I hope this article helps for securing your web application or finding bugs.
nice post :D
ReplyDeletegood post
ReplyDeleteHC05,HC06
ReplyDeleteBM77
Bluetooth Modules
ReplyDeleteWiFi Modules
Beacons
Development Board
Bluetooth Adapter
Beacon
ReplyDeleteBluetooth Beacon
long range beacon
waterproof beacon
Mini beacon
USB powered beacon
rechargeable beacon
long range beacon
Nice post
ReplyDeleteThanks for sharing, this article is very insightful and useful for student looking for java programming help, keep sharing more.
ReplyDeleteSo delighted to have visit this amazing blog, very much excited to have read through your page, really appreciate you for this fantastic reads, I definitely liked every part of it and I look forward to reading new article information in your site. Thanks for sharing. SSU departmental cut off mark
ReplyDeletehello
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
Deletebaby
ReplyDeletebd
ReplyDeletemmm
ReplyDeletegg
ReplyDeletesome helpless applications right away. Do My Essay announced it to the engineer of the impacted applications, simultaneously felt that this issue ought to be fixed by jQuery side.
ReplyDeleteThere is always need of Essay writing services across the globe being the sociology student I was assigned Essay Assignment which had a very short deadline so I needed someone to Do my Essay in order to do the same I needed Essay help from the experts I tried for Greatassignmenthelper.com they are great in their high quality content and on time submission.
ReplyDeleteInteresting novel
ReplyDeleteLonely Days by Bayo Adebowale summary
Your blogs are great.Are you also searching for Nursing assignment writers ? we are the best solution for you. We are best known for delivering great nursing assignments.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteCVE-2020-11022 says affected versions are from 1.2 and
ReplyDeleteCVE-2020-11023 says affected versions are from 1.0.3
How can we deteremine which versions are affected by this vulnerability? Should we track down to regex function? or without htmlPrefilter function it should be fine? If the second case is correct, htmlPrefilter has been used since 1.12.0.
Also if regex is the problem, quickExpr has been used from 1.4.0 but there has been regex function from version 1.0.1.
With 4G+, MTN can deliver speeds of up to 200 Mbps. This will translate to even much faster downloads, a better streaming experience, and even clearer video calls on MTN's 4G LTE network. Learn how to upgrade MTN 3G SIM to 4G LTE fast.
ReplyDeleteTop War is an innovative strategy game featuring merge to upgrade gameplay, no more long upgrade waiting times, just download the new version of top war game modded apk and play until you get tired.
ReplyDeleteThis hat file download link helps you download the ha tunnel plus vpn config file for unlimited free browsing.
ReplyDeleteI have enjoyed your blog a lot and I will surely suggest the gel you are using to my girlfriend. My girlfriend is also a hairstylist and she is very good at it. And I will share your blog with her as the steps shared in it are so mesmerizing. And yes, apart from this can you tell me that where can I find the best buy IT thesis service provider? This is because I have loads of assignments and I cannot complete them on my own. I will wait for your response.
ReplyDelete총판출장샵
ReplyDelete총판출장샵
총판출장샵
고고출장샵
심심출장샵
남양주콜걸
의정부콜걸
제천콜걸
횡성콜걸
충주콜걸
Your blogs are great. Self motivation in Tamil
ReplyDeleteWow it's a very good post. The information provided by you is really very good and very informative.
ReplyDeleteWedding Venues Alberta
motivational blog post.
ReplyDeleteAccess Bank Live Chat Whatsapp – Faster Response for Access Bank Users
It’s really a nice and useful piece of information. I am glad that you shared this useful information with us. Please keep us to date like this .thank you for sharing
ReplyDeleteley de divorcio en virginia
bankruptcy atty near me
Nice post thanks for sharing
ReplyDeleteTech
Great writup.. Keep it up!
ReplyDeletenice websites
ReplyDeleteLoans & App
It’s really a nice and useful piece of information. I am glad that you shared this useful information with us. melasma treatment mississauga on
ReplyDeleteThanks for your beautiful blog sharing for us and I gained more information about this. Conference Hall
ReplyDeleteThe information provided by you is really very good and very informative.
ReplyDeleteBell's Palsy Mississauga
The Fix" is a term that can refer to various things depending on the context. It is often used to describe solutions or improvements made to correct issues or Abogados de Disputas Contractuales Cerca Míproblems in different areas, such as technology, software, personal matters, or substance abuse recovery. Without specific context, it's essential to clarify the particular "Fix" you're referring to truck accident lawyer.
ReplyDeleteDear Masato-san, I am a security researcher in Taiwan and have been grateful to your many knowledge sharing in your blogs. I am going to give a talk about security in Tokyo on Nov 27, in particular, one Japan public sector website is vulnerable to this CVE that you discovered. If you are in town, come join us! https://event-entry.net/akamai/techday/2023/, so that I can thank you in person.
ReplyDeleteGenerate QR codes with ease using the Free QR Code Generator provided by qrgateway.com. It's a quick and efficient way to create custom QR codes.
ReplyDeleteIn this present circumstance, assuming the sterilization is performed appropriately, it seems to be that normally XSS doesn't happen since it simply attaches the disinfected safe HTML. Nonetheless, as a matter of fact, .html() does the exceptional string handling inside and it caused XSS. This is the issue which I'll make sense of in this article.
ReplyDeletechapter 7 bankruptcy near me
lawyers near me bankruptcies
lasik surgery Texas offers a popular option for vision correction, using advanced laser technology to reshape the cornea and improve eyesight. Many reputable clinics and experienced surgeons are available in major cities like Dallas, and Austin. The procedure is relatively quick, typically taking less than 30 minutes, and has a high success rate.
ReplyDeleteMost patients experience significantly improved vision within 24 hours. Texas residents considering LASIK should ensure their surgeon is board-certified and check for patient reviews. Additionally, it's important to discuss potential risks and benefits with the surgeon during a consultation to determine if LASIK is the right choice for them.
Debug your code with ease! Just as a fine fragrance from perfumes in Pakistan can freshen up your day, resolving coding bugs can clarify your code and boost productivity. Identify and fix errors with precision and get back to coding with confidence. Clean code, clear mind.
ReplyDeleteCVE-2020-11022/CVE-2020-11023: jQuery 3.5.0 Security Fix Details reviews critical vulnerabilities in jQuery 3.5.0, where attackers could exploit cross-site scripting (XSS) flaws. The article explains how the fixes address unsafe HTML handling, significantly enhancing user security. It’s a must-read for developers needing to secure applications reliant on jQuery. Reckless Driving Lawyer Smyth VA
ReplyDeleteLooking to stay updated on marble prices in Pakistan Check out this detailed guide to find the best deals and compare rates across various marble types. Whether you're planning a renovation or simply exploring options, knowing the latest prices can help you make a smart choice!
ReplyDelete