JQuery Code alert neatly produced by DetectJQuery user script!

polonus · 2015-03-27T00:17:23.000Z

Code JS Query alert on page: meta-header.php - Undefined property: stdClass::$1
PHP Error was encountered when trying to get property of non-object in www wp content content theme nieuws//…///meta-header.php on website: htxp://nieuws.nl/
echo $row->$id; should be changed to echo $row->id; Info credits: newman
db function should be used to fetch results, Info credits Girish

I use DetectJQuery user script with Tampermonkey inside Google Chrome.
There is where this webpage turned up the code alert ;D

See: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http://nieuws.nl/wp-content/themes/nieuws_hoofd/assets/vendor/jquery/dist/jquery.min.js&acceptheader=&useragentheader=

Update: the alert subsided. Might have been just silenced: http://php.net/manual/en/language.operators.errorcontrol.php

polonus

polonus · 2015-03-27T14:36:25.000Z

My Tampermonkey detectJQuery script alerted me to JQuery version 1.7.2 used on a website
and so I could conclude this version is vulnerable to Selector XSS with class Attribute (‘. XSS_VECTOR’)
cross site scripting attacks, read:
http://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
Nice introduction to the theme and description from Mike Shema here:
http://deadliestwebattacks.com/tag/jquery/

polonus

polonus · 2015-03-27T15:05:21.000Z

On this site I detect jQuery 1.8.2 vulnerabilities → http://webwereld.nl/
and found it vulnerable to malicious javascript code injections, read: http://stackoverflow.com/questions/11169894/can-malicious-javascript-code-be-injected-trough
info credits go to Mahn.
And also found vulnerable here: http://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003

polonus

polonus · 2015-03-27T16:47:35.000Z

Just another example here: http://ruwix.com/online-rubiks-cube-solver-program/solution.php?cube=0122211641214526461312335554336644342365352636411465525&x=1
JQuery 1.3.2 enabled Vulnerable version: http://stackoverflow.com/questions/25751829/jquery-cross-site-scripting-what-was-this

polonus

P.S. More outdated software on that particular website: HTTP Server: nginx (Cloudflare)
PHP Version: 5.2.17 (Outdated) → http://www.cvedetails.com/version/106044/PHP-PHP-5.2.17.html

D

polonus · 2015-03-27T23:27:42.000Z

Realizing the jQuery version issues everywhere, I just launched the Online Lint and had some JQuery code from here:
http://www.webpagescreenshot.info/img/5515e61ac6eb29-30626131
JQuery version 1.11.1 and the output of js! Lint Online: http://www.webpagescreenshot.info/img/5515e64d7e4495-32699518 and what should be done to comply with coding standards. → http://javascript.crockford.com/code.html
On that website:
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwhisper.pr&useragent=Fetch+useragent&accept_encoding=
we find JQuery versions 1.11.1 and 1.2.1 and again the JQuery versions are almost never updated and reflect the version of the time of creation.

polonus

Donovan · 2015-03-28T00:03:15.000Z

Hi Polonus,

Most website owners don’t have a server script to automatically update jQuery and other libraries. Just viewing the source of a random site I use makes use of a jquery-latest.js, which is actually jQuery 1.6.2, not at all the latest.

There is a recorded vulnerability for jQuery 1.6.3 and below here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969 There could be more out there and this does not put the website in a good position, especially if it makes use of potential injection-prone code.

~!Donovan

polonus · 2015-03-28T13:43:22.000Z

Hi !Donovan,

I wonder if this vulnerability described in the following link is still open (well it has been patched at long last): http://webcache.googleusercontent.com/search?q=cache:UGkNI5vxC_UJ:sijmen.ruwhof.net/weblog/256-cross-site-scripting-in-millions-of-web-sites+&cd=3&hl=nl&ct=clnk&gl=nl
They finally fixed this in November 2014: http://www.securityweek.com/developers-fix-xss-vulnerability-jquery-validation-plugin-script
Most vulnerabilties for JQuery are of a Cross Site Scripting nature, well lest other security measures has not been brought into place.

In addition, developers usually use jQuery libraries as a plug-and-play product, which doesn't require maintenance apart from library updates.
Because jQuery libraries are minified and infrequently reviewed by those using them, jQuery becomes a good place to hide malicious code. Such malicious code usually attempts to deliver malware to as many users as possible.

Quote from Ben-Hayak.

Just to show how easy this is to inject JQuery onto any webpage that has not got it, use this bookmarklet

 javascript:var element1=document.createElement("script");element1.src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js";element1.type="text/javascript";document.getElementsByTagName("head")[0].appendChild(element1);

Inspiration for the bookmarklet from http://ww1.tutkiun.com/2010/07/load-javascript-after-pageload.html
Info credits go to: brandonmartinez. (only use bookmarklet on sites you are authorized to)

polonus

Announcements