BlackFan / client-side-prototype-pollution

Prototype Pollution and useful Script Gadgets
1.37k stars, 195 forks

Current latest version of jQuery (3.7.1) prototype pollution #20

Closed. halfluke closed this 1 month ago.

halfluke commented 1 month ago

Hello,

I am no good at all with JavaScript, but I noticed that several of your payloads work with the current jQuery version - in fact it's mentioned "jQuery all versions". However, other sources state that there are no known vulnerabilities for jQuery 3.7.1. How is that possible, if both DOM Invader and payloads from here work on my target using version 3.7.1? Should a CVE be submitted? Has jQuery decided to "not fix"? I am a bit lost here. Thanks.

halfluke commented 1 month ago

Any suggestions? I am still wondering why there are no CVEs for prototype pollution in recent, even current, versions of jQuery, when it's clear from your POCs (and the finding in my latest pentest, which I of course cannot disclose) that exploitable prototype pollution still exists. Also, I have traced the innerHTML sink in jQuery 3.7.1 min, but I am not a JS expert and I do not know exactly which jQuery feature/function is affected. At the moment I can only suggest that the client not use jQuery at all.

BlackFan commented 1 month ago

Hello,

The prototype pollution script gadget itself is not a vulnerability. Without the ability to define values in an Object's prototype, it cannot be used, so developers do not fix this behavior.

You need to find a vulnerable function that unsafely converts location.search variables into an object and replace it with a safe one.

halfluke commented 1 month ago

Wait a second... what am I missing here? From what I understood, PP cannot always be exploited, but if it can, it is a vulnerability. In my case I can trigger an alert with one of the payloads. It's an XSS. If I provide the full URL with the payload to the victim and they click it, it triggers an XSS and in theory I can have their session token exfiltrated, or other actions executed via JS. I am just not sure exactly which function is affected because I am not that good with JS, although I have traced the code. What am I missing? Are you suggesting that the vulnerable function is NOT in jQuery, so it's not a jQuery problem? In DOM Invader the stack trace points to a couple of "anonymous" frames and then directly to jQuery.

rootxharsh commented 1 month ago

What am I missing? Are you suggesting that the vulnerable function is NOT in jQuery?

Yes. As @BlackFan mentioned, you have to find a vulnerable function that converts location.search/hash into an object, thus allowing prototype pollution. You found that function in some other code and are now utilising this gadget to convert that pollution into XSS.
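To make the distinction drawn by BlackFan and rootxharsh concrete, here is an added example (not code from this repository, and not jQuery's code) that separates the two halves of a client-side prototype pollution chain. `parseQueryUnsafe` is a hypothetical application-side query-string parser that writes bracket keys into a plain object without filtering `__proto__`; that parser is the actual vulnerability, the thing to fix. `gadgetRender` is a stand-in for library code that merges caller options over defaults and feeds an `html` option to an HTML sink; it is harmless on its own, which is why a library author does not treat it as a bug, and only becomes an XSS once something else has written into `Object.prototype`. The function names, the `html` option and the payload are all assumptions made for the example; the real jQuery gadgets are the ones documented in this repository.

```javascript
// Added example, not the repository's or jQuery's code. Runs under Node:
// the query string is passed in as a parameter instead of read from
// window.location.search.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "?k=v&k2=v2" into [key, value] pairs, decoding each side once.
// indexOf is used rather than split("=") so that "=" inside a value survives.
function splitPairs(search) {
  const pairs = [];
  for (const pair of search.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    pairs.push([decodeURIComponent(rawKey), decodeURIComponent(rawVal)]);
  }
  return pairs;
}

// Hypothetical VULNERABLE parser: "a[b][c]=d" becomes { a: { b: { c: "d" } } }.
// Because the root is a plain {} and key names are not checked,
// "__proto__[html]=x" walks into Object.prototype and assigns html there.
function parseQueryUnsafe(search) {
  const result = {};
  for (const [key, val] of splitPairs(search)) {
    const path = key.replace(/\]/g, "").split("[");
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== "object" || cur[path[i]] === null) {
        cur[path[i]] = {};
      }
      cur = cur[path[i]]; // for "__proto__" this is Object.prototype
    }
    cur[path[path.length - 1]] = val;
  }
  return result;
}

// Hardened parser: null-prototype containers (no inherited __proto__ setter)
// plus an explicit reject list for the keys that reach Object.prototype.
function parseQuerySafe(search) {
  const result = Object.create(null);
  for (const [key, val] of splitPairs(search)) {
    const path = key.replace(/\]/g, "").split("[");
    if (path.some((seg) => DANGEROUS_KEYS.has(seg))) continue; // drop the pair
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== "object" || cur[path[i]] === null) {
        cur[path[i]] = Object.create(null);
      }
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = val;
  }
  return result;
}

// Stand-in gadget (hypothetical, not jQuery's code): library-style code that
// merges options over defaults and, if an `html` option is present, sends it
// to an innerHTML-style sink. Nobody passes `html`, so with a clean prototype
// the safe textContent branch is always taken. The returned string records
// which sink was hit so the behaviour can be checked without a DOM.
function gadgetRender(userOpts) {
  const opts = Object.assign({}, { text: "" }, userOpts);
  if (opts.html !== undefined) {
    return "innerHTML <- " + opts.html; // XSS sink reached via the prototype
  }
  return "textContent <- " + opts.text;
}

// Run one parser over a URL query, then invoke the gadget with options that
// never mention `html`. Pollution is undone afterwards so the demo is
// repeatable and does not leak into other code in the same process.
function demo(parser, search) {
  parser(search);
  try {
    return gadgetRender({ text: "hello" });
  } finally {
    delete Object.prototype.html;
  }
}

// Constructed attacker URL query: the bracket syntax the parser accepts, with
// the payload percent-encoded as it would be in a real link.
const PAYLOAD = "?__proto__[html]=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

console.log("unsafe parser:", demo(parseQueryUnsafe, PAYLOAD));
console.log("safe parser:  ", demo(parseQuerySafe, PAYLOAD));
```

Both parsers accept the same legitimate input (`?a[b]=c` still yields `a.b === "c"`), which is the point of the fix: the remediation lives in the code that turns `location.search` into an object, not in the library whose gadget fires afterwards. When tracing a finding like the one in this thread, the frame to look for in the stack is the one that first writes a `__proto__`-derived key, not the jQuery frame where the sink is reached.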

halfluke commented 1 month ago

Ahhh I see, thank you! So now the problem for me is to trace/find the actual vulnerable function :-(

halfluke commented 1 month ago

thanks again.