Is there a good way to address the XSS vulnerability in jQuery (v1.4.3)?

Asked 2 years ago, Updated 2 years ago, 47 views

Nice to meet you.

An XSS vulnerability has been identified by a specialist on the website that is about to launch.

The content is...

A non-latest version of jQuery is being used.
We recommend using a newer version of jQuery because older versions of jQuery report vulnerabilities such as cross-site scripting.

That's what they said.

The jQuery version on the website is v1.4.3, so it's definitely old. However, I think it is very dangerous to upgrade the jQuery version casually, because if you choose the new version, you will no longer be able to use what you have used until now, and the specification changes will affect the operation of the website's screens.

Also, jQuery is frequently upgraded, so I feel it's very unrealistic that we have to replace it with the latest version of jQuery every time we upgrade.

Is there any good way to address XSS in jQuery?
Please give me some advice.

jquery xss

2022-09-29 22:46

3 Answers

A non-latest version of jQuery is being used.
Older versions of jQuery report vulnerabilities such as cross-site scripting...

This point refers to CVE-2011-4969, a vulnerability that exists in jQuery versions below 1.6.3. XSS caused by the application code is not pointed out. Depending on the audit content, simple tool-based diagnostics definitely do not cover application code, and they cannot determine whether a vulnerability caused by the application code exists. The answer below also does not consider addressing vulnerabilities caused by application code.

The general principle is:

  • Apply security updates as soon as possible
  • Apply non-security updates as appropriate, taking into account the changes and the development status

If you leave it at an older version just because the updates are not security updates, you will also have to rush through the incompatibilities of the version upgrade when a vulnerability is found. To avoid this, you need to keep up with the latest version to some extent. That is what "as appropriate" means.

It is important to know, if a vulnerability is found now, which version addresses it and how much verification or modification would be required to update to that version.

However, as an exception to what to do when a security update is released, if you have a thorough understanding of the vulnerability details and:

  • You can clearly determine that the attack path does not exist in your environment
  • A trusted workaround is applied
  • The application code side takes action

then in some cases you may decide that the update can be delayed to some extent. You should not listen to the opinions and workaround suggestions of people who do not know your environment, as the decision in this case depends on the individual environment. If you are unable to make that decision yourself, please follow the principle and update quickly.

I think it is very dangerous to upgrade the version of jQuery easily because if you choose the new version, you will no longer be able to use what you used until now, and the specifications will change and affect the operation of the website's screen.

You are absolutely right on this point. It is only natural that you should consider the need for a version upgrade and verify the operation.

However, the vulnerability pointed out in jQuery 1.4.3 is probably the XSS vulnerability that exists below 1.6.3. This was made public in 2011. 1.4.3 was released in 2010. If you are using a product from 4 years ago and have neglected an issue from more than 3 years ago, that is far beyond the level that "it's dangerous to update casually" can excuse.

Also, there should not have been any security updates to jQuery itself since then. Therefore,

I don't think it's realistic that we have to replace jQuery with the latest version for XSS every time there is an upgrade.

is beside the point.

On another note.

I am very worried about whether everything other than jQuery is okay. Even on a web server that serves only HTML+JavaScript, have you addressed the recent high-profile vulnerabilities in the OS itself, such as Heartbleed and Shellshock? If an off-the-shelf product such as a CMS is running, is that okay? I hate to imagine it, but if a non-off-the-shelf (self-made or outsourced) web application is running, have you had a separate security audit specifically for that application?

It is a pretty serious situation to have a vulnerability in jQuery 1.4.3 left unattended on a business-run website and not know what to do. I don't know what kind of audit you received, but if jQuery is the only thing pointed out, I think it was a simple audit that checks software versions and some settings from the outside. If you are running more than a static HTML+JavaScript website, I strongly recommend that you have a detailed security audit of your system and consult on operations. (If a serious incident happens, you will be the one held accountable, won't you?)


2022-09-29 22:46
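The "application code side takes action" option above can be made concrete. This is an added example, not code from the question or from any answer: it reproduces the classification jQuery's $() applied to a string before and after 1.6.3 (CVE-2011-4969) and shows a guard an application still on 1.4.3 could place in front of $(); the regexes are my transcription of the old source (assumption: minor details may differ) and tabSelectorFromHash is a constructed call site.

```javascript
// Added example (not code from the question or any answer on this page).
// Before jQuery 1.6.3, $() used a regex that treated a string as HTML when a
// tag appeared ANYWHERE in it, so an untrusted selector string (for example a
// URL fragment) could be parsed as markup: this is CVE-2011-4969. From 1.6.3
// on, a string starting with "#" is never HTML. The regexes below are my
// transcription of those two checks (assumption: minor details may differ).
const QUICK_EXPR_PRE_163 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]+)$)/;
const QUICK_EXPR_163 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Classify a $() argument the way the given quickExpr would.
function classify(input, quickExpr) {
  const m = quickExpr.exec(input);
  if (m && m[1] !== undefined) return "html";   // parsed as markup
  if (m && m[2] !== undefined) return "id";     // fast path: getElementById
  return "selector";                            // handed to the selector engine
}
const classifyLegacy = (s) => classify(s, QUICK_EXPR_PRE_163);
const classifyFixed = (s) => classify(s, QUICK_EXPR_163);

// Application-side guard for code that must stay on jQuery 1.4.3 for now:
// refuse any string that the legacy $() would treat as HTML.
function safeSelector(input) {
  if (typeof input !== "string") throw new TypeError("selector must be a string");
  if (classifyLegacy(input) === "html") {
    throw new Error("refusing to pass an HTML-like string to $()");
  }
  return input;
}

// Constructed call site: pick a tab from location.hash. An allow-list of
// "#" + identifier characters is stricter than the guard alone and falls
// back to a default instead of throwing.
function tabSelectorFromHash(hash) {
  return /^#[\w-]+$/.test(hash) ? safeSelector(hash) : "#tab-default";
}
```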

The XSS vulnerability is not jQuery's fault.
Depending on how you use it, you can write vulnerable code in any version of jQuery.

If a vulnerability is found in some jQuery plug-in and you try to update the plug-in, I don't think it is any more realistic to try to get it running on the old jQuery.

With that in mind, why don't you first try to update jQuery as far as you can?
Gradually move the entire code base to the new jQuery, using multiple different versions at the same time.

<script type="text/javascript" src="jquery-1.4.3.js"></script>
<script type="text/javascript">
  // noConflict(true) releases both $ and jQuery, so the old version lives only in jq_143
  var jq_143 = $.noConflict(true);
</script>

<script type="text/javascript" src="jquery-current.js"></script>
<script type="text/javascript">
  // noConflict() releases only $; jQuery still points at the current version
  var jq_current = $.noConflict();
</script>

<script type="text/javascript">
  // Wrap old code in an anonymous function and overwrite $ with jq_143
  (function($){
    // Use jq_143 for code that might break with the update
    $(function(){
      // ... existing code ...
    });
  })(jq_143);

  // Use jq_current for code that may be exposed to XSS
  (function($){
    $(function(){
      // ... new code ...
    });
  })(jq_current);
</script>


2022-09-29 22:46

I think the answers here will also be helpful.

http://detail.chiebukuro.yahoo.co.jp/qa/question_detail/q13141045628


2022-09-29 22:46

© 2024 OneMinuteCode. All rights reserved.