Link manipulation (DOM-based) - JQuery Mobile
Hi all,
We use jquery.mobile-1.4.5.min.js in our application.
A Burp scan found a Link manipulation (DOM-based) vulnerability in the jQuery Mobile sources:
Link manipulation (DOM-based):
Issue detail
The application may be vulnerable to DOM-based link manipulation. Data is read from location.pathname and passed to the 'href' property of a DOM element via the following statement:
e[0].href = g || location.pathname
from:
return e.length
    ? g = e.attr("href")
    : e = f = a("<base>", { href: d }).appendTo("head"),
  b = a("<a href='testurl' />").prependTo(m),
  c = b[0].href,
  e[0].href = g || location.pathname,
  f && f.remove(),
  0 === c.indexOf(d)
Here is a comment from the Burp people:
"Could potentially be an open redirection if you can inject a custom path. For example: //redirect-host.com/
It's unlikely this happens on most sites, since you would hit a 404 for "redirect-host.com", but it may work if the site you are testing has the JavaScript on the 404 page, for example."
Could someone tell me whether this is a real jQuery Mobile issue and bugs need to be filed against jquery-mobile, or whether the findings are false positives?
Thanks,
Olga.
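The following is an added example, not code from the post above and not jQuery Mobile's own code. It uses Node's WHATWG URL class, which applies the same resolution rules as a browser does when a value is assigned to an element's href, to show the mechanism behind the Burp comment: location.pathname always starts with "/", but if the request path itself starts with "//" (or "/\" on http/https), the assigned value is parsed as a protocol-relative URL and resolves to another host. In the quoted fragment, e is the <base> element that the preceding statement looked up or created, so the value lands in the document base URL rather than in a single link, but resolution works the same way. The hostnames app.example and redirect-host.example are constructed for the example; sameOriginHref is a hypothetical hardening helper, not an existing jQuery Mobile API.

```javascript
// Added example (not jQuery Mobile's code): simulate what the browser does
// when a value is assigned to an element's `href`, and check whether the
// value taken from `location.pathname` can leave the document's origin.
// Node's WHATWG `URL` resolves exactly like the browser's href setter.

// `element.href = value` resolves `value` against the document URL.
function resolveHref(pageUrl, value) {
  return new URL(value, pageUrl).href;
}

// What `location.pathname` holds for a given document URL.
function pathnameOf(pageUrl) {
  return new URL(pageUrl).pathname;
}

// True only if assigning `value` to an href keeps the user on the same
// origin. A pathname beginning with "//" (or "/\" on special schemes) is
// parsed as a protocol-relative URL, so the check is made on the resolved
// result instead of by inspecting the string prefix.
function staysOnOrigin(pageUrl, value) {
  let resolved;
  try {
    resolved = new URL(value, pageUrl);
  } catch (err) {
    return false; // unparsable input: refuse rather than guess
  }
  return resolved.origin === new URL(pageUrl).origin;
}

// Hypothetical hardening helper: returns the absolute same-origin URL to put
// into the href, or null when the value would send the user elsewhere.
function sameOriginHref(pageUrl, value) {
  return staysOnOrigin(pageUrl, value) ? resolveHref(pageUrl, value) : null;
}

// Constructed sample document URLs (hypothetical hosts).
const normalPage = "https://app.example/account/settings";
// The crafted case from the Burp comment: the request path starts with "//",
// and the browser keeps it verbatim in location.pathname.
const craftedPage = "https://app.example//redirect-host.example/";

// Run both pages through the same `href = location.pathname` assignment and
// report what the browser would resolve and what the guard allows.
function demo() {
  return [normalPage, craftedPage].map((page) => {
    const pathname = pathnameOf(page);
    return {
      page,
      pathname,
      resolved: resolveHref(page, pathname),
      safe: sameOriginHref(page, pathname),
    };
  });
}

for (const row of demo()) {
  console.log(JSON.stringify(row));
}
```

For the normal page the assignment resolves back to the same page. For the crafted page, pathname is "//redirect-host.example/" and the assignment resolves to https://redirect-host.example/, which is the open-redirect shape the Burp comment describes; the backslash variant "/\redirect-host.example/" resolves the same way on http/https. Whether this is reachable in a real deployment depends on the point the Burp comment makes: the server has to serve the page containing the jQuery Mobile script at a path of the form "//host/" (for example on a catch-all or 404 page) for the crafted location.pathname to exist in the first place.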