TL;DR - Any website that uses jQuery Mobile and has an open redirect is now vulnerable to XSS - and there's nothing you can do about it, there's not even patch ¯\_(ツ)_/¯ .
jQuery Mobile is a cool jQuery UI system that makes building mobile apps easier. It does some part of what other frameworks like Ember and Angular do for routing. Pretty cool, and useful. Also vulnerable to XSS.
While researching CSP bypasses a few months ago, I noticed that jQuery Mobile had this funky behavior in which it would fetch any URL in the location.hash and put it in innerHTML. I thought that was pretty weird, so decided to see if it was vulnerable to XSS.
Turns out it is!
The summary is:
- jQuery Mobile checks if you have anything in location.hash.
- If your location.hash looks like a URL, it will try to set history.pushState on it, then it will do an XMLHttpRequest to it.
- Then it will just innerHTML the response.
Thanks for reading, and I hope you liked this! If you have any comments please comment below or on Twitter. =)