How to find and fix jQuery vulnerabilities
Although it's not inherently insecure as a framework, jQuery is not secure by default. In fact, it can introduce insecure coding practices. Back when browsers such as Internet Explorer 6 (and their non-standardized APIs) were still prevalent, jQuery followed the logic that stated that anything appearing as an HTML should be considered HTML code; anything in a developer's content that didn't appear to be HTML would be treated as a selector.
Unfortunately, websites often search for elements by selectors but rely on non-trusted data in the process, inviting bad actors to fool jQuery into replacing the "find element" operation with a "create new element" operation by injecting HTML code into a selector.
Why is outdated jQuery still so prevalent?
Despite having been launched more than 15 years ago, jQuery has outlasted every other technology from the early Web 2.0 era. A large part of the reason for jQuery's continued usage relates to WordPress. jQuery is embedded into WordPress, which means that plenty of modern developers have no idea that they are working with jQuery in the first place.
Outdated jQuery versions are still prevalent for additional reasons, such as:
- Backwards compatibility: jQuery is designed to be backwards-compatible, meaning that new versions of the library are designed to work with older code. While this makes it easier for developers to update their code, it also means that developers may be unaware that they are using an outdated library, and thus may not see the need to update their jQuery version.
- Lack of awareness on behalf of developers: many developers may be unaware that a newer version of jQuery is available, or they may not realize the importance of keeping their libraries regularly up to date.
- Time: updating libraries can be extremely time-consuming.
- Dependency: some web applications may be dependent on specific versions of jQuery, which makes it difficult to update the library without breaking the application.
- Cost: especially for large web applications or enterprise systems, updating a jQuery library can be a huge expense.
- Legacy systems: some websites and applications may be using old systems that are no longer supported and updating jQuery may not be a priority for the developers or the organization.
As we mentioned earlier, running outdated versions of jQuery can invite cross-site scripting - or XSS - vulnerabilities in your web applications. These vulnerabilities, rather than impact an application itself, instead impact a website's users by injecting malicious content. Exploitation methods allow bad actors to compromise user identities stored in an application and redirect website traffic.
How do I know if I am are running any jQuery libraries with known vulnerabilities?
To protect your web application against the above jQuery vulnerabilities, you need to know if jQuery is installed, and if you are using an outdated library.
If you are in a security role without access to the web application’s code repository, you can check if jQuery is installed via your browser. For example, you can use Chrome to see the source code when viewing the web app as a client. jQuery may be identified by searching within this context. Development teams can search for jQuery libraries directly in their web app’s code repository.
To check your jQuery libraries against known vulnerabilities, you can check the software version against the MITRE CVE database to see if any known vulnerabilities exist. To simplify this process, many organizations use a vulnerability scanner.
However, while vulnerability scanning tools can simplify the process of detecting jQuery vulnerabilities, they do not paint a full picture of your attack surface. Vulnerability scans often include distracting false positives, without addressing the risks that are most relevant for your organization.
How to update to the latest version of jQuery?
Updating to the latest version can be a challenge for some organizations who rely heavily on their web application for revenue but have not updated old libraries for a long time. We definitely recommend doing this type of upgrade in a test environment first, and prioritizing updates by the rampancy of jQuery exploits available. For an immediate reassurance, penetration testing can also be a good way to validate if existing security controls are adequately protecting the organization from issues in the short term.
How to fix jQuery vulnerabilities
It's important to have a maintenance plan that includes regularly reviewing and updating your dependencies, including jQuery. Outpost24 can help you find these vulnerabilities, among many other potential threats. By combining automated application scanning, with manual pen testing, our Pen Testing as a Service (PTaaS) continuously monitors your web application, and keeps you protected against the latest vulnerabilities. All remediation efforts can be validated by our experienced security experts, reassuring you that the development team is resolving issues fully, without introducing new problems.
Our vulnerability reports guarantee zero false positives, and include risk classifications to help you prioritize your remediation efforts. These reports can also be distributed to key stakeholders outside of the development team for additional transparency.
Speak with our security experts today for more information about our PTaaS.