Hello my friends, @bulkneets found an interesting DOM-based XSS in http://jqapi.com ( https://twitter.com/#!/bulkneets/status/156620076160786432 )

The PoC exploit is --> http://jqapi.com/#p=<img src%3D/%20onerror%3Dalert(1)>

The root cause is in the following line in "js/main.min.js"
    a.p && r($('.sub a[href*="/' + a.p + '/"]:first'))

While executing, the value of a.p is <img src%3D/%20onerror%3Dalert(1)>.
jQuery interprets this string as the HTML tag:

  <img src%3d %20onerror%3dalert(1)>

As a consequence, the injected code is executed. BTW, the injected code is the hash, so WAF, firewall and IDS cannot see anything.

Always remember "jQuery is a sink". 


By AegisLab