HAKATEMIA
06XSS Advanced

XSS in JavaScript strings 2

Easy45MIN

In this module, we exploit the XSS vulnerability in the exercise target, so you can start the task below and repeat the steps at your own pace.

Continuing from the previous module's topic. This time, the developers have improved input handling and our previous malicious code no longer works.

Finding Vulnerability

We start by investigating what changes the developers have made, by trying the following combination.

JAVASCRIPT
1'; //

Exactly, the developers have added escaping of quotation marks to the application, so that the JavaScript code treats quotation marks as part of the string. Escaping means using backslashes in situations where you want to use string-breaking characters as part of the string.

The string below contains a single quotation mark and a backslash is used to include it inside the string without breaking the string's definition.

JAVASCRIPT
1const a = '\'';
2// a is equal to '

We continue the analysis by examining how the application treats the backslash, i.e. whether we can escape the backslash. We input the following.

JAVASCRIPT
1\'; //

Great, the application doesn't escape the backslash itself. This means that we can use a backslash before the quotation mark, so in the final JavaScript code, the application will escape our backslash and we can break the string and write our own JavaScript code. However, since the application escapes all the quotation marks we enter, we can't create our own strings in the application and we can't build our malicious code in the usual way. Fortunately, JavaScript has a built-in function called fromCharCode, which allows you to build strings without using quotation marks at all. It works like this.

JAVASCRIPT
1var x = String.fromCharCode(120,115,115);
2/*
3  120 == x,
4  115 == s,
5  115 == p
6  meaning that the fromCharCode function returns us the string xss
7
8*/

With the fromCharCode function, you can construct any string you want. Here you can find a list of characters and their char code values.

To double secure the vulnerability, we will still try to use the mentioned function in creating the alert box.

We create an 'xss' string and save it in the variable x. Then we input variable x into the alert function.

JAVASCRIPT
1\'; var x = String.fromCharCode(120,115,115); alert(x); //

1 / 4
Hakatemia Pro

Learn to hack — start here

Hundreds of interactive courses, virtual labs and CTF challenges in your browser. Start a free trial — no card required.