How could the string \";alert('XSS');// be used for XSS?

Question

I was using Burp Suite for some testing and I noticed that they included the following string:

\";alert('XSS');//

as an attack string for an XSS payload.

How could this string be used to execute a XSS attack?

score 15 · Accepted Answer · answered Jul 31 '13 at 01:05

15

In this case the first \ is escaping an escape to provide attacker with a un-escaped double-quote:

var x="\\";alert('XSS');//"

This is assuming the target application has a broken escape routine.

answered Jul 31 '13 at 01:05

rook

46,916
10
92
181

score 6 · Answer 2 · answered Jul 31 '13 at 00:42

The purpose of the string is to test if JavaScript injection is possible. It will not do harm itself, only show an alert box with the message "XSS" which would mean that you successfully injected the website with some JavaScript. Then, an attacker could inject any JS to perform an XSS attack.

score 1 · Answer 3 · answered Jul 31 '13 at 10:04

I am not sure about this scenario, but think of it like this.

The application is providing, a javascript an input from what the user provided.

Like

<script>


somecode

"some value the user input here"
alert('XSS');//

</script>

In that situation, the Script tags are not necessey, but only the code will work as an XSS. For such a situation, the code \";alert('XSS');// will be neccessary. Just sharing a thought.

How could the string \";alert('XSS');// be used for XSS?

3 Answers3