9

I was using Burp Suite for some testing and I noticed that they included the following string:

\";alert('XSS');//

as an attack string for an XSS payload.

How could this string be used to execute a XSS attack?

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
Abe Miessler
  • 8,155
  • 10
  • 44
  • 72

3 Answers3

15

In this case the first \ is escaping an escape to provide attacker with a un-escaped double-quote:

var x="\\";alert('XSS');//"

This is assuming the target application has a broken escape routine.

rook
  • 46,916
  • 10
  • 92
  • 181
6

The purpose of the string is to test if JavaScript injection is possible. It will not do harm itself, only show an alert box with the message "XSS" which would mean that you successfully injected the website with some JavaScript. Then, an attacker could inject any JS to perform an XSS attack.

Simon
  • 3,182
  • 4
  • 26
  • 38
1

I am not sure about this scenario, but think of it like this.

The application is providing, a javascript an input from what the user provided.

Like

<script>


somecode

"some value the user input here"
alert('XSS');//

</script>

In that situation, the Script tags are not necessey, but only the code will work as an XSS. For such a situation, the code \";alert('XSS');// will be neccessary. Just sharing a thought.