
Is it possible to inject and execute JavaScript in the following context? Or terminate the JavaScript string?

  • The URL is inserted into a JavaScript string (double-quote delimited)
  • The URL is URL encoded by the browser and not the server side. (for simplicity, only using Firefox and Chrome)
  • The URL is never decoded (either in JavaScript or the back end)

Example:

var baseURL = "http://example.com/?[USER CONTROLLED INPUT]";

Note that one may cause an unterminated string literal JavaScript error by providing a string that ends in "\". Assume this error does not impact other use of user input.

Note: Browser URI encoding currently varies.

Given the following URL:

example.com?!*'();:@&=+$,/?[]"%-.<>\^_`{|}~#
  • Firefox 27.01 submits:

    http://example.com/?!*%27%28%29;:@&=+$,/[]%22%-.%3C%3E\^_%60{|}~#
    
  • Chromium 32.0 submits:

    http://example.com/?!*%27();:@&=+$,/?[]%22%-.%3C%3E\^_`{|}~#
    
  • I doubt that the # is actually submitted. :) Commented Mar 13, 2014 at 21:45
  • If [USER CONTROLLED INPUT] is being outputted by your server, then yes, it's possible for a user to input ";alert('foobar');_ = " to alert "foobar" without breaking the code. If it is instead being built by JavaScript, then no it won't break, unless it's used to generate HTML. Commented Mar 13, 2014 at 21:50
  • Gumbo: you are technically correct. The best kind of correct. Kevin: The user's special characters are url-encoded by the browser. The result is: "example.com/?%22;alert(%27foobar%27);_%20=%20%22";" While it may be a messy string, it is not javascript injection. Commented Mar 13, 2014 at 22:19

1 Answer

If this is the only injection point then I have to agree with your assumption that the only damage one could do is an unterminated JavaScript string literal.

However, if there are multiple injection points, i.e., three or more, in one single line like this:

var x = "[USER CONTROLLED INPUT]", y = "[USER CONTROLLED INPUT]", z = "[USER CONTROLLED INPUT]";

It would be possible to inject JavaScript code:

x = \
y = +alert(1)+
z = //

As this would result in:

var x = "\", y = "+alert(1)+", z = "//";

It’s required that the injection points are all in one line as JavaScript doesn’t allow literal line breaks in string literals.
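An added example, not code from the question or the answer above, that makes both claims checkable. It models the browser's query-string encoding with a constructed approximation (an assumption: only the characters the Chromium sample shows encoded are percent-encoded, and backslash is passed through as in the sample), scans the resulting source line with a minimal string-literal scanner (hypothetical helper, not a real JS parser: it handles backslash escapes and `//` comments only), and shows the mitigation the thread does not spell out: escaping for the JavaScript string context on the server with JSON.stringify instead of relying on what the browser encodes.

```javascript
// Constructed approximation of browser query encoding (assumption, not from
// the page): percent-encode " ' < > and space as the Chromium 32 sample does;
// everything else, including backslash, is sent as-is.
function browserEncodeQuery(s) {
  return s.replace(/["'<> ]/g, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// Minimal scanner (hypothetical helper): walks one line of JS source and
// reports each double-quoted literal (value, closed?), the code that ends up
// OUTSIDE any literal, and any trailing // comment. Enough to see where the
// literal boundaries landed; not a full parser.
function scanLine(line) {
  const literals = [];
  let outside = "";
  let comment = "";
  let i = 0;
  while (i < line.length) {
    if (line.startsWith("//", i)) { comment = line.slice(i); break; }
    if (line[i] !== '"') { outside += line[i]; i++; continue; }
    let j = i + 1, value = "", closed = false;
    while (j < line.length) {
      const c = line[j];
      if (c === "\\") { value += line[j + 1] ?? ""; j += 2; continue; } // escape
      if (c === '"') { closed = true; j++; break; }
      value += c; j++;
    }
    literals.push({ value, closed });
    i = j;
  }
  return { literals, outside, comment };
}

// The two templates from the thread, built by naive concatenation.
function buildSingle(userInput) {
  return 'var baseURL = "http://example.com/?' + userInput + '";';
}
function buildTriple(a, b, c) {
  return 'var x = "' + a + '", y = "' + b + '", z = "' + c + '";';
}

// Mitigation: produce a complete JS string literal with backslash escaping.
// JSON.stringify escapes \ " and control characters; the extra replaces keep
// "</script>" from closing an inline <script> block and make the literal safe
// on engines that predate ES2019 (raw U+2028/U+2029 in literals).
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function buildSingleSafe(userInput) {
  return "var baseURL = " + jsStringLiteral("http://example.com/?" + userInput) + ";";
}
function buildTripleSafe(a, b, c) {
  return "var x = " + jsStringLiteral(a) + ", y = " + jsStringLiteral(b) +
    ", z = " + jsStringLiteral(c) + ";";
}

// Summarises a scan against the number of literals the template should have.
function analyze(line, expectedCount) {
  const { literals, outside, comment } = scanLine(line);
  return {
    count: literals.length,
    allClosed: literals.every((l) => l.closed),
    intact: literals.length === expectedCount && literals.every((l) => l.closed),
    values: literals.map((l) => l.value),
    outside,
    comment,
  };
}

// Demo: the comment payload after browser encoding, a trailing backslash,
// the three-point case from the answer, and the escaped version of each.
const payload = '";alert(\'foobar\');_ = "';
console.log(analyze(buildSingle(browserEncodeQuery(payload)), 1));
console.log(analyze(buildSingle(browserEncodeQuery("abc\\")), 1));
console.log(analyze(buildTriple("\\", "+alert(1)+", "//"), 3));
console.log(analyze(buildTripleSafe("\\", "+alert(1)+", "//"), 3));
```

The scanner is a detection aid for reviewing generated script lines, and the `buildTripleSafe` output is what the concatenation should have produced in the first place: three closed literals whose values are exactly the three inputs, with `+alert(1)+` back inside a string rather than in the code between them.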
