jump out of a JS variable encapsulation

I'm reading a book on XSS attacks, and I've found an example about XSS filter evasion that is a little weird (IMHO).

This is the example text:

Another possible injection point that could exist is when the developer uses unsanitized user input as part of the generated HTML within a script element. For example:

<script> var query_string="<XSS>"; somefunction(query_string); function somefunction { ... } </script>

It appears we have access to the inside of the JavaScript function. Let’s try adding some quotes and see if we can jump out of the encapsulation:

<script> var query_string="”<XSS>"; somefunction(query_string); function somefunction { ... } </script>

It worked, and also caused a JavaScript error in the process as shown in Figure 3.38. Let’s try one more time, but instead of trying to inject HTML, let’s use straight JavaScript. Because we are in a script tag anyway, why not use it to our advantage?

<script> var query_string="”;alert(“XSS”);//"; somefunction(query_string); function somefunction { ... } </script>

The bold text is what I suppose to be the user input, taken for example from a form.

Back to my question: is there any way that this kind of attack works? For example, suppose somefunction(query_string) is used to run some SQL query, and query_string is a product name to search within the database. If inside the search function I create sql_query = 'SELECT name FROM table WHERE name = "'+query_string+'"';, I think there's no way to inject some string with quotes to "jump out of the encapsulation", i.e. inputting YAY";alert('hi');// will not change the JS to this:

var query_string = [user input, in this case YAY";alert('hi');//]
function abc(query_string){
    sql_query = "select name FROM table WHERE name = 'YAY';
    alert('hi');//
    ....
}

Am I wrong? What do you think? Can you make me a simple example (if it is possible) of how this kind of attack can cause some sort of damage?

I thought about something like an online shop, but assuming the JS is not used on the server side, the only thing this attack can do is modify the query string and then submit it to the server.

Hope you can understand what I wrote and what I'd like to understand, thanks, best regards.

Answers


You should only look at the first line. The rest doesn't come into play in this XSS example. It's a badly chosen example. So take this much simpler example:

var first_name="<XSS>";

In this example <XSS> is user-generated content. So your e.g. PHP code looks like this:

var first_name="<? echo $firstName; ?>";

$firstName is taken from some database or something else, and was generated by the user who typed it into some text field. Say the user typed: ";alert("XSS");//. PHP will generate the following code:

var first_name="";alert("XSS");//";

Pretty printed:

var first_name="";
alert("XSS");
//";

As you see, the user was able to run his code alert("XSS") in every other user's browser that visited the page. In this example nothing bad will happen except some alert box, but the user might inject some code that gets the cookie info and sends it to some server, so the attacker can steal someone's login session.

This same problem - forgetting to escape user-generated content - also applies to creating SQL queries, but this isn't related to this example. The creator of this example should not have used query_string in his example, as it is obviously confusing.

