current community

your communities

more stack exchange communities

Stack Exchange
tour help
careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite
1

Is it possible to inject and execute javascript in the following context? Or terminate the JavaScript string?

  • The URL is inserted into a JavaScript string (double-quote delimited)
  • The URL is URL encoded by the browser and not the server side. (for simplicity, only using Firefox and Chrome)
  • The URL is never decoded (either in JavaScript or the back end)

Example:

var baseURL = "http://example.com/?[USER CONTROLLED INPUT]";

Note that one may cause a unterminated string literal JavaScript error by providing a string that ends in "\". Assume this error does not impact other use of user input.

Note: Browser URI encoding currently varies.

Given the following URL:

example.com?!*'();:@&=+$,/?[]"%-.<>\^_`{|}~#

  • FireFox 27.01 submits:

    http://example.com/?!*%27%28%29;:@&=+$,/[]%22%-.%3C%3E\^_%60{|}~#

  • Chromium 32.0 submits:

    http://example.com/?!*%27();:@&=+$,/?[]%22%-.%3C%3E\^_`{|}~#
share|improve this question
1  
I doubt that the # is actually submitted. :) –  Gumbo Mar 13 at 21:45
    
If [USER CONTROLLED INPUT] is being outputted by your server, then yes, it's possible for a user to input ";alert('foobar');_ = " to alert "foobar" without breaking the code. If it is instead being built by javascript, then no it won't break, unless it's used to generate html. –  Kevin B Mar 13 at 21:50
    
Gumbo: you are technically correct. The best kind of correct. Kevin: The user's special characters are url-encoded by the browser. The result is: "example.com/?%22;alert(%27foobar%27);_%20=%20%22";" While it may be a messy string, it is not javascript injection. –  Ben Walther Mar 13 at 22:19

1 Answer 1

up vote 1 down vote

If this is the only injection point then I have to agree with your assumption that the only damage one could do is an unterminated JavaScript string literal.

However, if there are multiple injection points, i. e., three or more, in one single line like this:

var x = "[USER CONTROLLED INPUT]", y = "[USER CONTROLLED INPUT]", z = "[USER CONTROLLED INPUT]";

It would be possible to inject JavaScript code:

x = \
y = +alert(1)+
z = //

As this would result in:

var x = "\", y = "+alert(1)+", z = "//";

It’s required that the injection points are all in one line as JavaScript doesn’t allow literal line breaks in string literals.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.