Could anyone explain these XSS test strings?

Tags:

javascript

xss

Recently I found this tutorial about XSS and web application security -> https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_Locator

At the start there are some strings to inject in order to test that a site is vulnerable to xss or not. These strings are:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

and

'';!--"<XSS>=&{()}

I know the basic concepts of XSS, but here I can't understand why there's that repetition of 'alert(String.fromCharCode(88,83,83))' in the first string and why those //'; //"; //--> comments are needed (do they mean something special when used in such a way while searching for XSS bugs?). And in the second string, what is the purpose of the &{()} sequence?

Could anyone explain to me, with concrete examples, how these two strings should work in order to find an XSS bug inside a web app? Because on the site I linked no explanation is given...

tonix asked Aug 23 '14 11:08


1 Answer

This looks like it's trying several different injections, so I'll try and break them down one at a time:

The First Injection

';alert(String.fromCharCode(88,83,83))//

This injection attempts to terminate a JavaScript string literal (using '), then terminate the statement (with ;) and makes a call to alert(String.fromCharCode(88,83,83)) which will cause a popup box containing "XSS". The following // is an attempt to "comment out" the rest of the statement, so that a syntax error will not occur and the script will execute.

The Second Injection

";alert(String.fromCharCode(88,83,83))//

Like the first injection, but it uses " in an attempt to terminate a JavaScript string literal.

The Third Injection

--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

This attempts to do the following things:

  1. Terminate an HTML (or XML) comment (with -->)
  2. Terminate an existing <SCRIPT> tag using </SCRIPT>
    • This is done to prevent the injected script causing a syntax error, which would prevent the injected script from executing.
  3. Terminate an HTML attribute and tag, using ">
  4. Terminate an HTML attribute and tag, using '>
  5. Inject JavaScript using <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

The Fourth Injection

'';!--"<XSS>=&{()}

This is a common string used to test what, if any, filters and/or encoding are being used on user input. Typically, the source of the page after this injection will contain either &lt;XSS or <XSS. If the second is found, the application is most likely not filtering user input (as it allowed the addition of an arbitrary tag) and is likely vulnerable to XSS.


To answer your more direct questions:

why there's that repetition of 'alert(String.fromCharCode(88,83,83))'

This is a common "Proof of Concept" function, that will cause a popup box to appear containing "XSS". If this occurs, the injected JavaScript was executed.

why there's that repetition of 'alert(String.fromCharCode(88,83,83))' in the first string and why those //'; //"; //-->

These are used to prevent syntax errors, which can cause the injected JavaScript to fail to execute.

Caleb Brinkman answered Nov 04 '22 11:11
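As an added example (not code from the question or the answer), this JavaScript shows the two mechanisms the answer describes from the defender's side: why the first injection breaks out of a single-quoted JavaScript string literal that was built by concatenation while a JSON-encoded literal holds, and the `<XSS` versus `&lt;XSS` check used with the fourth string. The helper names are hypothetical; the payloads are the ones quoted above.

```javascript
// Payloads taken from the question; everything else is a hypothetical helper.
const PAYLOAD_JS = "';alert(String.fromCharCode(88,83,83))//";
const PAYLOAD_HTML = `--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`;
const PAYLOAD_PROBE = "'';!--\"<XSS>=&{()}";

// Vulnerable: user input concatenated straight into a single-quoted literal.
// A ' in the input closes the literal and the rest becomes live code.
function renderScriptUnsafe(value) {
  return "var q = '" + value + "';";
}

// Hardened: JSON.stringify emits a double-quoted literal with " and \ escaped.
// The extra replace turns "</" into "<\/" so a "</SCRIPT>" inside the value
// cannot end the surrounding <script> element when the HTML parser sees it.
function renderScriptSafe(value) {
  return "var q = " + JSON.stringify(value).replace(/<\//g, "<\\/") + ";";
}

// Runs a rendered script in a sandbox where alert() only records its argument,
// then reports what q ended up holding and whether alert was called at all.
function evaluateRendered(script) {
  const alerts = [];
  const fn = new Function("alert", script + "\nreturn q;");
  const q = fn((msg) => alerts.push(msg));
  return { q, alertFired: alerts.length > 0, alerts };
}

// Output encoding for HTML text/attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// The check from the answer: a raw "<XSS" in the response body means the probe
// tag survived untouched; "&lt;XSS" means it was encoded on the way out.
function classifyReflection(body) {
  if (body.includes("<XSS")) return "raw";
  if (body.includes("&lt;XSS")) return "encoded";
  return "absent";
}
```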