labs / tiddlers / content / labs / lab13 / _Labs_13_XSS

AJAX templating techniques such as the one Vue uses (the double-brace interpolation that inserts content into a page) have a natural resilience to XSS injection: the value is written into the page through the browser's DOM (Document Object Model) API as text, rather than being concatenated into an HTML string. AJAX clients are still susceptible to XSS flaws, though, so we need to test just how vulnerable our users are.

We can quickly test this by creating a customer and a product whose string fields consist mainly of <script> tags.

The following script tag will pop up an alert box:

```html
<script>alert(111)</script>
```
Insert this into any column that is a varchar (enter valid values for the other columns). Enter normal values (not script tags) for any fields that will be used as path parameters in web service operations (such as the product ID, category, and username), since the '/' character in the closing script tag will be interpreted as a path separator and break your service calls.

We use a number (111) rather than a string so that no quote marks are needed, which avoids any odd escaping of quotes that might otherwise occur.

Add a customer and a product to your database where all of the string values are the script tag above.

Add the customer via the register page, since the password hashing will only be done if we create a customer properly. For the product, you can use the H2 console: query the table, then hit the button that appears at the bottom of the result.

Once you have done this, exercise your entire web application. If any alert box showing 111 appears, we have a problem: there is a vector for malicious users to insert JavaScript that our client will execute. As mentioned, Vue is fairly immune to XSS attacks, so you should not see any alerts.