Use backticks (`) in all XSS payloads

(Single-quotes mess with NoSQL queries)

data/static/challenges.yml

@@ -519,31 +519,31 @@
 -
   name: 'XSS Tier 1'
   category: 'XSS'
-  description: 'Perform a <i>DOM</i> XSS attack with <code>&lt;iframe src="javascript:alert(&apos;xss&apos;)"&gt;</code>.'
+  description: 'Perform a <i>DOM</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code>.'
   difficulty: 1
   hint: 'Look for an input field where its content appears in the HTML when its form is submitted.'
   hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-reflected-xss-attack'
   key: localXssChallenge
 -
   name: 'XSS Tier 2'
   category: 'XSS'
-  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(&apos;xss&apos;)"&gt;</code> bypassing a <i>client-side</i> security mechanism.'
+  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code> bypassing a <i>client-side</i> security mechanism.'
   difficulty: 3
   hint: 'Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.'
   hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-client-side-security-mechanism'
   key: persistedXssChallengeUser
 -
   name: 'XSS Tier 3'
   category: 'XSS'
-  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(&apos;xss&apos;)"&gt;</code> without using the frontend application at all.'
+  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code> without using the frontend application at all.'
   difficulty: 3
   hint: 'You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.'
   hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-without-using-the-frontend-application-at-all'
   key: restfulXssChallenge
 -
   name: 'XSS Tier 4'
   category: 'XSS'
-  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(&apos;xss&apos;)"&gt;</code> bypassing a <i>server-side</i> security mechanism.'
+  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code> bypassing a <i>server-side</i> security mechanism.'
   difficulty: 4
   hint: 'The "Comment" field in the "Contact Us" screen is where you want to put your focus on.'
   hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-server-side-security-mechanism'

data/static/xchallenges.yml

@@ -9,7 +9,7 @@
 -
   name: 'XSS Tier 5'
   category: 'XSS'
-  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(&apos;xss&apos;)"&gt;</code> through an HTTP header.'
+  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code> through an HTTP header.'
   difficulty: 4
   hint: 'Finding a piece of displayed information that could originate from an HTTP header is the part of this challenge.'
   hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-through-an-http-header'

frontend/src/app/search-result/search-result.component.spec.ts

@@ -129,7 +129,7 @@ describe('SearchResultComponent', () => {
   }))
 
   it('should notify socket if search query includes XSS Tier 1 payload while filtering table', () => {
-    activatedRoute.setQueryParameter('<iframe src="javascript:alert(\'xss\')"> Payload')
+    activatedRoute.setQueryParameter('<iframe src="javascript:alert(`xss`)"> Payload')
     spyOn(component.socket,'emit')
     component.filterTable()
     expect(component.socket.emit.calls.mostRecent().args[0]).toBe('localXSSChallengeSolved')

frontend/src/app/search-result/search-result.component.ts

@@ -64,7 +64,7 @@ export class SearchResultComponent implements AfterViewInit,OnDestroy {
 
   filterTable () {
     let queryParam: string = this.route.snapshot.queryParams.q
-    if (queryParam && queryParam.includes('<iframe src="javascript:alert(\'xss\')">')) {
+    if (queryParam && queryParam.includes('<iframe src="javascript:alert(`xss`)">')) {
       this.socket.emit('localXSSChallengeSolved', queryParam)
     }
     if (queryParam) {

lib/startup/registerWebsocketEvents.js

@@ -25,7 +25,7 @@ const registerWebsocketEvents = (server) => {
     })
 
     socket.on('localXSSChallengeSolved', data => {
-      if (utils.notSolved(challenges.localXssChallenge) && utils.contains(data, '<iframe src="javascript:alert(\'xss\')">')) {
+      if (utils.notSolved(challenges.localXssChallenge) && utils.contains(data, '<iframe src="javascript:alert(`xss`)">')) {
         utils.solve(challenges.localXssChallenge)
       }
     })

models/feedback.js

@@ -10,7 +10,7 @@ module.exports = (sequelize, { STRING, INTEGER }) => {
       set (comment) {
         const sanitizedComment = insecurity.sanitizeHtml(comment)
         this.setDataValue('comment', sanitizedComment)
-        if (utils.notSolved(challenges.persistedXssChallengeFeedback) && utils.contains(sanitizedComment, '<iframe src="javascript:alert(\'xss\')">')) {
+        if (utils.notSolved(challenges.persistedXssChallengeFeedback) && utils.contains(sanitizedComment, '<iframe src="javascript:alert(`xss`)">')) {
           utils.solve(challenges.persistedXssChallengeFeedback)
         }
       }

models/product.js

@@ -8,7 +8,7 @@ module.exports = (sequelize, { STRING, DECIMAL }) => {
     description: {
       type: STRING,
       set (description) {
-        if (utils.notSolved(challenges.restfulXssChallenge) && utils.contains(description, '<iframe src="javascript:alert(\'xss\')">')) {
+        if (utils.notSolved(challenges.restfulXssChallenge) && utils.contains(description, '<iframe src="javascript:alert(`xss`)">')) {
           utils.solve(challenges.restfulXssChallenge)
         }
         this.setDataValue('description', description)

models/user.js

@@ -9,7 +9,7 @@ module.exports = (sequelize, { STRING, BOOLEAN }) => {
       type: STRING,
       unique: true,
       set (email) {
-        if (utils.notSolved(challenges.persistedXssChallengeUser) && utils.contains(email, '<iframe src="javascript:alert(\'xss\')">')) {
+        if (utils.notSolved(challenges.persistedXssChallengeUser) && utils.contains(email, '<iframe src="javascript:alert(`xss`)">')) {
           utils.solve(challenges.persistedXssChallengeUser)
         }
         this.setDataValue('email', email)

routes/search.js

@@ -6,9 +6,6 @@ module.exports = function searchProducts () {
   return ({ query }, res, next) => {
     let criteria = query.q === 'undefined' ? '' : query.q || ''
     criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
-    if (utils.notSolved(challenges.localXssChallenge) && utils.contains(criteria, '<iframe src="javascript:alert(\'xss\')">')) {
-      utils.solve(challenges.localXssChallenge) // FIXME Verification on server side not possible as value never get submitted to it
-    }
     models.sequelize.query('SELECT * FROM Products WHERE ((name LIKE \'%' + criteria + '%\' OR description LIKE \'%' + criteria + '%\') AND deletedAt IS NULL) ORDER BY name')
       .then(([products, query]) => {
         if (utils.notSolved(challenges.unionSqlInjectionChallenge)) {

test/e2e/searchSpec.js

@@ -15,7 +15,7 @@ describe('/#/search', () => {
     it('search query should be susceptible to reflected XSS attacks', () => {
       const EC = protractor.ExpectedConditions
 
-      searchQuery.sendKeys('<iframe src="javascript:alert(\'xss\')">')
+      searchQuery.sendKeys('<iframe src="javascript:alert(`xss`)">')
       searchButton.click()
       browser.wait(EC.alertIsPresent(), 5000, "'xss' alert is not present")
       browser.switchTo().alert().then(alert => {