Dangerous Use of Eval

Lesson Plan Title: Dangerous Use of Eval)

Concept / Topic To Teach:
It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is reflected directly into an HTTP response. In this lesson, unvalidated user-supplied data is used in conjunction with a Javascript eval() call. In a reflected XSS attack, an attacker can craft a URL with the attack script and store it on another website, email it, or otherwise trick a victim into clicking on it.

General Goal(s):
For this exercise, your mission is to come up with some input which, when run through eval, will execute a malicious script. In order to pass this lesson, you must 'alert()' document.cookie.

Solution:
The value of the digit access code field is placed in the Javascript eval() function. This is the reason why your attack will not require the "<script>" tags.
Enter: 123');alert(document.cookie);('

The result on the server is:

eval('123');
alert(document.cookie);
('');