It looks like he is trying several different injections, so I will try to break them one at a time:
First injection
';alert(String.fromCharCode(88,83,83))//
This injection tries to complete the JavaScript string literal (using ' ), then exit the statement (using ; ) and call alert(String.fromCharCode(88,83,83)) , which will pop up a window containing "XSS". The next // is an attempt to "comment" the rest of the statement, so that the syntax error will not be executed and the script will be executed.
Second injection
";alert(String.fromCharCode(88,83,83))//
Like the first injection, but uses " in an attempt to complete the JavaScript string literal.
Third injection
--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
This tries to do the following:
- End HTML (or XML) comment (using
--> ) - Complete existing
<SCRIPT> tag using </SCRIPT>- This is done to prevent script input that caused a syntax error that would prevent the injection script from executing.
- Complete the attribute and HTML tag using
"> - End attribute and HTML tag using
'> - Embedding JavaScript with
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Fourth injection
'';!--"<XSS>=&{()}
This is the usual string used to verify that, if any, filters and / or encoding are used when user input is entered. Typically, the page source after this injection will contain either <XSS or <XSS . If the second is found, the application will most likely not filter user input (since this allowed the addition of an arbitrary tag) and is probably vulnerable to XSS.
To answer your more direct questions:
why is there a repeat of "alert" (String.fromCharCode (88,83,83)) '
This is the usual "Proof of Concept" function, which will pop up a window containing "XSS" If this happens, executable JavaScript has been executed.
why there is a repetition of "alert" (String.fromCharCode (88.83.83)) in the first line and why those // '; // "; // ->
They are used to prevent syntax errors that may lead to JavaScript that cannot be executed.