JavaScript
A very popular language used to create interactivity on the web, and on the backend using NodeJS
# Related Pages
pageNodeJSCommon Pitfalls
String Replacement
replace
vs replaceAll
replace
vs replaceAll
You might be surprised to see that replace()
doesn't actually replace all the characters it finds, only the first match. Instead, replaceAll()
should be used if you want to replace every occurrence. This can be useful if a developer thinks they sanitized user input with this function, and tested it with only one character, while an attacker can just input one dummy character at the start that will be replaced and afterward continue with the payload unsanitized:
Replacement String Templates
The second argument to replace()
functions determine what should be put in place of the matched part. It might come as a surprise that when this section is user-controlled input, there are some special character sequences that are not taken literally. The following sequences insert a special piece of text instead (source):
Pattern | Inserts |
---|---|
| Inserts a |
| Inserts the matched substring |
| Inserts the portion of the string that precedes the matched substring |
| Inserts the portion of the string that follows the matched substring |
| Inserts the |
| Inserts the named capturing group where |
The $`
and $'
are especially interesting, as they repeat a preceding or following piece of text, which may contain otherwise blocked characters. A neat trick using mentioned here abuses this to repeat a </script>
string that would normally be HTML encoded in the payload:
Filter Bypass
Often alphanumeric characters are allowed in a filter, so being able to decode Base64 and evaluate the result should be enough to do anything while bypassing a filter. Acquiring the primitives to do this decoding and evaluating however can be the difficult part as certain ways of calling the functions are blocked. The simplest idea is using atob
to decode Base64, and then eval
to evaluate the string:
Inside a String
When injecting inside of a JavaScript string (using "
or '
quotes), you may be able to escape certain blocked characters using the following escape sequences with different properties:
\x41
='A'
: Hex escape, shortest! (CyberChef)\u0041
='A'
: Unicode escape, non-ASCII characters too! (CyberChef)\101
='A'
: Octal escapes, numeric-only payload! (CyberChef)
Other than these generic escapes, there are a few special characters that get their own escapes:
Syntax | Meaning |
---|---|
| Backslash |
| Single quote |
| Double quote |
| Backtick |
(0x0a) | New Line |
(0x0d) | Carriage Return |
(0x09) | Horizontal Tab |
(0x0b) | Vertical Tab |
(0x08) | Backspace |
(0x0c) | Form Feed |
When inside template literals (using `
backticks), you can use ${}
expressions to evaluate inline JavaScript code which may contain any code you want to run, or evaluate to any string you need.
Unrelated to strings, you can also use these templates as "tagged templates" to call functions without parentheses:
No alphanumeric characters
Without "
quotes
"
quotesRegExp
objects can be defined by surrounding text with /
slashes, and are automatically coerced into a string surrounded by slashes again. This can become valid executable JavaScript code in a few different ways:
Another common method is using String.fromCharCode()
chains to build out string character-by-character:
Comments
A few different and uncommon ways of creating comments in JavaScript:
Reverse Engineering
Client-side javascript is often minified or obfuscated to make it more compact or harder to understand. Luckily there are many tools out there to help with this process of reverse engineering, like the manual JavaScript Deobfuscator. While manually trying to deobfuscate the code, dynamic analysis can be very helpful. If you find that a function decrypts some string to be evaluated for example, try throwing more strings into that function at runtime with breakpoints.
While doing it manually will get you further, sometimes it's quicker to use automated tools made for a specific obfuscator. The common obfuscator.io for example can be perfectly deobfuscated using webcrack
, as well as minified/bundled code:
Sourcemaps
Bundled/minified code is often hard to read, even with the abovementioned tools. If you're lucky, a website might have published .map
sourcemap files together with the minified code. These are normally used by the DevTools to recreate source code in the event of an exception while debugging. But we can use these files ourselves to recreate the exact source code to the level of comments and whitespace!
Viewing these in the DevTools is easy, just check the Sources -> Page -> Authored directory to view the source code if it exists:
It gets these from the special //# sourceMappingURL=
comment at the end of minified JavaScript files, which are often the original URL appended with .map
. Here is an example:
These exists a tool sourcemapper
that can take a URL and extract all the source code files:
Last updated