Quoteless Javascript Injections

In multi reflection scenarios, like we already have seen here, it’s possible to use payloads in such a way that avoid filters and WAFs (Web Application Firewalls) due to the change in the order of its elements.

But in source-based JS injections (those which happen in script blocks) there’s another interesting consequence of having more than one reflection point.

It’s the possibility to break out from delimited strings (single or double quotes) with another character besides the quotes themselves.

The backslash character will escape the native quote, making room for the next reflection point to get full control over the code. See the example below, with 2 variables.

var a = ‘$INPUT’; var b = ‘$INPUT’;

If $INPUT is something like “any\”, value of variable “a” becomes what is highlighted in red.

var a = ‘any\’; var b = ‘any\’;

Because the backslash escapes the native quote of variable “a” and makes the JS parser finding the end of the value in the next quote, the one used to start the value of the next variable “b”. But in the example above it will throw a syntax error: we need to add some code to be executed after the new value of “a” and fix the remaining code.

var a = ‘-alert(1)//\’; var b = ‘-alert(1)//\’;

So a less sign (-) is used to perform an arithmetic operation with our alert function to make it be evaluated/executed and after it a pair of slashes to comment the rest to avoid the syntax error. Any other arithmetic operator or “;” or even a new line character also would make it work as well as the HTML comment (<!–).

By extending the concept to some simple possible scenarios, we have the following XSS cases currently covered by the online XSS PoC tool KNOXSS.

 

Quoteless Inline Double Injection in JS variables
Quoteless Inline Double Injection in JS object
Quoteless Inline Double Injection in JS object with Nested Array
Quoteless Inline Double Injection in JS object with Nested Function

#hack2learn => Take some minutes to figure out how to alert there!

 

All cases deal with the same entry point (same GET or POST variable) reflected twice but it’s also possible to find different entry points and/or more than two reflections in other scenarios. One important thing to remember is those reflections must be in same line.

Another rare but interesting case of quoteless JS injection happens when input lands in backticks delimited variable value:

var a = `$INPUT`;

Which gives room for execution by having ${alert(1)} as $INPUT.

var a = `$alert(1)`;

If the dollar sign ($) is being correctly sanitized we can still use the previous trick with backticks also, this time even in multiple lines:

var a = `-alert(1)//\`;
var b =
`-alert(1)//\`;

#hack2learn