That leads to some broken script blocks and when the injection context is one of those sections, injection won’t work since the whole executing context is dismissed.
Some pages are not intended to be loaded alone with direct browser access. They are part of some other code in which the missing object is properly declared and defined.
Check the following as an example and exercise.
That’s a modular page where 2 other pages get called: “undefined1.php” and “undefined2.php” (as commented in source code).
XSS is not possible in “defined” page while it’s possible in “undefined” ones.
1st Case – Missing Object With Property
If we try to inject in “undefined1.php” with just a string breakout and “concatenate” with arithmetic operators (or simply separating commands with semicolon), a ReferenceError is thrown:
So here’s the successful payload:
2nd Case – Missing Object With Method
Again, a regular injection with syntax fixing won’t make the popup appear.
(it’s possible to save the second semicolon because alert(1)(”) is a valid construct)
By following the previous case we are tempted to employ the same solution but this time we also need to declare the object’s method which is not possible in the same injection:
The solution lies in hijacking an existing global function: by declaring a called undeclared function (CVE case below) or declaring again an existing function called in a valid code section (window object methods for example) we can override it with our own code.
Since the current script block can’t be fixed, hoisting is just used to create that specific function in the injected script block.
The function “atob” is used in the next script block of the page making it possible to be used in our injection. We declare a function with the same name and then it now carries the code we use in declaration (“alert(1)”). When it gets called in the next script block it calls the popup.
In CVE-2020-13483 regarding a WAF bypass in Bitrix24 CMS, this last hoisting technique is mandatory to achieve XSS. Details are given here including a PoC which can be shortened for better understanding as follows:
— Brute Logic (@brutelogic) January 17, 2022
Those and some more “Hybrid XSS” cases (input reflected in source code and triggered by JS code in DOM) are handled successfully by our online XSS PoC tool KNOXSS (with 2nd case available in v3.2.0 and up). Check it out!