Apr 30, 2020

XSS overide functions

One of my friend gave me a JavaScript code and asked to trigger an alert() by changing one variable. So following is simplified code. I removed unwanted parts of the whole code.I posted it on our facebook community too.

So take a look at this code.

var alfa = {
	beta: function(a) {
		var str = 'HacksLand.net';
		var b = str.length;
		var c = a + 5;
		console.log(a);
	},

	gamma : 'JustForFun :-)'  
}

var x =  /* find the value of x to get alert(1)*/ ;

alfa.beta(x);

Hear we have to change variable x. But alert should be generated after the function call. If there is no condition like that we can simply change the code as following.

var x = 5; alert(1);

But if we do as this the alert comes before function call. Also there is no challenge this way.

 

For this challenge we can use a concept in JavaScript JS always try to represent an object in primitive. Let's think there is a n JavaScript object as obj. What happen if we try to add it to a number. JavaScript tries to get the value of the object. Every object have two default methods as valueOf() and toString(). We can try to overide one of these these function to exploit above code. Let's see following example.

var o = {
	valueOf : function() {
		console.log('valueOf() function called');
	}
};

var a = 1 + o;

valueOf function replaced by  our ow function. When we add object to one JavaScript calls o.valueOf() method. So our function get executed.

Now let's focus on our actual challenge. We can use following payload to exploit it.

 

var x = {
toString: function () {
      alert('1');
   }
}

So whenever beta() function called it try to run a.toString() Because it want to convert s to a string So at that point our exploit will run and make an alert(1).

var alfa = {
	beta: function(a) {
		var str = 'HacksLand.net';
		var b = str.length;
		var c = a + 5;
		console.log(a);
	},

	gamma : 'JustForFun :-)'  
}

var x = {
 toString: function () {
   alert('1');
 }
}

alfa.beta(x);

Hear we go.

Hope you learned something new Thank you for reading.

Aug 12
Little endian notation

This is a concept that used for data storing in computer memory. Actually there are two types of....

Oct 17
Command line arguments in C

Hi guys, In this document we are going to see how we can use command line argumentsin C programs .....

Sep 05
PHP MySQL tutorial | create delete and modify tables

This is the second tutorial of our PHP+MySQL tutorial serious.In last tutorial we saw that how we....

Replying to 's comment Cancel reply