4

I'm trying to make a PoC of reflected Cross-Site Scripting on a website that I'm testing right now. I've found a place inside of a Javascript code where commands can be injected, however the trouble is that there the previous block of code throws a 'not defined' error and therefore (at least I think so) my injected code is not executed. Is there any chance to execute the code anyway?

Here is the code:

UndefinedObject.Init({
  Var1:"a",
  Var2:"b",
  Var3:"can_be_injected_with_JS_code")}

I can't inject any HTML tags as these are filtered by the application.

Many thanks!

Improve this question
4
  • You can try to use the event 'onerror'. Althought it's main task for image tags, try that to continue to execute the code. Commented Jul 14, 2011 at 12:36
  • Could you please be more specific? I've tried to bound the onerror event to 'window' and 'UndefinedObject', haven't have any luck so far, though. Commented Jul 14, 2011 at 13:23
  • Compare to try and catch you can't bind this event to a specific exception. This has more general effect. For more information see javascriptkit.com/javatutors/error.shtml . Commented Jul 14, 2011 at 13:51
  • Thank you for the link. If I understand the information correctly, the onerror event is not usable for me as well as I would have to define it before the code throwing the error. In my case, I'm able to inject my code only after the erroneous piece of code. Commented Jul 14, 2011 at 14:14

4 Answers 4

Reset to default
1

Wrap them under try catch block.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

In a sequence of execution, if the code fails, the remaining part will not be executed. Javascript errors ("Exceptions") can be caught using try...catch (if you are able to inject this try - catch also).

If there is a different flow (via another event), the code will continue.

Improve this answer

Comments

1

You can either try using a try-catch, or if that won't help, try using window.onerror

Improve this answer

Comments

1

Generally the right way of doing that is using try-catch-finally or try-finally:

If you make something about the error - log or do something else. Catch may be also used to execute your code, but not a good practice. You can do nothing about the error if you want, that`s why finally is used.

Finally is used when it is important to execute a piece of code, no matter if an error is thrown or not. For example in C++ or other language when you work with files inside finally the file is closed ( you can not leave it opened ). Look here for some examples.

Improve this answer

1 Comment

I'm familiar with try/catch/finally, but as far as I know, I'd have to be able to place the try statement BEFORE the UndefinedObject.Init method which is unfortunately not the case here, I'm able to inject the code as late as by the Var3 variable.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.