Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Synthetics Recorder: Code injection when recording website with malicious content- 1140

dee-see - HackerOne, posted 2 years ago
  • Escaping input is very important when trying to prevent XSS, code injection and many other classes of vulnerabilities. However, escaping is context dependent: in one context a single quote is the character that breaks the system, in another it is a different character entirely. Knowing when to escape what is what really matters.
  • In this report, the user provides a URL that the recorder will navigate to. For some reason, the generated code wraps that input in a multiline comment: /*{ url: 'https://example.com' }*/ appears inside the function's parameters. To prevent code injection, the recorder calls quote to escape single and double quotes.
  • The quotes are not the only thing to worry about, though. What about the comment? By closing the comment, an attacker can add their own code: an input such as https://example.com?q=*/.../* terminates the comment and lets arbitrary content land in the JavaScript. In particular, this appears to be a Node.js environment.
  • The final payload to escape the function call and execute JavaScript is as follows:

    Injection point:
    page.waitForNavigation(/*{ url: '
    https://example.com'}*/),

    Payload:
    https://example.com?q=*/require(child_process)
    .exec(touch$IFS/tmp/haxx)/*

    Executed code:
    page.waitForNavigation(/*{ url: '
    https://example.com?q=*/require(`child_process`)
    .exec(`touch$IFS/tmp/dee-see`)/*' }*/),

  • A pretty interesting case of not escaping inputs properly. True code injection doesn't happen very often but it's sure interesting when it does. Good report!
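To make the context problem concrete, here is an added example written for this page (not the recorder's code and not the reporter's payload). The quote() stand-in, renderNaive, commentBreakout and renderSafe are assumed names that model the pattern: quotes get escaped, but nothing stops the user's text from closing the block comment it is placed in.

```javascript
// Constructed stand-in for the recorder's quote() helper described in the
// report: it escapes backslashes, single quotes and double quotes only.
function quote(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/"/g, '\\"');
}

// Vulnerable pattern: the user-controlled URL is embedded inside a
// JavaScript block comment. quote() cannot prevent "*/" from ending
// that comment, because escape sequences mean nothing inside a comment.
function renderNaive(url) {
  return `page.waitForNavigation(/*{ url: '${quote(url)}' }*/),`;
}

// Defensive check for generated output: the template adds exactly one
// "*/" at the end, so if the first "*/" in the rendered line is not also
// the last one, the embedded value closed the comment early.
function commentBreakout(rendered) {
  const first = rendered.indexOf("*/");
  const last = rendered.lastIndexOf("*/");
  return first !== -1 && first !== last;
}

// Hardened pattern: parse the value as a URL (rejects non-URLs), then
// percent-encode every "*" so the sequence "*/" can never appear inside
// the comment. Moving the value out of the comment entirely would be the
// stronger fix; this keeps the recorder's existing template shape.
function renderSafe(url) {
  const parsed = new URL(url); // throws on anything that is not a URL
  const encoded = parsed.href.replace(/\*/g, "%2A");
  return `page.waitForNavigation(/*{ url: '${quote(encoded)}' }*/),`;
}
```

A constructed input such as "https://example.com?q=*/x/*" trips commentBreakout on the naive rendering and survives renderSafe as "%2A/x/%2A", still a valid query string.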