
I am looking at XSS Game and this one challenge called Jeff.

The challenge takes a query parameter called jeff as input, and stores it in a variable named jeff. The goal of the challenge is to load an alert box on the page. The solution uses hyphens to run JavaScript within an eval() function.

So, we have this eval:

eval(`ma = "Ma name ${jeff}"`)

And the solution input to get an alert box is (Spoiler alert! No pun intended.):

"-alert(1337)-"

Now, I am in desperate need of understanding how JavaScript treats those hyphens! Help!?

maritio_o
    The result of the eval is `ma = "Ma name "-alert(1337)-""`, so it's the initial quote that's important, not the hyphens (which are just treated as normal subtractions). `";alert(1337);//` would be another valid solution. – cmbuckley Mar 08 '20 at 23:44
  • Yeah, reading the linked post 10 times does not give me any good clues as to how JavaScript treats the hyphen to make the XSS work. – maritio_o Mar 08 '20 at 23:45
  • You're right - this doesn't result in a unary operator (e.g. `ma = -x`), it results in 2 standard operators, e.g. `ma = A - B - C`. – cmbuckley Mar 08 '20 at 23:48
  • Thanks, @cmbuckley. The initial quotes make sense; I solved it with the semicolon myself. I still don't understand the hyphens' role in making the alert work. Why would it work to subtract, but not to use plus instead? – maritio_o Mar 08 '20 at 23:54
  • @Quentin I don't think this has anything to do with unary -. The - is needed (on both sides) to make the syntax valid when connecting the end of the first string literal with an expression that follows it. – CertainPerformance Mar 08 '20 at 23:57
  • It doesn't really matter *which* operator you use. It's an operator and you can separate expressions with operators. – Quentin Mar 08 '20 at 23:58

1 Answer


The code that the site uses is:

let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
eval(`ma = "Ma name ${jeff}"`)

Note that searchParams gives you a URLSearchParams object, and its .get method gives you a string corresponding to the parameter. So, the objective is to come up with some characters that, when inserted into

ma = "Ma name <CHARACTERS>"

and run, results in arbitrary code execution.

First step is to surround the characters in "s, so as to end the string literal after the name and resume a string literal after the CHARACTERS:

ma = "Ma name " <SOMETHING ELSE> ""

So now you need to figure out what sort of characters can go into <SOMETHING ELSE> which will result in valid JavaScript code.

If you just put in alert(), that won't be valid:

ma = "Ma name " alert() ""

That's a syntax error. You need something to indicate what the alert has to do with the string literal token that comes just before it. A - can do the trick, but so could any other operator, like +, %, and so on. You also need to connect the end of the alert with the resumed string literal, thus the need for another operator at the end:

ma = "Ma name "-alert('foo')-""
//            ^^^^^^^^^^^^^^^^

So, the characters that need to be inserted are:

"-alert('foo')-"

Note that because the string is delivered inside of a search parameter, a + won't be interpreted as the literal character +; rather, it'll be interpreted as a space. So jeff="+alert(1337)+" won't work, but jeff="%2balert(1337)%2b" will.

Semicolons work as well, because they result in:

ma = "Ma name " <SOMETHING ELSE> ""
ma = "Ma name "; alert()        ;""

which is valid syntax.

CertainPerformance
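The following is an added example, not code from the XSS Game or from the answer above. It reproduces the challenge's template as a pure function so the source that eval() would receive can be inspected, uses a compile-only check to show which of the inputs discussed here parse as JavaScript and which do not, replays the + versus %2b decoding through URLSearchParams, and ends with the hardened form in which the parameter is only ever concatenated as data. The function names buildEvalSource, isValidJs, jeffFromQuery and safeGreeting and the example.invalid host are assumptions made for this example; the payload strings are the ones already quoted on this page.

```javascript
// Added example, not code from the XSS Game or from the answer above.
// All function names and the example.invalid host are assumptions.

// The challenge's sink minus the eval(): returns the exact source text
// that eval() would be handed for a given value of jeff.
function buildEvalSource(jeff) {
  return `ma = "Ma name ${jeff}"`;
}

// Compile-only check: new Function() parses the source but never runs it,
// so nothing is executed (no alert call); only the syntax is tested.
function isValidJs(source) {
  try {
    new Function(source);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Decode the jeff parameter from a raw query string the way the challenge
// does: URLSearchParams turns '+' into a space and '%2b' into a literal '+'.
function jeffFromQuery(query) {
  const url = new URL('https://example.invalid/?' + query);
  return url.searchParams.get('jeff') || 'JEFFF';
}

// Hardened form: the input is concatenated as data and never parsed as
// code, so no value of jeff can change what the page executes.
function safeGreeting(jeff) {
  return 'Ma name ' + jeff;
}

// Walk through the inputs discussed on the page (constructed sample data).
function demo() {
  const rows = [
    ['"-alert(1337)-"', 'operators join the three expressions'],
    ['" alert() "', 'no operator between tokens: syntax error'],
    ['";alert(1337);//"', 'statement separator plus a line comment'],
  ];
  for (const [jeff, why] of rows) {
    const src = buildEvalSource(jeff);
    console.log(isValidJs(src) ? 'parses  ' : 'rejected', JSON.stringify(src), '-', why);
  }
  // The same payload sent two ways through the query string.
  for (const q of ['jeff="+alert(1337)+"', 'jeff=%22%2balert(1337)%2b%22']) {
    const jeff = jeffFromQuery(q);
    const verdict = isValidJs(buildEvalSource(jeff)) ? 'parses' : 'rejected';
    console.log(q, '->', JSON.stringify(jeff), verdict);
  }
  console.log('safe:', safeGreeting('"-alert(1337)-"'));
}

demo();
```

Run it with node; the first loop shows that the hyphen and semicolon variants produce a parseable source while the bare `" alert() "` variant does not, the second loop shows the raw `+` arriving as a space and `%2b` arriving as `+`, and the last line shows that with plain concatenation the same characters are just part of the greeting text. The practical takeaway for a reviewer is the sink, not the operator: any eval() or Function() call whose source embeds request data is this bug, regardless of which separator the input uses.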