How does Javascript treat hyphens?

maritio_o:

I am looking at XSS Game and this one challenge called Jeff.

The challenge takes a query parameter called jeff as input, and stores it in a variable named jeff. The goal of the challenge is to load an alert box on the page. The solution uses hyphens to run Javascript within an eval() function.

So, we have this eval:

eval(`ma = "Ma name ${jeff}"`)

And the solution input to get an alert box is (Spoiler alert! No pun intended.):

"-alert(1337)-"

Now, I am in desperate need of understanding how Javascript treats those hyphens! Help!?

CertainPerformance:

The code that the site uses is:

let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
eval(`ma = "Ma name ${jeff}"`)

Note that searchParams gives you a URLSearchParams object, and its .get method gives you a string corresponding to the parameter. So, the objective is to come up with some characters that, when inserted into

ma = "Ma name <CHARACTERS>"

and run, results in arbitrary code execution.

First step is to surround the characters in "s, so as to end the string literal after the name and resume a string literal after the CHARACTERS:

ma = "Ma name " <SOMETHING ELSE> ""

So now you need to figure out what sort of characters can go into <SOMETHING ELSE> which will result in valid Javascript code.

If you just put in alert(), that won't be valid:

ma = "Ma name " alert() ""

That's a syntax error. You need something to indicate what the alert has to do with the string literal token that comes just before it. A - can do the trick, but so could any other operator, like +, %, and so on. You also need to connect the end of the alert with the resumed string literal, thus the need for another operator at the end:

ma = "Ma name "-alert('foo')-""
//            ^^^^^^^^^^^^^^^^

So, the characters that need to be inserted are:

"-alert('foo')-"

Note that because the string is delivered inside of a search parameter, a + won't be interpreted as the literal character +; rather, it'll be interpreted as a space. So jeff="+alert(1337)+" won't work, but jeff="%2balert(1337)%2b" will.

Semicolons work as well, because they result in:

ma = "Ma name " <SOMETHING ELSE> ""
ma = "Ma name "; alert()        ;""

which is valid syntax.
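The parse rule the answer describes, as an added example that is not part of the question or answer above: it builds the same eval string the challenge does, uses `new Function` to check (compile only, nothing is ever called) which inputs yield valid syntax, shows the +-to-space decoding done by URLSearchParams, and finishes with the eval-free assignment that keeps the parameter as data. The inputs are constructed here; `buildSource`, `isValidJs`, `decodeJeff` and `safeAssign` are names chosen for this example.

```javascript
// Same construction as the challenge: the parameter is spliced into source text.
function buildSource(jeff) {
  return `ma = "Ma name ${jeff}"`;
}

// Parse-only check. `new Function` compiles the text into a function object
// but never invokes it, so an embedded alert() is parsed, not executed.
// Returns true when the text is syntactically valid JavaScript.
function isValidJs(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Mirrors the site: URLSearchParams decodes '+' to a space and '%2b' to '+'.
function decodeJeff(queryString) {
  return new URLSearchParams(queryString).get('jeff');
}

// Mitigation: treat the value as data. Plain concatenation cannot change the
// statement structure, whatever characters the parameter contains.
function safeAssign(jeff) {
  return 'Ma name ' + jeff;
}

// Constructed inputs, in the same shape as the page's examples.
const samples = {
  plain: 'alert(1337)',        // stays inside the string literal: harmless text
  noOperator: '"alert(1337)"', // "Ma name " alert(1337) ""  -> SyntaxError
  hyphens: '"-alert(1337)-"',  // ("Ma name " - alert(1337)) - ""  -> parses
  semicolons: '";alert(1337);"', // three statements  -> parses
};

function report() {
  const out = {};
  for (const [name, jeff] of Object.entries(samples)) {
    out[name] = isValidJs(buildSource(jeff));
  }
  // The '+' variant only survives URL decoding when percent-encoded.
  out.plusRaw = isValidJs(buildSource(decodeJeff('jeff="+alert(1337)+"')));
  out.plusEncoded = isValidJs(buildSource(decodeJeff('jeff="%2balert(1337)%2b"')));
  return out;
}
```

`report()` returns `{ plain: true, noOperator: false, hyphens: true, semicolons: true, plusRaw: false, plusEncoded: true }`; `plain` is valid because the text never leaves the string literal, which is exactly the distinction the closing quotes exploit.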

Origin http://43.154.161.224:23101/article/api/json?id=301995&siteId=1