Code Injection
Overview
Instead of random injection attempts, build payload gradually based on knowledge to track how it looks when reaching the target function.
The onError String
The onError string that later reaches eval(onError) is built from the user input text:
    `throw({message: 'The input "${text}" contains the following invalid characters: [${text.match(/['"`;]/g)}]', statusCode: 403})`
With text = ";" it becomes:
    throw {
      message: 'The input ";" contains the following invalid characters: [;]',
      statusCode: 403,
    };
Injection Points
1. "${text}" → the entire input is placed here
2. [${text.match(...)}] → only the match output is placed here
Best target: the first injection point, "${text}"
Building the Payload
Step 1: Escape the String
The string starts with 'The..., so a single quote closes it (payload: ')
✗ Broken syntax - will crash
Step 2: Comment Out Rest
Add // to comment out the remaining code (payload: '//)
✗ Still broken - uneven parentheses
Step 3: Close Parentheses/Braces
Close the opening ({ with }) before the comment:
✓ Valid JavaScript!
Payload so far: '})//
Three Rules for Injection
1. Comment out: use // to ignore the rest of the code
2. Even quotes/parens: close every opened {, (, ', "
3. No syntax errors: make sure the resulting code runs without crashing
Handling Syntax Errors
If function expects variables:
If multi-line string:
JSON Escaping
Remember to escape double quotes in JSON body:
Code Injection Attempt
Payload
Expected Result
Send Request
Response:
Check Console
Debug Console (CMD/CTRL+SHIFT+Y)... Nothing logged! ✗
Debugging the Failure
Set Breakpoint
Line 9 on eval(onError) → inspect the onError value
Copy Value
As Executed Code
Code looks correct... so why didn't it work?
The Problem: throw Statement
In VSCode the injected code appears transparent (dimmed), which means it is never reached!
Reason: the throw statement stops execution immediately, before the injected code runs.
The Fix: Same Line Execution
Problem
; starts a new statement, so throw runs first and the code after it never executes
Solution
Use + instead of ; to chain expressions on same line
New Payload
Result
Working Payload Analysis
Payload: '})+console.log('pwned')//
  '                     Close the string
  }                     Close the object
  )                     Close throw()
  +                     Chain expression (same line)
  console.log('pwned')  Injected code
  //                    Comment out rest
As Executed
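As an added example (not code from the course or these notes), the onError template from the section above is rendered for the ";" case and for the working payload, beside a hardened validateString that builds the same error without eval; the names INVALID_CHARS, renderOnError and validateStringSafe are chosen here, not taken from the target.

```javascript
// Added example, not the page's own code: the vulnerable onError pattern the
// notes describe (a template string later passed to eval) next to a version
// that builds the same error without eval, so input stays data, never code.
const INVALID_CHARS = /['"`;]/g;

// Vulnerable shape: this is exactly the string that eval(onError) receives.
// It is returned instead of evaluated so the rendered code can be inspected.
function renderOnError(text) {
  return `throw({message: 'The input "${text}" contains the following invalid characters: [${text.match(INVALID_CHARS)}]', statusCode: 403})`;
}

// Hardened shape: same check and same message, but the error is a plain
// object built in code. Quotes, braces or // in the input only change the
// message text; there is no string-to-code step left for them to reach.
function validateStringSafe(text) {
  const bad = text.match(INVALID_CHARS);
  if (!bad) return null; // nothing invalid, nothing to report
  const err = new Error(`The input "${text}" contains the following invalid characters: [${bad}]`);
  err.statusCode = 403;
  return err; // the caller throws this; no eval involved
}

// Constructed inputs: the page's ";" case and its working payload.
for (const text of [';', "'})+console.log('pwned')//"]) {
  console.log('rendered for eval:', renderOnError(text));
  console.log('safe error:      ', validateStringSafe(text).message);
}
```

In the rendered string the payload's quote, brace and parenthesis land in code position; in the hardened version the same characters are merely listed in the message.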
Updated Checklist
1. Hit the validateString function ✓
2. Trace how input looks within function ✓
3. Obtain an admin role ✓
4. Confirm we reach the eval function ✓
5. Prepare the payload ✓
6. Confirm payload reaches target as intended ✓
7. Inject code and confirm injection ✓
8. Reach command execution or file writing ⏳
9. Blindly verify command execution/file writing ⏳
10. Automate exploitation (write exploit) ⏳
Key Lessons Learned
1. Build Payload Gradually
Don't guess - construct based on knowledge of the code.
2. Understand JavaScript Execution
throw stops execution
; starts a new statement
+ chains on the same line
3. Debug When Stuck
Set breakpoints
Inspect variable values
Check if code is reachable
4. VSCode Hints
Transparent/dimmed code = unreachable code
5. JSON Escaping
Always escape " in JSON payloads: \"
Summary
Breaking syntax → Close all quotes/parens
Dangling code → Comment with //
Code after throw → Use + instead of ;
JSON breaking → Escape double quotes
Next: Turn code injection → command execution (RCE)