Skip to content

Releases: djsubstance/Essential-JS-or-PHP-one-liners

Attack Examples and advanced Javascript/Typescript

12 Feb 04:29
@djsubstance djsubstance
JS-PrototypePollution
df8717d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
Attack Examples and advanced Javascript/Typescript Pre-release
Pre-release

Anonymous Javascript functions in PWA's and Dynamic React / NodeJS based sites and exploitation and mitigation:

Most apps now a days are becoming more dynamic and most definately cloud based which is introducing lots of great features and options but it also was never meant to have certain virtual devices "talk" to eachother. For insance Akamai's "Kona" WAF and your next hop a Load Balancer or reverse proxy.

-> https://cloudbounty.site.com -> [REV PROXY] physcial device -> [KONA] WAF inline between the LB's and Rev Prox. This is a typical setup, however I dont think enough people understand how the various web based protection devices headers can vary so much and act different .. in so many contexts. for instance I will bust out IE 7 to browse and pentest, cause it allows certain features current browsers have disabled.

TBC

[IIFE](https://developer.mozilla.org/en-US/docs/Glossary/Self-Executing_Anonymous_Function)
This attack is gaining popularity in bug bounties and it should be more discussed and explored.
`
An IIFE (Immediately Invoked Function Expression) is a JavaScript Method or Function that runs as soon as it is defined.
This can be thought of similar to jQuerys $ function() - which i would call a constructor (in a way)

If you arent fam. with jQuery, its worth learning - before if you wanted to execute an anonymous function upon DOMReady:

(function( $ ){
   $.fn.myfunction = function() {
      alert('hello world');
      return this;
   }; 
})( jQuery );

```   - Thats too many lines of code now a days we can : 
With jQuery you select (query) HTML elements and perform "actions" on them.

jQuery Syntax
The jQuery syntax is tailor-made for selecting HTML elements and performing some action on the element(s).

Basic syntax is: $(selector).action()

A $ sign to define/access jQuery
A (selector) to "query (
or find)" HTML elements
A jQuery action() to be performed on the element(s)
Examples:

$(this).hide() - hides the current element.

$("p").hide() - hides all <p> elements.

$(".test").hide() - hides all elements with class="test".

$("#test").hide() - hides the element with id="test".






**
(function () {
  // …
})();

(() => {
  // …
})();

(async () => {
  // …
})();

**
Assets 2
Loading