Merge pull request #1825 from HackTricks-wiki/research_update_src_pentesting-web_xss-cross-site-scripting_js-hoisting_20260129_155244

carlospolop · web-flow · commit 879ef274a2d0 · 2026-01-29T17:18:57.000+01:00
Research Update Enhanced src/pentesting-web/xss-cross-site-s...
diff --git a/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md b/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md
@@ -133,6 +133,20 @@ let config;` -
 trigger()
 ```
 
+### Hoisting to bypass exception handling
+
+When the sink is wrapped in a `try { x.y(...) } catch { ... }`, **ReferenceError** will stop execution before your payload runs. You can pre-declare the missing identifier so the call survives and your injected expression executes first:
+
+```javascript
+// Original sink (x and y are undefined, but you control INJECT)
+x.y(1,INJECT)
+
+// Payload (ch4n3 2023) – hoist x so the call is parsed; use the first argument position for code exec
+prompt()) ; function x(){} //
+```
+
+`function x(){}` is hoisted before evaluation, so the parser no longer throws on `x.y(...)`; `prompt()` executes before `y` is resolved, then a `TypeError` is thrown after your code has run.
+
 ### Preempt later declarations by locking a name with const
 
 If you can execute before a top-level `function foo(){...}` is parsed, declaring a lexical binding with the same name (e.g., `const foo = ...`) will prevent the later function declaration from rebinding that identifier. This can be abused in RXSS to hijack critical handlers defined later in the page:
@@ -153,11 +167,21 @@ Notes
 - This relies on execution order and global (top-level) scope.
 - If your payload is executed inside `eval()`, remember that `const/let` inside `eval` are block-scoped and won’t create global bindings. Inject a new `<script>` element with the code to establish a true global `const`.
 
+### Dynamic import() with user-controlled specifiers
+
+Server-side rendered apps sometimes forward user input into `import()` to lazy-load components. If a loader such as `import-in-the-middle` is present, wrapper modules are generated from the specifier. Hoisted import evaluation fetches and executes the attacker-controlled module before subsequent lines run, enabling RCE in SSR contexts (see CVE-2023-38704).
+
+### Tooling
+
+Modern scanners started to add explicit hoisting payloads. **KNOXSS v3.6.5** lists "JS Injection with Single Quotes Fixing ReferenceError - Object Hoisting" and "Hoisting Override" test cases; running it against RXSS contexts that throw `ReferenceError`/`TypeError` quickly surfaces hoist-based gadget candidates.
+
 ## References
 
 - [https://jlajara.gitlab.io/Javascript_Hoisting_in_XSS_Scenarios](https://jlajara.gitlab.io/Javascript_Hoisting_in_XSS_Scenarios)
 - [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting)
 - [https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/](https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/)
 - [From "Low-Impact" RXSS to Credential Stealer: A JS-in-JS Walkthrough](https://r3verii.github.io/bugbounty/2025/08/25/rxss-credential-stealer.html)
+- [XSS Exception Bypass using Hoisting (ch4n3, 2023)](https://new-blog.ch4n3.kr/xss-exception-bypass-using-hoisting/)
+- [KNOXSS coverage – hoisting override cases](https://knoxss.pro/?page_id=766)
 
 {{#include ../../banners/hacktricks-training.md}}
