
From "Low-Impact" RXSS to Credential Stealer A JS-in-JS Walk... #1345

Merged
carlospolop merged 2 commits into master from
update_From__Low-Impact__RXSS_to_Credential_Stealer__A_JS_20250827_063121
Aug 28, 2025

@carlospolop

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Reflected XSS on Login Page via JS-in-JS Sink

Context and Root Cause

A reflected XSS (RXSS) exists on a login page due to a JS-in-JS sink: a server-side echo of query parameter l is inserted inside a quoted JavaScript string in an inline script.

<script>
  /* ... */
  var AspInterfaceLanguage = "test"; // ← user-controlled via ?l=
  /* ... */
</script>

Because attacker input lands in a JS string, closing the string, in...

🔧 Technical Details

JS-in-JS string injection pattern: When user input is echoed inside a quoted JS string, close the string with ", terminate with ;, run payload, then repair with ; a = ". Generic skeleton: ?param=test";<INJECTION>;a=". This executes attacker JS without needing an HTML context.

Unicode-based WAF/backend bypass: Replace flagged identifiers with Unicode escapes to evade naive filters while producing identical runtime co...

🤖 Agent Actions

I explored the repository and found the most relevant section to update is pentesting-web/xss-cross-site-scripting. I reviewed multiple related files to ensure the content wasn’t already present and to match HackTricks style:

  • src/pentesting-web/xss-cross-site-scripting/README.md
  • src/pentesting-web/xss-cross-site-scripting/js-hoisting.md
  • src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md
  • src/pentesting-web/xss-cross-site-scripting/steal-info-js.md
  • src/pentesting-web/xss-cross-site-scripting/dom-xss.md

What I added/updated:

  1. XSS README (JS-in-JS string injection, Unicode WAF bypass, eval(atob) scope nuance, and handler hijack)
  • Added a concise “JS-in-JS string break → inject → repair” pattern under “Inside JS code” with a generic URL skeleton like ?param=test";<INJE...

✅ Review Checklist

  • Content is technically accurate
  • Formatting follows HackTricks style guidelines
  • Links and references are working
  • Content adds educational value
  • No sensitive information is exposed

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
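Added example, not part of the PR or the original blog post: the server-side echo described in the summary above, shown beside a hardened rendering for the same inline-script sink. The function names `renderVulnerable`, `jsStringLiteral`, `renderHardened` and `normalizeLang` are hypothetical, and treating `l` as a language tag with an `en` fallback is an assumption.

```javascript
// Added example (hypothetical helper names; not code from the PR or the blog post).

// Vulnerable pattern from the summary: the raw value of ?l= is concatenated
// into a quoted JavaScript string inside an inline <script>.
function renderVulnerable(lang) {
  return '<script>\n  var AspInterfaceLanguage = "' + lang + '";\n</script>';
}

// Context-aware encoding for "a JS string inside an inline <script>".
// JSON.stringify escapes the quote, the backslash and control characters, so
// the value cannot close the string. The second pass escapes <, > and & so it
// cannot close the script element either, plus U+2028/U+2029, which older JS
// engines treat as line terminators inside string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened rendering: the encoder emits the surrounding quotes itself, so the
// template never places untrusted text between hand-written quotes.
function renderHardened(lang) {
  return '<script>\n  var AspInterfaceLanguage = ' + jsStringLiteral(lang) + ';\n</script>';
}

// Defence in depth (assumption: ?l= carries a language tag). Anything that
// does not look like one is replaced by a fixed default before rendering.
function normalizeLang(lang) {
  const s = String(lang);
  return /^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})?$/.test(s) ? s : 'en';
}

// Constructed inputs: the generic skeleton quoted in the summary, and a value
// that tries to end the script element instead of the string.
const SAMPLE_SKELETON = 'test";<INJECTION>;a="';
const SAMPLE_TAG_CLOSE = '</script>';

console.log(renderVulnerable(SAMPLE_SKELETON)); // string is closed early
console.log(renderHardened(SAMPLE_SKELETON));   // stays one string literal
console.log(renderHardened(normalizeLang(SAMPLE_TAG_CLOSE))); // falls back to "en"
```

Encoding has to match the sink: HTML-entity encoding alone does not protect a value reflected into a JavaScript string, which is why the encoder above targets the JS-string-in-script context specifically.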

@carlospolop

🔗 Additional Context

Original Blog Post: https://r3verii.github.io/bugbounty/2025/08/25/rxss-credential-stealer.html

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking > XSS - JS-in-JS string injection, Unicode WAF bypass, and handler hijack".

Repository Maintenance:

  • MD Files Formatting: 873 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop

merge

github-actions Bot force-pushed the master branch 4 times, most recently from 517bbc5 to f26cca6 (August 28, 2025 16:04)
carlospolop merged commit 48db06e into master Aug 28, 2025
carlospolop deleted the update_From__Low-Impact__RXSS_to_Credential_Stealer__A_JS_20250827_063121 branch August 28, 2025 18:02
github-actions Bot pushed a commit that referenced this pull request Aug 28, 2025
…__RXSS_to_Credential_Stealer__A_JS_20250827_063121

From "Low-Impact" RXSS to Credential Stealer A JS-in-JS Walk...