Written in 2016.09.21
When it comes to hijacking, the first reaction might be something bad. Function hijacking is not evil, it depends on the person using it. Although this concept is rarely used in the front-end domain, it can be useful in security, custom business, and other scenarios. So, this article will be with you to understand what function hijacking in JS is, what is used.
The basic concept
Function hijacking, as the name suggests, is to hijack a function before it runs, adding the desired functionality. When the function is actually executed, it is no longer the original function, but with the functionality we added. This is one of the principles behind our common hook functions.
At first glance, this looks a lot like rewriting a function. Rewriting a function can also be interpreted as function hijacking, but it’s disgusting. As a hijacker, we should also abide by professional ethics and return the person intact after the kidnapper gains benefits, so we have to call the function back to the original function in the appropriate place.
By extension, in fact, the concept of “hijacking” we often encounter, for example, a website hijacked by the operator, when browsing the website will pop up the operator’s advertising.
Example analysis
Now let’s take a simple example and hijack the alert() function to add a little functionality:
let warn = alert
window.alert = (t) => {
if (confirm('How are you? ')) warn(t)
}
alert('Help me... !!!!!!!!! ')
Copy the codeIf you open the developer tools and try this example, you’ll notice that Help Me will only pop up if you click OK in Confirm… !!!!!!!!! .
Let’s wrap this up into a generic function:
const hijack = (obj, method, fun) => {
let orig = obj[method]
obj[method] = fun(orig)
}
Copy the codeFirst, we define a hijack function, which saves the original function and then executes the custom function, which will be called inside the custom function.
Then we hijack the confirm() function:
hijack(window, 'confirm', (orig) => {
return (text) => {
alert('HELP ME PLZ!!! ')
if (orig.call(this, text)) {
alert('YOU SEEMS FINE AND I AM LEAVING, GOOD BYE! ')}else {
alert('HOLD ON! I AM COMING!! ')}}})Copy the codeThe codepen example is a simple call to confirm()
anti-kidnapping
Create a new page, open your developer tools console, type Alert, and you’ll see something like this:
function alert() { [native code] }
Copy the codeThen, using the code at the beginning of this article, hijack alert() and type alert again on the console. You should see something like this:
function (t) => {
if (confirm('How are you? ')) warn(t)
}
Copy the codeAs you can see from the above example, to see if a function has been hijacked, simply print it out. For a function that is native to the system, [native code] means it is clean and pollution-free.
Function hijacking
In addition to adding functionality to functions, function hijacking can be used to track information about malicious users. A typical XSS attack would first test with an output method such as alert(). In this case, we could hijack the native alert() and feed it the tracking code before releasing the original function. When a malicious user tests alert(), he or she is immediately tracked without being aware of it.
Afterword.
JS function hijacking, also is not what new thing, just in the recent work encountered this knowledge point feeling is relatively strange, so spent some time to carry on the research, and record the results. If you find any mistakes, welcome to correct!
Thank you for reading, welcome to pay attention to my column, I will not regularly share their learning experience, development experience, carrying dry goods outside the wall. See you next time!
References:
- Javascript function to hijack | magical glow
- JavaScript function hijacking – Xie Canyong
- Need to hook into a javascript function call, any way to do this?