Hi all
This is old, like a few years old, but maybe you guys haven't heard of it.
Anyways, a Japanese security researcher called Yosuke Hasegawa posted on the
slackers forums a bit of JavaScript that executed without alphanumeric
characters, and then all hell broke loose. We came up with various techniques
to shorten and improve it. The JS wall, as it's called, is the limit of
characters required to execute JavaScript without using alphanumeric
characters; we found this limit to be 6, which we think is unbreakable,
please by all means try.
The technique abuses the loosely typed nature of JavaScript; for example,
true and false can be converted into the strings "true" and "false". We can
then use the letters to obtain new objects, which eventually lead to the
window object and to executing code of your choice. How does this look in
code? Well, let's say you want the letter "o". You could use the object
literal to obtain "o", as it returns "[object Object]" when toString is
called. The first step would be to convert your object literal into a
string:-
1. [{}]+[]//[object Object]
The next step is to get the character at index "1" of the string. Here I'm
using an intentional character limit of "{}[]+", so we obtain "1" by using
some tricks to convert an object to "0" and then increment it.
2. +[]//0
Now we have "0" we need to increment it to 1.
3. ++[+[]][+[]]//1
Finally we combine all of those together to get "o":
4. alert([[{}]+[]][+[]][++[+[]][+[]]])//"o"
So to understand this:
//FF only
ω=[[Ṫ,Ŕ,,É,,Á,Ĺ,Ś,,,Ó,Ḃ]=!''+[!{}]+{}][Ś+Ó+Ŕ+Ṫ],ω()[Á+Ĺ+É+Ŕ+Ṫ](ω()[Ḃ+Ṫ+Ó+Á]('%#'))
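As an added example (this is not code from Gareth's post or from the slackers
threads), here are the four steps above written as plain JavaScript functions
so you can confirm what each coercion returns, plus the boolean-to-string
coercion the post mentions. The last function is my own addition for the
defender side: a heuristic, with a constructed length threshold, that flags
input consisting solely of the punctuation these payloads are built from. The
point for anyone maintaining a filter is that blocking alphanumeric keywords
such as "alert" does not stop JavaScript from executing.

```javascript
// Added example: the coercion steps from the post, evaluated one at a time.

// Step 1: an object literal inside an array, concatenated with an empty
// array, is coerced to the string "[object Object]".
function step1() {
  return [{}] + [];
}

// Step 2: unary plus on an empty array coerces it to the number 0.
function step2() {
  return +[];
}

// Step 3: wrap that 0 in an array, index element 0, and pre-increment it.
// The result is the number 1, still using only the characters [ ] + .
function step3() {
  return ++[+[]][+[]];
}

// Step 4: put the "[object Object]" string in an array, index it at 0, then
// index the string at 1 to obtain the letter "o".
function step4() {
  return [[{}] + []][+[]][++[+[]][+[]]];
}

// The loosely typed booleans the post refers to: !'' is true, ![] is false,
// and adding [] coerces each to its string form.
function boolStrings() {
  return [!'' + [], ![] + []];
}

// Defender-side heuristic (my addition, not from the post). It flags a string
// that, once whitespace is removed, is at least minLen characters long and is
// made only of the characters [ ] { } ( ) + ! that these payloads rely on.
// The threshold of 6 is a constructed default, not a property of the wall.
function looksLikeNonAlnumJS(s, minLen = 6) {
  const stripped = s.replace(/\s/g, '');
  return stripped.length >= minLen && /^[\[\]{}()+!]+$/.test(stripped);
}
```

Usage: step4() returns "o" and boolStrings() returns ["true", "false"], which
are the building blocks the post describes. looksLikeNonAlnumJS only catches
the pure-punctuation form; the Firefox-only variant above uses non-ASCII
identifiers and other characters, so a real filter cannot rely on a character
blacklist and should instead avoid reflecting untrusted input into a script
context at all.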
You should read these ;) :
YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL):-
http://sla.ckers.org/forum/read.php?24,32930
Diminuitive NonAlNum JS - Arbitrary:-
http://sla.ckers.org/forum/read.php?24,35081
Java/script: no alnum cheat sheets:-
http://sla.ckers.org/forum/read.php?24,33349
Diminutive JS Code Challenge, from OWASP:-
http://sla.ckers.org/forum/read.php?24,30015
Cheers
Gareth
--
To view archived discussions from the original JSMentors Mailman list:
http://www.mail-archive.com/[email protected]/
To search via a non-Google archive, visit here:
http://www.mail-archive.com/[email protected]/
To unsubscribe from this group, send email to
[email protected]