Wednesday, December 1, 2010

Non-Alphanumeric JavaScript

This is not a new topic, but in case people didn't know, it is possible to craft JavaScript using only symbols such as "![]{}+".

The idea is to take the value returned by an expression and collect the letters and/or digits it contains.

So for starters, let's create some numerical values using symbols.

+[]      ->      0  (the unary plus coerces the expression to a Number)

So you can do something like:

$ = +[]  // $ == 0
++$      // $ == 1
--$      // $ == 0

So you can generate all the numerical values you want using the above method. There are other ways to generate numerical values, such as ~[]  ->  -1.

Great, now to generate strings, we will leverage the value returned by an expression.

![]   ->  Boolean false
!![]  ->  Boolean true

![] + ""   ->  "false"  (+ "" coerces the result to a String)
!![] + ""  ->  "true"

So now to collect a specific letter (this works in FF but not IE =( ), access the string as an array:
(![] + "")[0] == "f", (![] + "")[1] == "a", etc. So you can use symbols to generate a numerical value and use it as the index to access a character in the string.

Other letters can be reached through ({} + "") == "[object Object]", so you can extract the text within it using indexing as well. Again, the main idea is to extract the value returned by an expression. As there are many different return values, it is possible to build functional JavaScript using pure symbols.
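The building blocks above, written out as an added example that is not code from the original post: numbers from +[] and ++, strings from ![] + "", !![] + "" and ({} + ""), and letters picked out by index. It goes one step beyond the post by mapping every character those three strings make available and spelling a word from them, and it adds a defender-side heuristic that flags a script whose non-whitespace characters are almost all punctuation. The 0.9 threshold, the function names and the sample script are assumptions made for this example.

```javascript
// Added example, not code from the original post: the building blocks described
// above, written out so each coercion can be checked, plus a simple heuristic
// a defender can use to flag scripts written in this symbol-only style.

// Numbers: unary plus coerces [] to the Number 0; ++ walks upward from there,
// exactly like the post's "$ = +[]; ++$" sequence.
function numberFromSymbols(count) {
  var n = +[];
  for (var i = 0; i < count; i++) {
    ++n;
  }
  return n;
}

// Strings obtained from expression results: ![] is false, !![] is true,
// and appending "" coerces a value to its string form.
var BASE_STRINGS = {
  falseStr: ![] + "",      // "false"
  trueStr: !![] + "",      // "true"
  objectStr: ({} + "")     // "[object Object]"
};

// Letters: index into the coerced strings. The index is itself built from
// symbols, so neither letters nor digits need to appear in the source.
function letterFromSymbols(source, index) {
  return BASE_STRINGS[source][numberFromSymbols(index)];
}

// Map every character reachable from the base strings to its first position.
function reachableAlphabet() {
  var alphabet = {};
  Object.keys(BASE_STRINGS).forEach(function (name) {
    var s = BASE_STRINGS[name];
    for (var i = 0; i < s.length; i++) {
      if (!(s[i] in alphabet)) {
        alphabet[s[i]] = { source: name, index: i };
      }
    }
  });
  return alphabet;
}

// Spell a word using only the reachable characters; null if a character is
// not available from these three strings.
function spellFromSymbols(word) {
  var alphabet = reachableAlphabet();
  var out = "";
  for (var i = 0; i < word.length; i++) {
    var pos = alphabet[word[i]];
    if (!pos) {
      return null;
    }
    out += letterFromSymbols(pos.source, pos.index);
  }
  return out;
}

// Defender side: a script whose non-whitespace characters are almost all
// punctuation is unusual and worth a closer look. The 0.9 threshold is an
// assumption for this example, not a tuned value.
function nonAlphanumericRatio(src) {
  var body = src.replace(/\s+/g, "");
  if (body.length === 0) {
    return 0;
  }
  var symbols = body.replace(/[A-Za-z0-9]/g, "").length;
  return symbols / body.length;
}

function looksSymbolOnly(src) {
  return nonAlphanumericRatio(src) > 0.9;
}

// Constructed sample in the post's style: (![]+"")[+[]] is "f", the next term is "a".
var SAMPLE_SYMBOL_SCRIPT = '(![]+"")[+[]]+(![]+"")[+!![]]';

console.log(spellFromSymbols("object"));            // "object"
console.log(looksSymbolOnly(SAMPLE_SYMBOL_SCRIPT));  // true
console.log(looksSymbolOnly("alert(1)"));            // false
```

Run it with node; the ratio check is deliberately crude, and a real filter would also look at script length and at the density of `[]` and `!` tokens, but it is enough to show why this style stands out to anyone reviewing page scripts.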

Check the following links for more information on non-alphanumeric JavaScript:

http://sla.ckers.org/forum/read.php?24,33349
http://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another.html

Sunday, November 21, 2010

Something I learned from an audit

When auditing a subject, the first thing I want to know is who has ownership of it. I have done a hardware and software inventory audit for my institution, and while I identified many exceptions, there was no department that claimed ownership and management of the inventory. I ended up chasing my tail over and over and wasted precious time reviewing many systems that had inventory information but did not serve as the official collection of inventory maintained for the institution. Therefore, identifying the ownership of a subject should be one of the first things to seek.

Saturday, November 20, 2010

JavaScript alert can execute code?

I don't know if this has been talked about, but it looks like the alert statement does more than display the content within the parentheses. It is possible to execute code within the alert statement.

Normal use of alert would be:

window.alert('hello world');
alert(1);

Executing code:

alert(function() { for(var i = 0; i < 3; i++) alert (i); } ())

The behavior seems to be that it executes the code within the outer alert, displays 0, 1, 2 in message boxes, and then follows with undefined, which is the outer alert statement displaying undefined.

I always thought alert would only display "text", or a variable's content.
I would have expected a JavaScript error from the above statement, but there was none. Can anyone share why this behavior exists?
The above statement works in both IE and Firefox.
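The sequence described in the post, reproduced as an added example that is not code from the original post: the argument to alert() is an ordinary expression, so the engine evaluates it, which here means calling the inner function, before alert itself ever runs. The inner function calls alert three times and returns nothing, so the outer alert receives undefined. A recording stand-in for alert makes that order visible outside a browser; the helper names are assumptions made for this example.

```javascript
// Added example, not code from the original post: a recording stand-in for
// alert() that shows the argument expression being evaluated first. The
// inner function runs (calling alert three times) before the outer alert
// receives its argument, which is the inner function's return value.

// Returns a fake alert plus the list of values it was shown, in order.
function makeRecordingAlert() {
  var shown = [];
  function fakeAlert(value) {
    shown.push(String(value));   // a real alert also stringifies its argument
  }
  return { alert: fakeAlert, shown: shown };
}

// The post's statement with "alert" bound to the recorder instead of window.alert.
function runPostStatement() {
  var rec = makeRecordingAlert();
  var alert = rec.alert;
  alert(function () { for (var i = 0; i < 3; i++) alert(i); }());
  return rec.shown;            // ["0", "1", "2", "undefined"]
}

// Same shape, but the inner function returns a value: the outer alert shows
// that value instead of undefined, which is the whole mechanism at work.
function runWithReturnValue() {
  var rec = makeRecordingAlert();
  var alert = rec.alert;
  alert(function () { for (var i = 0; i < 3; i++) alert(i); return "done"; }());
  return rec.shown;            // ["0", "1", "2", "done"]
}

// What the argument expression evaluates to on its own, with no alert involved.
function innerFunctionResult() {
  return typeof (function () { for (var i = 0; i < 3; i++) { } }());  // "undefined"
}

console.log(runPostStatement());
console.log(runWithReturnValue());
console.log(innerFunctionResult());
```

Nothing about alert is special here: any function call evaluates its argument expressions first, and a function expression followed by () is a call. The same applies to any sink that takes an expression, which is why a review of page scripts should look at what an argument does, not only at the function receiving it.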