So I have learned some additional things regarding non-alphanumeric JavaScript.
Additional ways to run a script expressed as a string:
eval("expression");
Function("expression")();
setTimeout("expression",x);
setInterval("expression",x);
// (0).constructor === Number   (a bare 0.constructor is a syntax error; write (0).constructor or 0..constructor)
// (0).constructor.constructor === Function
From the previous post:
+[] == 0 // unary + converts its operand to a number: [] -> "" -> 0
~[] == -1 // bitwise NOT coerces [] to 0 first, and ~0 is -1
((+[])["constructor"]["constructor"])("expression")();
The "constructor" string can be built from the characters of strings such as "true" and "false", which themselves come from coercions like ![]+"" == "false".
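The following is an added example, not code from the original post, that checks the coercions above with strict equality, follows the constructor chain from a number literal to Function, and spells "constructor" from the coerced strings the post mentions. It also illustrates the later point about quote filters: every string here is produced without typing a quote, digit or letter in the expression, which is why a filter that only strips such characters does not constrain what JavaScript can execute. Names such as `coercionIdentities` and `spellConstructor` are my own.

```javascript
// Added example (not from the original post): the coercions the post relies on,
// checked so the reader can see the exact values they produce.

// Each value is produced without a digit, letter or quote in the expression itself.
function coercionIdentities() {
  return {
    plusEmptyArray: +[],           // ToNumber([]) -> ToNumber("") -> 0
    notEmptyArray: ~[],            // ~ToInt32([]) -> ~0 -> -1
    falseString: ![] + "",         // ![] is false; false + "" is "false"
    trueString: !![] + "",         // "true"
    undefinedString: [][[]] + "",  // [][""] is undefined; undefined + "" is "undefined"
  };
}

// Follow the constructor chain from a number to the Function constructor.
function constructorChain() {
  const zero = +[];
  const numberCtor = zero["constructor"];          // Number
  const functionCtor = numberCtor["constructor"];  // Function
  return {
    isNumber: numberCtor === Number,
    isFunction: functionCtor === Function,
    // Function(source) compiles source text into a callable; a constant
    // return value is enough to prove it executed.
    result: functionCtor("return 6 * 7")(),
  };
}

// Spell "constructor" from characters of the coerced strings above, as the post
// describes. The indices below point into "false", "true", "undefined" and
// "[object Object]" (the string form of an empty object literal).
function spellConstructor() {
  const f = ![] + "";     // "false"
  const t = !![] + "";    // "true"
  const u = [][[]] + "";  // "undefined"
  const o = {} + "";      // "[object Object]"
  return o[5] + o[1] + u[1] + f[3] + t[0] + t[1] + t[2] + o[5] + t[0] + o[1] + t[1];
}

// Confirms the spelled property name reaches Function exactly as the literal does.
function spelledNameReachesFunction() {
  const name = spellConstructor();
  return (+[])[name][name] === Function;
}
```

The practical consequence for a reviewer is that blocklisting quotes, letters or digits in user-controlled script context is not a defence; the string reaches the same `Function` constructor either way. Keep untrusted data out of script context entirely, and rely on contextual output encoding plus a Content Security Policy that disallows `eval`-style execution.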
Another thing I learned is that Array.prototype.sort() returns the object it was called on, so a detached call (where this falls back to the global object in sloppy mode) returns the window object. So one can form an alert through something similar:
a = [], b = a["sort"], c = b(); // window object
d = c["alert"], d("string");
Other things I didn't know, not related to non-alphanumeric JavaScript, but useful against filters.
Some XSS filters block single and double quotes. Ways to obtain a string without writing a quote character:
1. Refer to an external script
2. Use String.fromCharCode()
3. alert(this.attribute_in_an_element) (read the string from an attribute of the current element)
4. Forward-slash regex syntax: /x/.source gives the string "x"
Additional things I didn't know:
["x","y"].sort(alert); ["x","y"].sort(confirm) will display an alert and a confirm dialog with the value "x", because sort passes the array elements to the comparator function as its arguments.