Javascript for hackers part 2

By Gareth Heyes (@hackvertor)

Published 18 years 5 months ago • Last updated March 22, 2025 • ⏱️ 4 min read

In my second part of Javascript for hackers I shall be showing how pointless it is to ban the use of document, location etc within form variables.

You can create some truly amazing strings which are unreadable to the human eye, many more vectors are available on the sla.ckers thread I created but I'll show the juicy ones here.

First off what has it to do with XSS you may ask? With these character combinations you can allow access to javascript objects that was previously filtered out. If you're developing any sort of serious blacklist filter then you need to consider as much as possible. In future sites may be communicating with each other via Javascript and to do this you must know what is harmful and what is not.

Ok boring bit over with now onto the good stuff :) The following vectors were only tested on Firefox but the same sort of encoding may also work on other browsers with a bit of hacking.

The basic vector

<pre lang="javascript">0['eval']('alert(1)')</pre>

In case you didn't know, in Firefox it's possible to call the eval function from pretty much anywhere. So in the example above zero could be 1 + 1 or new Date() or any expression at all. The first part therefore holds the reference to the eval function and the second part calls the function you want, in this case alert.

Backslash escapes

To take our vector a stage further we can also add backslash escapes, in javascript when a character is escaped that doesn't have special meaning it is returned as normal.

Encoding strings

Octal encoding, notice how the 'e' is created:-

<pre lang="javascript">0['\145val']('alert(1)')</pre>

Hex encoding:-

<pre lang="javascript">0['\x65val']('alert(1)')</pre>

Unicode:-

<pre lang="javascript">0['\u0065val']('alert(1)')</pre>

Javascript allows many different types of encoding within strings and it's quite easy to obscure the code. The above examples shows how each different encoding replaces the letter "e" in the vector. This could be applied to the entire string but I only replaced one letter to make it easy to see what is going on.

Encoding nearly everything

Unicode vector:-

The above vector in plain text:-

<pre lang="javascript">alert(1)</pre>

You can also encode javascript objects, functions or operators using unicode. The example above calls a simple "alert(1)" function. Why did I say nearly everything? It seems Javascript only allows you to encode the first quoting character of a string, the second must be in plain text in order for the vector to work. Look at the example below to understand this:-

Encoded vector, notice the last single quote cannot be encoded:-

In plain text:-

<pre lang="javascript">alert('Hello')</pre>

The final vectors

Vector 1:-

Vector 2:-

Both vectors are based on the original one in the article with slight variations in quoting characters:-

<pre lang="javascript">0['eval']('alert(1)')</pre>

So as you can see from the above filtering out "document" won't get you anywhere, you need to consider all possible variations. Both vectors use a combination of unicode, hex and octal encoding to produce the required code.

I'm not just gonna leave it there either :) there is one final vector which you have to consider, say for instance you filter out the "" character to prevent these sort of attacks, the url also allows entities so it's possible to encode the attacks mentioned again with html entities. For example:-

Becomes:-

Crazy eh? That actually works heh. You may be wondering how I manage to create all these vectors?...well I can scan javascript code and unicode tables in my head and automatically perform the conversions in nano seconds...joke. I use my Hackvertor tool to do the hard work for me :D

← Back to articles