Hidden javascript properties

Thursday, 6 March 2008

Javascript contains hidden properties in many objects, I first discovered this when DoctorDan from the slackers forum demonstrated a technique to get the text from a regular expression object without specifying the source property. Later I found a post by John Resig about weird IE behavior again with -1 properties.

So I decided to experiment and write a little script to investigate further. I discovered that it’s possible to access strings of global object names. For example:-

alert(Boolean[-6]);
alert(typeof Boolean[-6]);

It seems that Firefox at least stores names of objects in “-6”, the example above returns the value “Boolean” as a string. Here’s a few examples I posted slackers which use Objects to create strings.

This is the simple script I wrote to find the properties, feel free to experiment and find any other “hidden” gems.

function inspectObject(obj) {
 var prop;
 var props = [];
 for(var i=-1000;i<1000;i++) {
  if(i > 0) {
     prop = obj[String.fromCharCode(i)];
     if(prop != null) {
      props.push(String.fromCharCode(i) + '=' + prop);
     }  
  } else {
     prop = obj[i];
     if(prop != null) {
      props.push(i + '=' + prop);
    }
  }
 }
 return props;
}

x=function x(){};
inspectObject(x)

The entry 'Hidden javascript properties' was posted on March 6th, 2008 at 9:29 pm and is filed under javascript, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

6 Responses to “Hidden javascript properties”

  1. .mario writes:
    No. 1 — March 6th, 2008 at 10:24 pm

    This is one impressive piece of finding. And – I mean… what is wrong with this language? πŸ™‚

    alert[-3].eval(‘alert(1)’)

  2. Gareth Heyes writes:
    No. 2 — March 6th, 2008 at 10:25 pm

    Yeah it’s the language of hackers πŸ˜€

  3. Ronald writes:
    No. 3 — March 7th, 2008 at 12:44 am

    hehe cool stuff. πŸ™‚

    I was busy myself with investigating js parsing time of objects in Opera, found out that a location.assign takes 320 millisec to load, in that time it’s possible to access the DOM of another page. Sadly, after it, it loads the new assigned url πŸ™ pity, i thought I found a gem in Opera to read cross-domain.

  4. Gareth Heyes writes:
    No. 4 — March 7th, 2008 at 12:30 pm

    Cheers Ronald πŸ™‚

    Sounds interesting I’ll stay tuned to your blog πŸ™‚

  5. thornmaker writes:
    No. 5 — March 7th, 2008 at 8:40 pm

    I remember playing with some of the negative references when I first saw the /foo/[-1] trick, but I never noticed this! very cool find!

  6. Gareth Heyes writes:
    No. 6 — March 8th, 2008 at 9:14 am

    @thornmaker

    Thanks πŸ™‚

    It appears that FF beta uses -5 instead of -6 which I found interesting.

«
»