Javascript getters hacking
Thursday, 8 May 2008
I’m a big fan of strange looking Javascript and using the syntax in ways it wasn’t intended, so I can understand the internals of what’s going on. Tonight I was having trouble sleeping and I decided to try and bypass the PHPIDS, I found that Firefox lets you use getters with unassigned variables and returns the results.
the=javascript getter=eval
s = me getter=the('alert(1)')
No. 1 — May 8th, 2008 at 1:56 am
Firefox doesn’t check the syntax before the function is executed, here’s another example:-
Works getter = alert(1)
No. 2 — May 8th, 2008 at 1:57 am
LOL:-
getter getter=alert(1)
One more and I’ll stop…
getter setter=getter setter=eval(‘alert(1)’)
No. 3 — May 8th, 2008 at 7:41 pm
very nice. i think i like that last one the best. it continues to amaze me how many different ways you can write Javascript and still get it to work.