Javascript getters hacking

I’m a big fan of strange looking Javascript and using the syntax in ways it wasn’t intended, so I can understand the internals of what’s going on. Tonight I was having trouble sleeping and I decided to try and bypass the PHPIDS, I found that Firefox lets you use getters with unassigned variables and returns the results.

the=javascript getter=eval
s = me getter=the('alert(1)')

3 Responses to “Javascript getters hacking”

  1. Gareth Heyes writes:

    Firefox doesn’t check the syntax before the function is executed, here’s another example:-
    Works getter = alert(1)

  2. Gareth Heyes writes:


    getter getter=alert(1)

    One more and I’ll stop…
    getter setter=getter setter=eval(‘alert(1)’)

  3. rob writes:

    very nice. i think i like that last one the best. it continues to amaze me how many different ways you can write Javascript and still get it to work.