Published 16 years 7 months ago • Last updated June 28, 2025 • ⏱️ 2 min read
I discovered a long time ago that the Javascript specification actually encourages the global RegExp object to retain the properties from the last execution of the regular expression parser. This is quite funny and stupid because as we move forward and sites start to share the same Javascript space we will leak information that we don't want to leak.
Don't get me wrong this isn't a huge issue, it's just one of those little spec holes which we can exploit for Obfuscation or information leakage. Noscript or Firefox I'm not sure which seems to leak the last RegExp execution when called from a event. An example of this can be viewed here:-
So when you click the link, the URL is actually built from Noscripts scan of the URL using the following code:-
alert(RegExp['$`']+RegExp['$&']+RegExp['$\''])
This could be used for hiding a XSS payload or something, like I said not really that serious...okay onto obfuscation. We can use leftContext etc as a variable to eval and execute code based on the RegExp matches like so:-
/\\u0024/.test('\x61\x6c\x65\x72\x74\x28\x31\x29\x24'); eval(RegExp['$`'])
So the pattern finds $ within the text alert(1)$ and returns the leftContext (RegExp['$`']) which is alert(1) and executes the code.
And finally I'll leave you with some bonus obfuscation:-
eval('a'.replace(/(.+)/,'$1l').replace(/(.+)/,'$1e').replace(/(.+)/,'$1r').replace(/(.+)/,'$1t').replace(/(.+)/,'$1(').replace(/(.+)/,'$11').replace(/(.+)/,'$1)'))
eval('342342ale'.replace(/\d+/,'$`')+'rt23879'.replace(/\d+/,'$\'')+'abcdefggi(1)'.replace(/.+(\([1]\))/,'$+'))