I lost inspiration for coding a while ago and had this idea I was sitting on for a while, I’m often stuck at the design stage before I write a line of code and I will refuse to continue without a clear picture in my head on how an app is going to work. After [...]

HTML5 decided to introduce a load of new entities, I dunno why maybe they thought it wasn’t hard enough to protect against the original ones we had already. Anyway Firefox has a bug or “feature” that allows NULLS inside the entities. I tweeted it but if I don’t post it here it will probably be [...]

The static HTML property allows you to get/set filtered HTML directly on the DOM object you’re using. The browser vendors don’t support this property yet, IE has a toStaticHTML function and Firefox via the Noscript plugin emulates toStaticHTML but doesn’t allow you to set/get directly, so I decided to create a JavaScript version that can [...]

I had fun at OWASP Manchester, my talk went really well. Getting more confidence with talks now I think. I have a tendency to rush through and get ahead slightly sometimes but overall I did much better and had some great feedback along with some very interesting questions. Enjoy the slides! Here are my non-alphanumeric [...]

Just a quick post to mention the excellent work by Norman Hippert aka @thewildcat, he successfully converted my Javascript based CSSReg into PHP. I was meaning to do this but never found the time so it’s pretty awesome that not only did thewildcat convert the code but found some nice bugs in my code and [...]

It appears this unicode monster keeps chomping away at JavaScript parsers, this time it’s chrome. There was an excellent post from jack masa about JavaScript comments. In it he describes how chrome allows any character which ends in 2a or 2f \uxx2a+\u002f to be used as a “*” or “/”. Pretty crazy I’m sure you’ll [...]

I saw this post from Thomas Stig Jacobsen. He uses eval to decompile the code, I thought there has to be a better way so in literally about 30 minutes I managed to do it after a few tweaks to the JSReg code base. What does non-alphanumeric JavaScript look like? $=~[];$={___:++$,$$$$:(![]+”")[$],__$:++$,$_$_:(![]+”")[$],_$_:++$,$_$$:({}+”")[$],$$_$:($[$]+”")[$],_$$:++$,$$$_:(!”"+”")[$],$__:++$,$_$:++$,$$__:({}+”")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+”")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+”")[$.__$])+((!$)+”")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!”"+”")[$.__$])+($._=(!”"+”")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!”"+”")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+”\”"+$.$_$_+(![]+”")[$._$_]+$.$$$_+”\\”+$.__$+$.$$_+$._$_+$.__+”(\\\”\\”+$.__$+$.__$+$.___+$.$$$_+(![]+”")[$._$_]+(![]+”")[$._$_]+$._$+”,\\”+$.$__+$.___+”\\”+$.__$+$.__$+$._$_+$.$_$_+”\\”+$.__$+$.$$_+$.$$_+$.$_$_+”\\”+$.__$+$._$_+$._$$+$.$$__+”\\”+$.__$+$.$$_+$._$_+”\\”+$.__$+$.$_$+$.__$+”\\”+$.__$+$.$$_+$.___+$.__+”\\\”\\”+$.$__+$.___+”)”+”\”")())(); Produced by my friend [...]

ES5 has decided for whatever reason to treat \u2028 and \u2029 (line/paragraph separators) as a new line in JavaScript this makes it in-line with regex “\s” character class. The JSON specification (to my knowledge) wasn’t changed. So although it mentions escaping characters within strings it isn’t a requirement. This means we’re left with \u2028 and [...]

A few months ago some very talented people called Jonas Magazinius aka @internot_ and Alexey Silin aka @lever_one broke JSReg. Maybe broke is the wrong word obliterated is more accurate. This was very humbling for me, I knew it wasn’t perfect this is why I tried to tempt them to break it by stating it [...]

There isn’t a lot of information about JSON hijacking out there at the minute, I will aim to provide a “news update” on the state of publicly known techniques. First off I will give a quick overview of how JSON data can be stolen and explain how JavaScript reads JSON. JavaScript’s quirky nature There is [...]