Archives for the ‘javascript’ Category

DOM Clobbering

The DOM is a mess. In an effort to support legacy quick shortcuts such as “” etc., the browsers have created a Frankenstein monster. This is well known of course, but I just wonder how far the rabbit hole goes. I’m gonna share what I discovered over the years. HTML Collections First up is […]

MentalJS for PHP

I decided to convert MentalJS to PHP so that the parsing can happen server side and maybe even later on allow JavaScript execution inside PHP. I found PHP really slow, and it has poor support for creating parsers. As an example, I found that parsing jQuery in PHP took around 3.6-4 seconds whereas JavaScript took 100ms, […]

Opera x-domain with video tutorial

This is a pretty awesome x-domain I found and reported to Opera. It should be fixed in the latest version. Opera was leaking more properties than it should on an x-domain location, but the flaw was interesting because Opera prevented access to functions like alert etc., so it wasn’t directly exploitable; however, by using literal […]

Sandboxing and parsing jQuery in 100ms

I’ve been on a mission to create a reliable JavaScript sandbox. I started off writing one with regular expressions, which was flawed because of the inability to match whole expressions and matching characters. That sandbox was called JSReg; it was broken by the very best js hackers (Alexey Silin, Jonas Magazinius, Mario Heiderich, Eduardo Vela, […]

MentalJS Sandbox/Parser

I was driving in the car on my own, waiting at a lot of traffic lights, and I suddenly had an idea: to take the work I did in JSReg and make a real parser by matching starting and ending characters. I began to code it in my head as I was sitting at the lights. […]

Firefox knows what your friends did last summer

Update… Mozilla have now fixed the problem, on Thursday. Not only did they take down the original release, but they fixed it very quickly, within two days, which is very impressive. Good work! I was writing some JavaScript and found that the following happens: /undefined/.test(undefined) // true. The undefined value is converted to a string and then the […]

Hacking caja part 2

I was asked for a “real” exploit on Caja by one of the devs after my previous post. I opened up my custom Caja hacker inspector and inspected the window, or fake window. I began looking through each object/function and noticed the setTimeout code. I wondered if they had made the same mistake as me and […]

Caja hacking

As you probably know, I love JavaScript sandboxes and I spend a lot of spare time playing around with them on the net. One of them is Google Caja; if you don’t know what it is, here is the description from the project: “The Caja Compiler is a tool for making third party HTML, CSS […]

Multi-context XSS injection contest

I started to wonder a while ago how you could produce a vector that executed in many contexts. It’s cool because you can limit the number of requests an automated scanner uses without a high failure rate; you can even reduce the failure rate further by making the vector as small as possible, because some filters have […]

Code mutation experiments

As a little hobby I’ve been really into code mutation and getting computers to write their own code; well, at least that’s the goal anyway. What really interests me is whether you can give a computer a really small amount of code and yet get it to construct something itself. I think this is pretty […]