I saw this post from Thomas Stig Jacobsen. He uses eval to decompile the code, I thought there has to be a better way 🙂 so in literally about 30 minutes I managed to do it after a few tweaks to the JSReg code base. What does non-alphanumeric JavaScript look like? $=~[];$={___:++$,$$$$:(![]+””)[$],__$:++$,$_$_:(![]+””)[$],_$_:++$,$_$$:({}+””)[$],$$_$:($[$]+””)[$],_$$:++$,$$$_:(!””+””)[$],$__:++$,$_$:++$,$$__:({}+””)[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+””)[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+””)[$.__$])+((!$)+””)[$._$$]+($.__=$.$_[$.$$_])+($.$=(!””+””)[$.__$])+($._=(!””+””)[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!””+””)[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+”\””+$.$_$_+(![]+””)[$._$_]+$.$$$_+”\\”+$.__$+$.$$_+$._$_+$.__+”(\\\”\\”+$.__$+$.__$+$.___+$.$$$_+(![]+””)[$._$_]+(![]+””)[$._$_]+$._$+”,\\”+$.$__+$.___+”\\”+$.__$+$.__$+$._$_+$.$_$_+”\\”+$.__$+$.$$_+$.$$_+$.$_$_+”\\”+$.__$+$._$_+$._$$+$.$$__+”\\”+$.__$+$.$$_+$._$_+”\\”+$.__$+$.$_$+$.__$+”\\”+$.__$+$.$$_+$.___+$.__+”\\\”\\”+$.$__+$.___+”)”+”\””)())(); Produced by my […]

ES5 has decided for whatever reason to treat \u2028 and \u2029 (line/paragraph separators) as a new line in JavaScript this makes it in-line with regex “\s” character class. The JSON specification (to my knowledge) wasn’t changed. So although it mentions escaping characters within strings it isn’t a requirement. This means we’re left with \u2028 and […]

A few months ago some very talented people called Jonas Magazinius aka @internot_ and Alexey Silin aka @lever_one broke JSReg. Maybe broke is the wrong word obliterated is more accurate. This was very humbling for me, I knew it wasn’t perfect this is why I tried to tempt them to break it by stating it […]

There isn’t a lot of information about JSON hijacking out there at the minute, I will aim to provide a “news update” on the state of publicly known techniques. First off I will give a quick overview of how JSON data can be stolen and explain how JavaScript reads JSON. JavaScript’s quirky nature There is […]

Whilst writing my own parser I found weird things in Opera’s JavaScript parser. I was testing what the various browsers allowed with unicode escapes and it turns out Opera seems more lax than others. My discovery began with the following code: try {eval(“\\u0066\\u0061\\u006c\\u0073\\u0065”);} catch(e) {alert(e);} What do you expect the undefined variable to be? It’s […]

Thanks Pádraic So I hope you’ve enjoyed our blog fight between me and Pádraic Brady. I sense a lack of a sense if humour in his last post 🙁 his blanket claims that regex html validation sucks were obviously unjustified. Anyway I was waiting for a cool XSS hole in HTMLReg from him, it never […]

Dear Pádraic Brady, I have not received any emails with any exploits, I am disappointed I want my HTML regex sanitiser to be broken please. Apparently you can find 2-5 vulnerabilities per solution so please execute XSS in my regex. Thanks! I’ll be very impressed if you do and I will promise to dedicate a […]

So I came across a cool post to hack the new HTML5 parser that Opera is developing, it is awesome that a vendor says hey c’mon look what we’ve done, please try and break our stuff. I couldn’t resist having a go as they asked so nicely and within minutes…. <a href=”jav&#65ascript:alert(1)”>test1</a> <a href=”jav&#97ascript:alert(1)”>test2</a> That’s […]

I’ve had requests to create a Hackvertor API to allow you to embed it on your own sites, so I’ve created one. It uses postMessage to communicate and you can set the width, height, top, left and callback for your output. The code looks like this:- Hackvertor.write({top:’0px’,left:’300px’,width:’700px’,height:’400px’, callback:function(str) { document.getElementById(‘output’).value=str; }}); This will write a […]

You might remember my XSS Rays bookmarklet I developed a while ago, I got nagged by a few of you to fix some things in it. Well it was crappy because it was bookmarklet based so I didn’t bother. Instead I decided to create a Chrome extension and revamp the features. So here it is […]