Archives for the ‘javascript’ Category

Breaking HTML parsers for fun

I was experimenting with some HTML vectors to break the various HTML parsers in the browsers. I wanted to continue until I found a cool one for Firefox, because I like to bully the memory-hogging browser, as I use it a lot. I found some weird rendering in Firefox, Chrome and Opera. It started […]

JSReg bypasses

I set a cool Hackvertor challenge on slackers. The idea was to call the function defined in window. There is a perfectly legitimate way of doing this, as I discovered the method when I was testing it; instead of fixing it I created the challenge. Stefano Di Paola of course figured it out, nice work […]

New Hackvertor upgrade

It’s been a while since the last Hackvertor update; you might have noticed that the old one hasn’t changed in a while. This is because I’ve finally moved it over to the new one, with a bunch of new features. I’ll give you a run-down of the new tags and features I’ve added. I still […]

String replace JavaScript bad design

After using JavaScript for a while, one of the worst parts I found was the String.replace function. When I realized its behaviour I thought to myself, someone is going to use this wrong. The function itself is excellent, I use it all the time, as you could probably tell from my code. It is far […]
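The behaviour the post is getting at is the special replacement patterns in String.prototype.replace: when the replacement argument is a string, `$&`, `` $` ``, `$'`, `$1`..`$99` and `$$` are expanded, so untrusted text used as a replacement can pull surrounding content back in or put the matched text back. The following is an added example, not code from the original post; the redaction and template functions and their sample inputs are constructed for the demonstration.

```javascript
// Added example (not from the original post). When the replacement argument
// of String.prototype.replace is a string, the engine expands these patterns:
//   $&  the matched text          $`  the text before the match
//   $'  the text after the match  $1..$99  capture groups   $$  a literal "$"
// A function replacer is inserted verbatim, so it is the safe form for
// untrusted text.

// Constructed sample: redact a secret from a log line with a marker that is
// treated as user-controlled for the demonstration.
function redactNaive(line, secret, marker) {
  // BUG: `marker` is a replacement pattern, so "$&" re-inserts the secret.
  return line.replace(secret, marker);
}

function redactSafe(line, secret, marker) {
  // The function's return value is inserted literally, no pattern expansion.
  return line.replace(secret, () => marker);
}

// Alternative when a string replacement is unavoidable: double every "$".
// The replacement "$$$$" is itself a pattern yielding the two characters "$$",
// which a later replace() reads back as one literal "$".
function escapeReplacement(text) {
  return text.replace(/\$/g, "$$$$");
}

// Constructed sample: fill a template placeholder with a user-supplied value.
// "$'" in the value copies everything after the placeholder into the output.
function fillNaive(template, value) {
  return template.replace("{{name}}", value);
}

function fillSafe(template, value) {
  return template.replace("{{name}}", () => value);
}

const line = "token=abc123 user=bob";
console.log(redactNaive(line, "abc123", "[REDACTED]")); // token=[REDACTED] user=bob
console.log(redactNaive(line, "abc123", "$&"));         // token=abc123 user=bob (secret survives)
console.log(redactSafe(line, "abc123", "$&"));          // token=$& user=bob

const tpl = "Hello {{name}}, your reset code is 4711";
console.log(fillNaive(tpl, "$'")); // Hello , your reset code is 4711, your reset code is 4711
console.log(fillSafe(tpl, "$'"));  // Hello $', your reset code is 4711
console.log(fillNaive(tpl, escapeReplacement("$'"))); // Hello $', your reset code is 4711
```

Note also that a string pattern (as opposed to a regex with the `g` flag) only replaces the first occurrence, which is the other half of the surprise; the function-replacer form avoids the pattern expansion but not that.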

XSS Zones

One of the impossible problems of the web is how to protect a site that has a persistent XSS hole yet requires JavaScript to function. I thought about this for a while and worked out that you could create an XSS zone where you expect user input. Declaring a zone is tricky because if you […]

One vector to rule them all

I set myself a fun challenge to create a vector that would execute in many contexts. The idea being that it should work regardless of where it’s placed. For example: "xss" 'xss' <tag alt="xss"> As an added challenge I tried to execute only the one payload and, where possible, to use a single eval. I had […]

Function is the new window

I discovered while reading some Firefox code that E4X allows you to call standard functions by using the special function:: namespace. This is cool! We can now define setters etc. on the XML prototype and call functions on E4X objects. It looks like this: <></>.function::toString(); Would Firefox be crazy enough to include this special namespace on […]

setTimeout and setInterval

Not posted for a while and you may have missed this on twitter. setTimeout("MsgBox 1",0,'VBS'); Cool, so setTimeout supports VBScript as an argument. Yeah I can read MSDN 🙂 but JScript.Encode!!! Yet another place. I wonder what else remains undiscovered…. setTimeout("#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@",0,'JScript.Encode'); setInterval("#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@",0,'JScript.Encode');

Setters using VBS and constant hacks

I wasn’t gonna blog this because I couldn’t be bothered, but Mario asked me if I had it documented anywhere and I guess it’s nice to have it somewhere. So I was looking to create setters in legacy browsers like IE7, and it would be nice to use them on custom objects in IE8. I […]

Sandboxed DOM API

I finally sat down and started work on a sandboxed DOM API. Originally I was just going to develop a new framework because the DOM is messy, but instead I decided it would be cool to have a safe simulated DOM and build a framework on top of that. It isn’t complete yet […]