Archives for the ‘javascript’ Category

My RegExp is still leaking

The great thing about standards is that sometimes they are blindly followed and it’s not until maybe years down the line that you realise they got it wrong. Personally I think standards should be organically developed in code then defined in a standard once the various flaws have been ironed out. Every standard should use […]

Facebook sandbox escape

My friend mario (he who never blogs) found XSS in facebook a couple of times. This tempted me to look at their sandbox, I didn’t register for an account but just tried breaking their FBML console. They have their own FBML (Facebook markup language) which is just a basic HTML/CSS and a separate Javascript sandbox […]

HTML5 new XSS vectors

So I posted some new XSS vectors on twitter and I thought I’d share them on the blog in case anyone missed them. Safari, Chrome and Opera all support these now 🙂 We have a brand new way of auto executing XSS. Normally when you find a XSS hole within an input element that has […]

Ping pong obfuscation

This is a fun post about a feature I found in IE that allows you to do some crazy obfuscation. I’ll start off with some simple examples:- <img src=1 language=vbs onerror=msgbox+1> <img src=1 language=vbscript onerror=msgbox+1> <img src=1 onerror=vbs:msgbox+1> So here we’re not obfuscating but I’m showing how IE accepts the language attribute and a labelled […]

My RegExp is leaking

I discovered a long time ago that the Javascript specification actually encourages the global RegExp object to retain the properties from the last execution of the regular expression parser. This is quite funny and stupid because as we move forward and sites start to share the same Javascript space we will leak information that we […]

Javascript compression with unicode characters

For some random reason I was making a base999 number compression function, I think it was because someone posted on sla.ckers about base 62. I wanted to see how far I could compress the numbers using a higher range of characters, then it hit me. Why not use it for js compression 🙂 You see […]

Fresh prototypes on all browsers

So there’s a well known technique for getting Object prototypes that are not from the current window which results in a fresh prototype. You use iframes to copy the required prototype from the iframe.contentWindow BUT…It doesn’t work in all browsers and it’s pretty silly having to copy each object manually, why not just use the […]

Creating HTML listeners with JSReg and Hackvertor

JSReg has grown up a bit since I released the first version. You can now use it to monitor malicious javascript. I have a very basic example of this in Hackvertor, at the moment Hackvertor doesn’t support callbacks so it’s a bit of a hack but you will get the idea. I use __defineSetter__ to […]

JSReg update

Big thanks! I’ve done lots of updates to JSReg with some fantastic help from kangax, sirdarckcat, Thornmaker and mario. Mario found some cool parsing bugs, sirdarckcat helped with some exploits that assigned to window 🙂 and also provided some awesome code ideas and bugs. Thornmaker found ternaries cause problems with my object detection. I’d also […]

Hidden Firefox properties revisited

This is the first time I’ve looked at the Firefox source, really! 🙂 I wanted to find all the hidden properties Firefox has in Javascript. It was first pointed out to me by DoctorDan on the slackers forums when he found that the RegExp literal had a -1 value for the source in Firefox 2. […]