Archives for the ‘Security’ Category

Decoding non-alphanumeric code with Hackvertor

I saw this post from Thomas Stig Jacobsen. He uses eval to decompile the code; I thought there had to be a better way, so in literally about 30 minutes I managed to do it after a few tweaks to the JSReg code base. What does non-alphanumeric JavaScript look like? $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+",\\"+$.$__+$.___+"\\"+$.__$+$.__$+$._$_+$.$_$_+"\\"+$.__$+$.$$_+$.$$_+$.$_$_+"\\"+$.__$+$._$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\\"\\"+$.$__+$.___+")"+"\"")())(); Produced by my friend [...]

The JSON specification is now wrong

ES5 has decided, for whatever reason, to treat \u2028 and \u2029 (line/paragraph separators) as a new line in JavaScript; this makes it in line with the regex "\s" character class. The JSON specification (to my knowledge) wasn’t changed. So although it mentions escaping characters within strings, it isn’t a requirement. This means we’re left with \u2028 and [...]

JSReg down but not out

A few months ago some very talented people called Jonas Magazinius aka @internot_ and Alexey Silin aka @lever_one broke JSReg. Maybe broke is the wrong word; obliterated is more accurate. This was very humbling for me. I knew it wasn’t perfect; this is why I tried to tempt them to break it by stating it [...]

JSON Hijacking

There isn’t a lot of information about JSON hijacking out there at the minute, so I will aim to provide a “news update” on the state of publicly known techniques. First off I will give a quick overview of how JSON data can be stolen and explain how JavaScript reads JSON. JavaScript’s quirky nature: There is [...]

Opera parser monster eats unicode

Whilst writing my own parser I found weird things in Opera’s JavaScript parser. I was testing what the various browsers allowed with unicode escapes, and it turns out Opera seems more lax than others. My discovery began with the following code: try {eval("\\u0066\\u0061\\u006c\\u0073\\u0065");} catch(e) {alert(e);} What do you expect the undefined variable to be? It’s [...]

DOM sandboxing talk

I did a talk in Leeds about DOM sandboxing with regular expressions; it went ok. I’m not the best speaker to be honest, but with a bit more practice I’ll get there. Here are the slides: PDF version, PowerPoint slides

Blog fight round two

Thanks Pádraic. So I hope you’ve enjoyed our blog fight between me and Pádraic Brady. I sense a lack of a sense of humour in his last post; his blanket claims that regex HTML validation sucks were obviously unjustified. Anyway, I was waiting for a cool XSS hole in HTMLReg from him; it never came [...]

Regex HTML Sanitisation can work

Dear Pádraic Brady, I have not received any emails with any exploits. I am disappointed; I want my HTML regex sanitiser to be broken, please. Apparently you can find 2-5 vulnerabilities per solution, so please execute XSS in my regex. Thanks! I’ll be very impressed if you do, and I will promise to dedicate a [...]

Hackvertor supports OAuth

I’ve finally added Twitter OAuth support in Hackvertor; you can now log in via Twitter to save you from remembering yet another set of creds. I plan to use the Twitter features to enable realtime sharing of HVURLs and interface, maybe games and challenges too eventually. All points are reset, but if you log in and tell [...]

How do you spell JavaScript again?

So I came across a cool post to hack the new HTML5 parser that Opera is developing. It is awesome that a vendor says hey, c’mon, look what we’ve done, please try and break our stuff. I couldn’t resist having a go as they asked so nicely, and within minutes… <a href="jav&#65ascript:alert(1)">test1</a> <a href="jav&#97ascript:alert(1)">test2</a> That’s [...]