Archives for the ‘Security’ Category

Non-Alpha PHP in 6-7 charset

Alex Inführ has a pretty awesome blog post on how to execute non-alpha PHP with only $_=+();. Pretty amazing stuff, please check it out here: Non-Alpha PHP in 6-7 charset. To create assert it would be 99 MB! Hehe.

Tweetable PHP-Non Alpha

I started to try and break the 10 charset limit of PHP non-alpha after @InsertScript showed me that PHP Dev supports [] syntax for arrays. I wondered if it would be possible to break the limit within production PHP. At first I thought you could, but after some testing I found that there was […]

MentalJS for PHP

I decided to convert MentalJS to PHP so that the parsing can happen server side and maybe even later on allow JavaScript execution inside PHP. I found PHP really slow, with poor support for creating parsers. As an example, I found that parsing jQuery in PHP took around 3.6-4 seconds whereas JavaScript took 100 ms, […]

Opera x-domain with video tutorial

This is a pretty awesome x-domain I found and reported to Opera. It should be fixed in the latest version. Opera was leaking more properties than it should on an x-domain location, but the flaw was interesting because Opera prevented access to functions like alert etc., so it wasn’t directly exploitable; however, by using literal […]

Sandboxing and parsing jQuery in 100ms

I’ve been on a mission to create a reliable JavaScript sandbox. I started off writing one with regular expressions, which was flawed because regular expressions cannot match whole expressions or pair up matching start and end characters. That sandbox was called JSReg, and it was broken by the very best JS hackers (Alexey Silin, Jonas Magazinius, Mario Heiderich, Eduardo Vela, […]

MentalJS Sandbox/Parser

I was driving in the car on my own, stopped at a lot of traffic lights, and I suddenly had an idea: to take the work I did in JSReg and make a real parser by matching starting and ending characters. I began to code it in my head as I was sitting at the lights. […]

Firefox knows what your friends did last summer

Update: Mozilla have now fixed the problem, on Thursday. Not only did they take down the original release, they also fixed it very quickly, within two days, which is very impressive. Good work! I was writing some JavaScript and found that the following happens: /undefined/.test(undefined) // true. The undefined value is converted to a string and then the […]

Hacking caja part 2

I was asked for a “real” exploit on Caja by one of the devs after my previous post. I opened up my custom Caja hacker inspector and inspected the window, or rather the fake window. I began looking through each object/function and noticed the setTimeout code. I wondered whether they had made the same mistake as me and […]

Caja hacking

As you probably know, I love JavaScript sandboxes and I spend a lot of spare time playing around with them on the net. One of them is Google Caja; if you don’t know what it is, here is the description from the project: “The Caja Compiler is a tool for making third party HTML, CSS […]

PHP nonalpha tutorial

My first post on PHP non-alphanumeric code was a bit brief; in the excitement of the discovery I failed to detail the process in depth. I’ve decided to follow up with a tutorial and hopefully explain the process better for anyone wanting to learn or improve the technique. The basis of PHP non-alphanumeric code […]