Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Diminutive JS Code Challenge, from OWASP
Posted by: thornmaker
Date: August 21, 2009 11:52AM

Deadline: September 18th 23:59:59 UTC
Prize: Free ticket to Stockholm, Sweden (OWASP AppSec Research 2010 conference in June 2010)
Details: see http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden and http://owaspsweden.blogspot.com/2009/08/appsec-research-2010-challenge-3.html
Goal: Just like our "Diminutive NoAlNum JS Contest" ( http://sla.ckers.org/forum/read.php?24,28687 ) but you need to alert('owasp')
Submissions: email martin.holst_swende@owasp.org and post comment at http://owaspsweden.blogspot.com/2009/08/appsec-research-2010-challenge-3.html

Re: Diminutive JS Code Challenge, from OWASP
Posted by: Matt Presson
Date: August 21, 2009 12:56PM

Already made my post early this morning.

Re: Diminutive JS Code Challenge, from OWASP
Posted by: Gareth Heyes
Date: August 24, 2009 06:01AM

I wrote a JavaScript variable analysis script which may help people translate some of this code:-

http://www.businessinfo.co.uk/labs/jstimeshift/jstimeshift.html

I plan to make a timeline later on

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive JS Code Challenge, from OWASP
Posted by: holiman
Date: August 24, 2009 01:35PM

Doesn't seem to work for me... Gets these:

Error: [logger.\xC7 = !(logger.\xB5 = !logger.\xC5 + logger.\xC5) + {}][logger.\xC7[logger.\xAA = logger.\xB5[++logger.\xC5] + logger.\xB5[logger.\xC5 - logger.\xC5], logger.\xC8 = logger.\xC5 - ~logger.\xC5] + logger.\xC7[logger.\xC8 + logger.\xC8] + logger.\xAA] is not a function
Source File: http://www.businessinfo.co.uk/labs/jstimeshift/jstimeshift.html
Line: 74

Re: Diminutive JS Code Challenge, from OWASP
Posted by: holiman
Date: August 24, 2009 01:40PM

thornmaker Wrote:
> Prize: Free ticket to Stockholm, Sweden (OWASP
> AppSec Research 2010 conference in June 2010)

Disclaimer: Regarding "ticket to Stockholm" - it's a ticket to the conference. Not all-inclusive or sharp-end across the pacific or nuthin...:)

Re: Diminutive JS Code Challenge, from OWASP
Posted by: Gareth Heyes
Date: August 24, 2009 04:02PM

@holiman

It has a limitation when using undefined values or object properties ATM, but I will fix this

Re: Diminutive JS Code Challenge, from OWASP
Posted by: Gareth Heyes
Date: August 25, 2009 08:14AM

Whoo hoo I'm winning till someone nicks some characters off me

Re: Diminutive JS Code Challenge, from OWASP
Posted by: Reiners
Date: August 25, 2009 10:51AM

heh, I was holding the btoa trick in the back for days (145 chars), now you spoiled it :( but I was wondering anyway why it took so long since everyone could find it in the slackers thread.

my other idea for the "p" was window.location, since you can assume that your url will start with http ... but I got it only down to 175. better than all the tries in the last days with "constructor", but now useless ;)

Re: Diminutive JS Code Challenge, from OWASP
Posted by: Gareth Heyes
Date: August 25, 2009 01:34PM

@Reiners

I should learn :) wait until the contest is nearly over then post, mind you what else do we have up our sleeves ;)

Re: Diminutive JS Code Challenge, from OWASP
Posted by: Matt Presson
Date: August 25, 2009 04:03PM

Is there any trick to generating the character combinations for btoa()?

-Matt



Edited 1 time(s). Last edit at 08/25/2009 04:03PM by Matt Presson.

Re: Diminutive JS Code Challenge, from OWASP
Posted by: Gareth Heyes
Date: August 27, 2009 03:30AM

@Matt

I did a brute force and just tried to get the lowest character in the fewest lengths. To find "p" I just did something like:-

for(var i=150;i<200;i++) {
  if(/p/i.test(btoa(String.fromCharCode(i)))) {
    alert(i);
    break; 
  }
}

If the result can be reversed without throwing errors then you can simply do this:-
atob("eval")
atob("name")

So for example:-
name='alert(1)';
eval(eval(btoa("\x9D\xA9\x9E")))

Awesome :D

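Added example, not part of the thread or any poster's code: a defender-side resolver for the btoa() trick described in the post above. It statically evaluates btoa() calls that take a string literal and flags results that spell an identifier on a watchlist; the watchlist, the function names and the sample script are assumptions constructed for illustration.

```javascript
// Use the platform btoa where it exists; fall back to Buffer on older Node.
const encode = typeof btoa === "function"
  ? btoa
  : (s) => Buffer.from(s, "latin1").toString("base64");

// Hypothetical watchlist of identifiers worth flagging; tune for your rule set.
const WATCHLIST = new Set(["eval", "name", "alert", "Function", "location"]);

// Decode the escapes that matter for this trick: \xNN and \uNNNN.
function unescapeLiteral(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Return every btoa(<string literal>) call with the text it evaluates to.
function resolveBtoaCalls(source) {
  const findings = [];
  const call = /\bbtoa\(\s*(["'])((?:\\.|(?!\1).)*)\1\s*\)/g;
  for (const m of source.matchAll(call)) {
    const raw = unescapeLiteral(m[2]);
    // btoa only accepts code units 0-255; anything else throws at runtime.
    if ([...raw].some((c) => c.charCodeAt(0) > 0xff)) continue;
    const resolved = encode(raw);
    findings.push({
      expression: m[0],
      resolved,
      // No letters or digits in the input: the call exists to hide a word.
      nonAlnumInput: !/[0-9A-Za-z]/.test(raw),
      suspicious: WATCHLIST.has(resolved),
    });
  }
  return findings;
}

// Constructed sample: the payload shape from the post, written with hex escapes.
const SAMPLE = 'name="alert(1)";\neval(eval(btoa("\\x9D\\xA9\\x9E")));\nvar t = btoa("hello");';

for (const f of resolveBtoaCalls(SAMPLE)) {
  console.log(f.expression, "->", f.resolved, f.suspicious ? "[FLAG]" : "");
}
```

A filter that only looks for the literal words eval or name never sees them in this payload, so normalising btoa() output before matching is what makes the rule fire.
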
Re: Diminutive JS Code Challenge, from OWASP
Posted by: Matt Presson
Date: August 27, 2009 10:22AM

Thanks Gareth. I had previously tried your first suggestion, but with a larger data set.


-Matt
