Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Re: JavaScript that should not run - but does for reasons only Brendan Eich knows - if at all...
Posted by: Gareth Heyes
Date: June 07, 2010 06:09AM

Oh and if you guess what this alerts without running it you are Brendan Eich:-

Object.prototype.__noSuchMethod__=function(s){ alert(s); };
1..*(1)


Answer:-
Object.prototype.__noSuchMethod__=function(s){ eval(s); };1.['alert(1)']()

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 06/07/2010 06:43AM by Gareth Heyes.

Re: JavaScript that should not run - but does for reasons only Brendan Eich knows - if at all...
Date: June 08, 2010 03:07AM

OMG, I'm Brendan Eich!

(1..__proto__.e0=alert)(1.e0)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 1 time(s). Last edit at 06/08/2010 04:16AM by Jonas Magazinius.

Re: JavaScript that should not run - but does for reasons only Brendan Eich knows - if at all...
Posted by: Gareth Heyes
Date: June 09, 2010 08:39AM

http://www.thespanner.co.uk/2010/06/09/can-all-mozilla-people-look-away-now-please/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JavaScript that should not run - but does for reasons only Brendan Eich knows - if at all...
Posted by: sneak
Date: June 11, 2010 04:52AM

a=0*1.1==(<__--1.k:k1.-.1.0.-_-_{_=/. /,_[/$/]=al\u0065rt(7),_=/./,_.*+惺+[((2==6?'':'k'))]==_. (0?0:1)._}_--.0.__-..-_ß_/>)-1|1&0*0*find(9);

ghgh :)

Oh and if you guess what this alerts without running it you are Brendan Eich
Date: June 21, 2010 04:49AM

Oh and if you guess what this alerts without running it you are Brendan Eich:

({set length(_)alert(_),'':[].pop})['']()
({set length(_)alert(_),'':[].push})[''](2)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 1 time(s). Last edit at 06/21/2010 05:06AM by Jonas Magazinius.

Re: Oh and if you guess what this alerts without running it you are Brendan Eich
Posted by: Anonymous User
Date: June 21, 2010 05:38AM

@Jonas Nice!

Re: Oh and if you guess what this alerts without running it you are Brendan Eich
Posted by: Anonymous User
Date: June 29, 2010 05:49PM

Useful sometimes

with({a:alert})(1,a)(1)

Re: Oh and if you guess what this alerts without running it you are Brendan Eich
Posted by: Gareth Heyes
Date: July 13, 2010 11:08AM

eval('ale'+[{}[111111111111111111]]+[]+[123[1111111111111]]+'rt'+[false[true]]+'(1)')

eval('a'+[,]+'l'+[,]+'e'+[,]+'r'+[,]+'t'+[,]+'(1)')

eval('ale'+[[[[[[[,],],],],],],]+'rt'+[[[[[[[,],],],],],],]+'(1)')

eval('a'+[undefined]+'l'+[undefined]+'e'+[undefined]+'r'+[undefined]+'t'+[undefined]+'('+[undefined]+'1'+[undefined]+')')

eval(<_ />.I.guess.this.will+'ale'+[<_ />.be.on.wtf.js]+'rt'+<_ />.in.about.two.years+'(1)')

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 4 time(s). Last edit at 07/13/2010 12:31PM by Gareth Heyes.

Re: Oh and if you guess what this alerts without running it you are Brendan Eich
Posted by: Gareth Heyes
Date: July 15, 2010 05:11AM

var x=1; function y() { x=3; alert(x); return; const x=2;}y()// x == ?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JavaScript that should not run - but does for reasons only Brendan Eich knows - if at all...
Date: July 15, 2010 07:38AM

@Gareth - Do you mean what it will alert or what global x will be equal to after running?

My guess before running it:
alert(3)
x==1

After running it, without spoiling the surprise, WTF!!??!

Edit: Aha! Now I get it.. Nice find!

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 1 time(s). Last edit at 07/15/2010 08:31AM by Jonas Magazinius.

Re: JavaScript that should not run - but does for reasons only Brendan Eich knows - if at all...
Posted by: Gareth Heyes
Date: July 15, 2010 11:27AM

const x=1;function window(){};window.x=2;alert(window.x);// gotta love safari :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JavaScript that should not run - but does for reasons only Brendan Eich knows - if at all...
Date: July 22, 2011 10:24AM

var x=1;
try{
y();
throw 2;
}
catch(x){
function y(){
alert(x);
}
y();
}

What will this alert in Firefox the first, second and third time you execute it?

What will this alert in Chrome?

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JavaScript that should not run - but does for reasons only Brendan Eich knows - if at all...
Posted by: barbarianbob
Date: July 22, 2011 02:06PM

It looks like they're treating blocks differently.

var y=123; { function y(){} }; y;

FF returns: function y() {}

GC returns: 123


Edit:
alert(z); { function z(){} }; alert(z);
//FF errors
//GC alerts "function z(){}" twice

var z=123; alert(z); { function z(){} }; alert(z);
//FF alerts "123", then "function z(){}"
//GC alerts "123" twice


Shouldn't function z(){} be rewritten as var z=function(){} (but inside of the block)? So that once the code goes outside the block, func z() gets kicked out of scope?



Edited 5 time(s). Last edit at 07/22/2011 02:21PM by barbarianbob.

Re: JavaScript that should not run - but does for reasons only Brendan Eich knows - if at all...
Date: July 25, 2011 09:34AM

@barbarianbob: The effect is due to variable declaration hoisting. Your example (good one btw) should translate to the following, according to the ECMAScript standard:

var y;
function y(){}
y=123;
{
}
y;

This is exactly what GC is doing. Firefox does something like this:

var y;
y=123;
{
y=function y(){}
}
y;

Since JS does not have block scoping, we can actually omit the blocks:

var y=123; function y(){}; y;


Explanation for my previous message:
The catch-block introduces a new scope for the caught variable. The hoisting in Chrome pulls the function out of the catch block, which makes x in the function refer to the outer x. In fact, in Chrome there is no way for the function to refer to the caught variable. This is the correct behavior according to the ECMAScript standard, even though it seems counterintuitive. Firefox does not follow the standard and instead creates the function on-the-fly in the catch-block scope.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)
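
Added example (not part of the thread, and not any poster's code): the two translations from the reply above, run side by side with barbarianbob's original snippets. The `run` helper, the `return` endings and the try/catch probe are additions made here; the results for a current ES2015+ engine go beyond the 2011 browsers the thread tested.

```javascript
// Each snippet is compiled with new Function(): its body is sloppy-mode code
// unless it opts into strict mode itself, so the results do not depend on
// how this file is loaded.
function run(body) {
  return new Function(body)();
}

// barbarianbob's snippet, with `return typeof y` in place of the final `y;`.
const original = "var y = 123; { function y(){} }; return typeof y;";

// The translation the reply attributes to the standard and to Chrome:
// the declaration is hoisted first, then the assignment overwrites it.
const hoistedReading = "var y; function y(){} y = 123; { } return typeof y;";

// The translation the reply attributes to Firefox: the function is
// assigned only when control reaches the block.
const inBlockReading = "var y; y = 123; { y = function y(){} } return typeof y;";

function compareReadings() {
  return {
    hoisted: run(hoistedReading),
    inBlock: run(inBlockReading),
    // What the engine running this file does with the untranslated snippet.
    // ES2015 Annex B (sloppy mode) assigns the function to the var binding
    // when the block is evaluated; strict mode keeps it block-scoped.
    engineSloppy: run(original),
    engineStrict: run('"use strict"; ' + original),
  };
}

// barbarianbob's second probe: is z usable before the block is reached?
// "ReferenceError" would mean undeclared; "undefined" means declared, unset.
function probeBeforeAndAfter() {
  return run(
    "var before; try { before = String(z); } catch (e) { before = e.name; }" +
    " { function z(){} } return [before, typeof z];"
  );
}

console.log(compareReadings(), probeBeforeAndAfter());
```

A scanner or sandbox that resolves names with one reading while the target engine uses the other will attribute the wrong value to `y`, so scope modelling is worth checking against the engines actually in use.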
