Q and A for any cross site scripting information. Feel free to ask away. 

Current Page: 1 of 2
Results 1 - 30 of 59
4 years ago
kangax
@Gareth I see. Well, you could always choose an identifier consisting of random characters, to lower the chance of collisions. Create it dynamically like this, for example — '$' + (Math.random() + '').slice(2)
Forum: XSS Info
4 years ago
kangax
Looks like your $A$ — the one that's used for array creation — leaks into the rest of the user code:
function A(){ return 1 } [0](); // should return 1, not throw error
Oh, and I assume experimental array support is in the main app now, right? (http://www.businessinfo.co.uk/labs/jsreg/arrays/jsreg.html seems to be gone)
Forum: XSS Info
4 years ago
kangax
Another bug :) /]; // throws Error but shouldn't
Forum: XSS Info
4 years ago
kangax
I don't think it's ready yet...
[{},{}[[]]]; // errors out, but shouldn't
Forum: XSS Info
4 years ago
kangax
How about taking care of trailing commas? `[1,]` gives error but shouldn't.
Forum: XSS Info
4 years ago
kangax
Doesn't this return a `window` now? []['toString']()
Forum: XSS Info
4 years ago
kangax
I get error with this: [[1,1][1],[1]]
Forum: XSS Info
4 years ago
kangax
@Gareth Is there a list of things that are NOT part of jsreg — array literals, valueOf, etc.? Also, what happened to `for-in`? Doesn't work again:
var o = { x: 1 }; for (var p in o) alert(p); // alerts "JSREG_ITEM"
Something like this seems to trip the parser too:
({})[/\u0027/];
Forum: XSS Info
4 years ago
kangax
@Gareth Gotcha :)
Forum: XSS Info
4 years ago
kangax
What about: [].slice.call([1,2,3], 1)[0]; // `undefined`, should be `2`
Forum: XSS Info
4 years ago
kangax
I can't break it, but I still see bugs :)
({ toString: 1 }).hasOwnProperty('toString'); // false, should be true
[1,2]['length']; // 1, should be 2
And btw, it also breaks []-based type-inference (not sure if you care about that).
Object.prototype.toString.call(function(){}); // "" not ""
Forum: XSS Info
4 years ago
kangax
@Gareth, @LeverOne Thanks. @LeverOne FWIW, Opera one with onerror works with 10.10 and lower, but not in upcoming 10.50 (tested in beta on mac).
Forum: XSS Info
4 years ago
kangax
Ah, of course... Thanks, I completely forgot about that :) Now the only question is why does this alert in Opera (10.x), but not in WebKit (nightly) or FF (3.6)? xttp://swapalease.com/lease/details/2010BMWX5.aspx?salid=" style="position:absolute;left:0;top:0;width:100%;height:100%;z-index:9999" onmousemove="alert(1);">
Forum: XSS Info
4 years ago
kangax
Noticed XSS on swapalease.com (e.g. http://swapalease.com/lease/details/2010BMWX5.aspx?salid=" onclick="alert(1);return false;"). Value of "salid" parameter is inserted into anchor's attribute, but quotes are not escaped, so it's possible to do something with "onclick" or "onmouseover". But now I'm curious if it's possible to break even more out of this
Forum: XSS Info
4 years ago
kangax
@Gareth Are you sure you want to trust native JSON parser? :)
Forum: XSS Info
4 years ago
kangax
Isn't negative slice broken in IE?
Forum: XSS Info
4 years ago
kangax
@Gareth So to create array with 1 numeric value, say — [2] — one would need to do something like — `var a = Array(); a[0] = 2`?
Forum: XSS Info
5 years ago
kangax
We need a way to create an AST from a string of javascript code - all with javascript. I was just thinking about something like that recently. Too bad I'm not very familiar with compilers/parsers. If we have the AST of a program, then there is obviously no ambiguity between property accessors and array initializers. Otherwise, there will probably always be a way to fool a sandbox parser.
Forum: XSS Info
5 years ago
kangax
Found another parser bug :)
x=4/2/2/*/*/; // expected: 1, actual: SyntaxError
Forum: XSS Info
5 years ago
kangax
Also, `Error` doesn't seem to be implemented; and it's impossible to extend built-in prototypes:
Array.prototype.sum = function(){ var result = 0, i = this.length; while (i--) result += this[i]; return result; };
[1,2,3].sum(); // expected: 6, actual: TypeError
Forum: XSS Info
5 years ago
kangax
Speaking of `valueOf`:
var o = { valueOf: function(){ return 1; } };
o + 1; // expected: 2, actual: 1
Forum: XSS Info
5 years ago
kangax
Gareth, in case you don't know, Mozilla finally got around to taking care of the negative indices hole that you blogged about https://bugzilla.mozilla.org/show_bug.cgi?id=507453
Forum: XSS Info
5 years ago
kangax
Quote:
My problem is this:
var Number = function(v) { this.x=function() { alert(1); }; this.valueOf=function() { return v } };
Number.prototype=window.Number;
(new Number(1)+new Number(1)).x() // is not called :(

Yeah. `(new Number(1))` is your object here, but the addition operator invokes this object's `valueOf`, which returns `1` (of type Number, of course). The same happens with the other operand.
Forum: XSS Info
5 years ago
kangax
Yep, seems fixed now. But here's something else:
for (var p in function(){}) p; // SyntaxError
and `inOperator` is still being iterated over in for-in
Forum: XSS Info
5 years ago
kangax
({ toString: 1 }).hasOwnProperty('toString'); // expected: true, actual: false
Forum: XSS Info
5 years ago
kangax
Is it already fixed?
({}).hasOwnProperty('x'); // still gives `true`
Forum: XSS Info
5 years ago
kangax
Allrighty :)
({ x: 1 }).hasOwnProperty('x'); // false, should be true
({}).hasOwnProperty('toString'); // true, should be false
Forum: XSS Info
5 years ago
kangax
for(var p in((/x/))) p; // ParseError
for (p in[1,2,o=/x/]) p; // ParseError
for(p in-1) p; // ParseError
for((p)in({})) p; // ParseError
Forum: XSS Info
5 years ago
kangax
That one seems to work now, but something like this still fails:
[[[1,2,3][1,2]][0]]; // expected: [3], actual: SyntaxError
Also, is it something on my side or is for-in broken again?
for (var p in {}) p; // ParseError
Forum: XSS Info
5 years ago
kangax
No problem. Here's another batch for you : )
'x' in/x/; // expected: false, actual: SyntaxError
'x'in((((({x:1}))))) // expected: true, actual: SyntaxError
'x','y'in{'y':1}; // expected: true, actual: SyntaxError
Speaking of the comma operator (as in the last example), is it even supported? I see another case where it fails:
[1,2,3][1,2]; // expected: 3, actual: 2
Forum: XSS Info
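The bug reports in this thread are, taken together, a conformance suite for a JavaScript sandbox rewriter: each snippet has one value a conforming engine returns, and a rewrite that changes that value has changed the program's meaning (the comma operator inside brackets, `valueOf` coercion, own-property checks, comments after a division chain). The block below is an added example, not code from the thread or from JSReg, and the names `evalReference`, `checkSandbox`, `identityTransform` and `naiveIndexRewrite` are its own. It uses the host engine (`new Function`) as the reference oracle, runs every snippet through a caller-supplied rewrite, and reports the divergences; the naive bracket rewrite is constructed here to reproduce the exact `[1,2,3][1,2]` mismatch reported above (expected 3, got 2).

```javascript
'use strict';

// Added example (not from the sla.ckers thread or JSReg). Each case pairs a
// snippet from the bug reports with the value a conforming ECMAScript engine
// returns. Snippets that need statements carry their own `return`.
const CASES = [
  // comma operator inside brackets is an index expression, not an array literal
  { src: '[1,2,3][1,2]', expected: 3 },
  { src: '[[[1,2,3][1,2]][0]]', expected: [3] },
  // a trailing comma does not add an element
  { src: '[1,].length', expected: 1 },
  // block comment directly after a division chain: /*/*/ is one comment
  { src: 'var x = 4/2/2/*/*/; return x', expected: 1 },
  // `in` with a regex literal, a parenthesised literal and the comma operator
  { src: "'x' in /x/", expected: false },
  { src: "'x' in ((((({x:1})))))", expected: true },
  { src: "'x','y' in {'y':1}", expected: true },
  // own-property checks on object literals
  { src: "({ toString: 1 }).hasOwnProperty('toString')", expected: true },
  { src: "({}).hasOwnProperty('toString')", expected: false },
  { src: "({}).hasOwnProperty('x')", expected: false },
  { src: "[1,2]['length']", expected: 2 },
  // generic slice, valueOf coercion, {}[[]] as a property access with key ""
  { src: '[].slice.call([1,2,3], 1)[0]', expected: 2 },
  { src: 'var o = { valueOf: function(){ return 1; } }; return o + 1', expected: 2 },
  { src: '[{},{}[[]]][1]', expected: undefined },
  { src: "[]['toString']()", expected: '' },
  { src: 'for (var p in {}) p; return "ok"', expected: 'ok' },
];

// Reference oracle: the host engine evaluates the (possibly rewritten) snippet.
function evalReference(src) {
  const body = /\breturn\b/.test(src) ? src : 'return (' + src + ');';
  return new Function(body)();
}

// Structural equality for the primitives and arrays used in CASES.
function sameValue(a, b) {
  if (Array.isArray(a) && Array.isArray(b)) {
    return a.length === b.length && a.every((v, i) => sameValue(v, b[i]));
  }
  return Object.is(a, b);
}

// Runs every case through `transform` (the sandbox rewrite under test) and
// returns the divergences; an empty list means every snippet kept its meaning.
// A parse or runtime error is recorded by its constructor name, which is what
// the posts above report ("actual: SyntaxError").
function checkSandbox(transform) {
  const failures = [];
  for (const c of CASES) {
    let actual;
    try {
      actual = evalReference(transform(c.src));
    } catch (e) {
      actual = e.constructor.name;
    }
    if (!sameValue(actual, c.expected)) {
      failures.push({ src: c.src, expected: c.expected, actual });
    }
  }
  return failures;
}

// A rewrite that changes nothing must pass every case.
const identityTransform = (src) => src;

// Constructed for this example: a regex-based rewrite that wraps the contents
// of every bracket following `]`, `)` or an identifier in String(...), the kind
// of token-level guess a non-AST sandbox makes. String(1,2) is "1", so
// [1,2,3][1,2] becomes element 1 (value 2) instead of element 2 (value 3).
const naiveIndexRewrite = (src) =>
  src.replace(/(\]|\)|\w)\[([^\[\]]+)\]/g, '$1[String($2)]');

function report(transform) {
  const failures = checkSandbox(transform);
  for (const f of failures) {
    console.log(f.src, '=> expected', f.expected, 'actual', f.actual);
  }
  return failures.length;
}

report(identityTransform);   // 0 divergences
report(naiveIndexRewrite);   // 2 divergences, both comma-operator indices
```

Plugging a real rewriter in as `transform` turns the thread's ad hoc reports into a regression run; every new bug report from the thread can be appended to `CASES` with the value the author states as expected.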