I’ve spent a bit of time experimenting with Javascript over the
last few weeks and I thought I’d share some of the techniques used.
First of all Javascript is weird, cool and surprising language, it is
just simply not possible to learn everything it can do.
Most of these techniques were used whilst hacking/playing with the
PHPIDS
and I got addicted to finding new ways of doing things. I’ve followed a
question and answer format for this post as I think it is easier to
follow rather than one big post of techniques.
What can you do if you can’t use eval()?
In Javascript you can store references to native functions in variables so for example you can do the following:-
x=eval;
x();// calls eval
Geko based browsers also allow you to call the eval function like this:-
0['eval']('alert(/XSS/)')
So you can do stuff like, use your imagination:-
0['ev'+'al']('alert(/XSS/)');
How do I get round using certain characters/words?
Javascript supports various encoding which allows you to represent
different characters. So the following unicode example creates the eval
and alert combination:-
alert('\141\154\145\162\164\050\061\051')
So \141 translates to ‘a’ etc, when you have a string in javascript
by using “” or ” you can use unicode characters, when javascript
encounters the ‘\’ it will convert the character depending on it’s
character code.
Hex decimal encoding can also be used like the following:-
alertString = 'a\x6cert(1)';
You can also use eval to convert the character for you, for example the following produces the letter ‘a’:-
charNumber = 141;
stringQuote = "'";
backslash = "\\";
alert(eval(stringQuote + backslash + charNumber + stringQuote));
How do you call anonymous functions?
Javascript allows you to call functions when you use ‘()’ as you
already know, but you can also use it to call anonymous functions like
the following:-
new Function('alert(1)')();
The code above creates a new anonymous function and passes the string
‘alert(1)’ which is embedded into the newly created function, it then
calls executes the function. You can also combine the techniques
mentioned, like using different characters encodings to pass the string
information , you also don’t need to specify ‘new’ e.g.
Function('a\x6cert(1)')();
What can you use as variable names?
Javascript isn’t very strict and is pretty lax when it comes to
variables names for example the ‘_’ character is allowed as a variable
name or even a ‘$’ can be used as a variable name, even different
character sets are allowed for variable names.
How can you create a string?
Strings are defined using String(), ” and “” etc. What you might not
have known though is that regular expressions can also be used to create
a string, like the following examples:-
newString = /XSS/.source;
newString = /XSS/ + '';
newString = newString[1] + newString[2] + newString[3];
I really need this character but it’s not allowed, how do I get it?
Think around the problem, rather than try to access the character
directly get the information from another source. Like for example say
you wanted the colon character and you tried urlencodings and various
character encodings, you can use the URL property to gain this
information. Example:-
alert(document.URL.substr(4, 1));
I like the document.URL technique, what else is possible using similar techniques?
Surprisingly often you don’t even need to call the document object to
access some functions, so URL is available within the context of the
HTML element:-
Test
In Internet Explorer you can even set the URL property to cause XSS like this:-
Test
Are there any other ways of executing javascript in CSS?
Firefox has a few features which allow unusual Javascript execution,
among them is the -moz-binding css extension which allows you to link
XML documents using CSS. Here is an example:-
Test
How can I use XML within Javascript?
Firefox now supports XML in javascript code, you can just include the tags like this:-
testXML = Test XML string;
alert(textXML.text());
4:55 AM
Avais Waseem
Posted in: Metasploit
