The JavaScript character wall

The JavaScript character wall

Gareth Heyes
Hi all

So, many years ago on the sla.ckers forums, Yosuke Hasegawa posted non-alphanumeric JavaScript. We then worked together to find out the smallest possible charset required to execute non-alphanumeric JavaScript. We all broke the wall multiple times, and Mario Heiderich found the character limit was 6 characters. It could not be broken...

Enter the pipeline operator and Masato Kinugawa. He found that, using the specified pipeline operator, he could break the wall :O. Check it out, it is awesome:

https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10

I really hope the pipeline operator gets specified and implemented by the various browsers, because breaking the wall is a fantastic achievement and it's useful too.

Cheers
Gareth

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Re: The JavaScript character wall

Mike Samuel


On Thu, Dec 14, 2017 at 5:39 AM, Gareth Heyes <[hidden email]> wrote:
> Hi all
>
> So, many years ago on the sla.ckers forums, Yosuke Hasegawa posted non-alphanumeric JavaScript. We then worked together to find out the smallest possible charset required to execute non-alphanumeric JavaScript. We all broke the wall multiple times, and Mario Heiderich found the character limit was 6 characters. It could not be broken...

Background for other es-discussers: https://news.ycombinator.com/item?id=4370098 links to Yosuke Hasegawa's various obfuscator demos, and IIRC, Mario's argument about the limit is in "Web Application Obfuscation."

Gareth, is there a working 6-character contender? That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken when the spec changed the semantics of [].sort.call() so that it no longer returns the global object.


> Enter the pipeline operator and Masato Kinugawa. He found that, using the specified pipeline operator, he could break the wall :O. Check it out, it is awesome:
>
> https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10

Looks like somebody has already put together a demo page for it:

> I really hope the pipeline operator gets specified and implemented by the various browsers, because breaking the wall is a fantastic achievement and it's useful too.

Re: The JavaScript character wall

Gareth Heyes
On 18 December 2017 at 22:13, Mike Samuel <[hidden email]> wrote:
> Gareth, is there a working 6-character contender? That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken when the spec changed the semantics of [].sort.call() so that it no longer returns the global object.

Hi Mike, Masato has broken the 6-character limit by replacing ()! with |>, because > can be used to get true or false and also to call functions. You can use [].filter and the Function constructor to execute non-alphanumeric code; the sort method was just a shortcut we used before it was fixed in every browser.

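As an added illustration, not code from the thread, from JSFuck, or from Masato's slides: the encoder below shows the [].filter plus Function constructor route Gareth describes, restricted to the six-character alphabet `[]()!+` (the alphabet JSFuck uses; the example assumes it is the 6-character set the thread refers to). Booleans come from `!`, numbers from `+` coercion, letters from indexing into the strings "false", "true", "undefined", "NaN" and, once "filter" can be spelled, into the source text of `[].filter`, whose exact spelling is read from the running engine rather than hardcoded. Masato's `|>` variant is not demonstrated, since no shipping engine implements the pipeline operator; `run()` uses indirect eval purely to show the encoded expression executing.

```javascript
// Added example: a minimal JSFuck-style encoder for the alphabet []()!+ .
// Not the thread's, JSFuck's, or Masato's code; written for this page.

const CHARSET = /^[\[\]()!+]*$/;

// The number n using only booleans and unary plus: +[] is 0, +!![] is 1,
// and !![]+!![]+... sums because true coerces to 1 under binary +.
function num(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!![]';
  return Array(n).fill('!![]').join('+');
}

// character -> expression in the six-character alphabet that evaluates to it
const charMap = Object.create(null);

// Register every character of a known string value as (expr)[index].
function addBase(value, expr) {
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (!(ch in charMap)) charMap[ch] = `(${expr})[${num(i)}]`;
  }
}

addBase('false', '![]+[]');        // ![] is false, +[] makes it a string
addBase('true', '!![]+[]');
addBase('undefined', '[][[]]+[]'); // [][""] is undefined
addBase('NaN', '+[![]]+[]');       // +["false"] is NaN
for (let d = 0; d <= 9; d++) charMap[String(d)] = `[${num(d)}]+[]`; // [n]+[] is "n"

// Concatenate one expression per character; every piece is a string, so
// binary + is string concatenation throughout.
function encodeString(s) {
  return Array.from(s, (ch) => {
    if (!(ch in charMap)) throw new Error(`no encoding for ${JSON.stringify(ch)}`);
    return charMap[ch];
  }).join('+');
}

// With "filter" spellable, String([].filter) supplies c, o, the space and
// more. Its spelling ("function filter() { [native code] }" in V8) is
// engine-specific, so the indices are derived from the running engine.
const FILTER = encodeString('filter');
addBase(String([].filter), `[][${FILTER}]+[]`);
const CONSTRUCTOR = encodeString('constructor');

// [][filter][constructor] is Function; calling it with the encoded source
// and invoking the result executes that source.
function encode(source) {
  return `[][${FILTER}][${CONSTRUCTOR}](${encodeString(source)})()`;
}

function usesOnlyCharset(expr) {
  return CHARSET.test(expr);
}

// Sorted string of the distinct characters an expression uses.
function distinctChars(expr) {
  return [...new Set(expr)].sort().join('');
}

// Demo only: execute the encoded expression via indirect eval.
function run(source) {
  return (0, eval)(encode(source));
}

console.log(distinctChars(encode('return 1'))); // the six characters in use
console.log(run('return 1'));
```

The alphabet this encoder can spell is limited to what those base strings expose (f, a, l, s, e, t, r, u, n, d, i, N, c, o, digits, space, brackets and braces); JSFuck proper bootstraps the rest through escape sequences, which is the part left out here.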