The JavaScript character wall

Mike Samuel mikesamuel at gmail.com
Mon Dec 18 22:13:20 UTC 2017


On Thu, Dec 14, 2017 at 5:39 AM, Gareth Heyes <gareth.heyes at portswigger.net>
wrote:

> Hi all
>
> So many years ago on the sla.ckers forums Yosuke Hasegawa posted
> non-alphanumeric JavaScript. We then worked together to find out the
> smallest possible charset required to execute non-alphanumeric JavaScript.
> We all broke the wall multiple times and Mario Heiderich found the
> character limit was 6 characters. It could not be broken.....
>

Background for other es-discussers,
https://news.ycombinator.com/item?id=4370098
links to Yosuke Hasegawa's various obfuscator demos, and IIRC,
Mario's argument about the limit is in "Web Application Obfuscation."

Gareth, is there a working 6 character contender?
That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken
when the spec changed the semantics of [].sort.call() so that it no longer
returns the global object.

> Enter the pipeline operator and Masato Kinugawa. He found using the
> specified pipeline operator he could break the wall :O. Check it out it is
> awesome:
>
> https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10
>

Looks like somebody has already put together a demo page for it:
https://syllab.fr/projets/experiments/xcharsjs/5chars.pipeline.html


> I really hope the pipeline operator gets specified and implemented by the
> various browsers because breaking the wall is a fantastic achievement and
> it's useful too.
>
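
An added illustration, not part of the original message: the [].sort.call() change mentioned above, probed in a current engine. Built-in methods now receive a missing `this` uncoerced and throw, while only sloppy-mode user functions still get the global object; the function and label names are this example's own.

```javascript
// Added illustration; probeMissingThis and surveyThisBinding are
// hypothetical names, not from the thread or any library.

// Classify what a function does when invoked with no `this` argument.
function probeMissingThis(fn) {
  try {
    const result = fn.call(); // thisArg is undefined
    if (result === globalThis) return "global object";
    if (result === undefined) return "undefined";
    return typeof result;
  } catch (err) {
    return err instanceof TypeError ? "TypeError" : "other error";
  }
}

// The Function constructor yields sloppy-mode code unless the body opts in
// to strict mode, so these behave the same in scripts and in modules.
const sloppyFn = new Function("return this");
const strictFn = new Function('"use strict"; return this');

function surveyThisBinding() {
  return {
    // Built-ins call ToObject(this) on the raw value; undefined throws.
    "[].sort": probeMissingThis([].sort),
    "[].concat": probeMissingThis([].concat),
    // Sloppy user code still has undefined replaced by the global object.
    "sloppy function": probeMissingThis(sloppyFn),
    // Strict user code sees the undefined `this` as passed.
    "strict function": probeMissingThis(strictFn),
  };
}

console.log(surveyThisBinding());
```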