Decoding complex non-alphanumeric JavaScript
@fkadev challenged me to decode some complex non-alpha. See here http://t.co/z7lWyIu5ka. Luckily the techniques I’ve used previously such as monitoring the Function constructor calls would work in a...
new operator
I was playing around with new operators when I noticed something cool and unexpected. If you return a function the new operator will not create a new object instance but instead return a function. This...
X-Domain scroll detection on IE using focus
This is a pretty cool bug. I use the focus event on an iframe to detect if the iframe has been scrolled x-domain. It’s because IE fires the onfocus event of the iframe when the scroll occurs. This...
Sandboxed jQuery
My new personal challenge was to get jQuery working correctly in a sandboxed environment; this proved to be really tricky. The first problem I encountered was that my fake DOM environment wasn’t returning...
Bypassing the XSS filter using function reassignment
The XSS filter introduced in IE8 is a really powerful defence against XSS. I tested the filter for a number of years and found various bypasses one of which I would like to share with you now. You can...
MentalJS bypasses
I managed to find time to fix a couple of MentalJS bypasses by LeverOne and Soroush Dalili (@irsdl). LeverOne’s vector was outstanding since it bypassed the parsing itself which is no easy task. The...
MentalJS DOM bypass
Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used insertBefore with a null second argument which allows you to insert a node into the dom and bypass my sandboxing restrictions. The...
How I smashed MentalJS
I’m proud to introduce a...
New IE mutation vector
I was messing around with a filter that didn’t correctly filter attribute names and allowed a blank one which enabled me to bypass it. I thought maybe IE had similar issues when rewriting innerHTML....
Rewriting relative urls with the base tag in Safari
I tweeted this a while ago but Twitter sucks when it comes to finding anything and I thought it was good enough for a blog post. Way back in Safari 3.0 and Internet Explorer 5.5 and the old Opera you...