Anyone want to guess what this does in javascript?
-
Thank you very much. We now need an article and some techniques to protect against JavaScript Injection Attacks. :)
Luc Pattyn [Forum Guidelines] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, improve readability, and make me actually look at the code.
If i had the time, you can write it and use my code example.
"I do not know with what weapons World War 3 will be fought, but World War 4 will be fought with sticks and stones." Einstein "Few things are harder to put up with than the annoyance of a good example." Mark Twain
-
If i had the time, you can write it and use my code example.
"I do not know with what weapons World War 3 will be fought, but World War 4 will be fought with sticks and stones." Einstein "Few things are harder to put up with than the annoyance of a good example." Mark Twain
I don't think I know enough about the subject to warrant an article. :)
Luc Pattyn [Forum Guidelines] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, improve readability, and make me actually look at the code.
-
I don't think I know enough about the subject to warrant an article. :)
Luc Pattyn [Forum Guidelines] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, improve readability, and make me actually look at the code.
Me neither, we should get john to do it
"I do not know with what weapons World War 3 will be fought, but World War 4 will be fought with sticks and stones." Einstein "Few things are harder to put up with than the annoyance of a good example." Mark Twain
-
I don't think I know enough about the subject to warrant an article. :)
Luc Pattyn [Forum Guidelines] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, improve readability, and make me actually look at the code.
Here I just made a tip or trick out of it. http://www.codeproject.com/Tips/196535/Javascript-Injection-at-its-Finest-without-even-us.aspx[^]
"I do not know with what weapons World War 3 will be fought, but World War 4 will be fought with sticks and stones." Einstein "Few things are harder to put up with than the annoyance of a good example." Mark Twain
-
String.prototype.code = function(){ return (new Function('with(this) { return ' + this + '}' )).call({}); };
var s = 'alert("hello!");'
s.code();
"I do not know with what weapons World War 3 will be fought, but World War 4 will be fought with sticks and stones." Einstein "Few things are harder to put up with than the annoyance of a good example." Mark Twain
modified on Sunday, May 15, 2011 12:54 PM
I don't know why you needed to modify the string prototype, but Function and eval both allow you to dynamically execute javascript. You can also just type it directly into the address bar, use a bookmarklet or a debug console.
Curvature of the Mind now with 3D
-
String.prototype.code = function(){ return (new Function('with(this) { return ' + this + '}' )).call({}); };
var s = 'alert("hello!");'
s.code();
"I do not know with what weapons World War 3 will be fought, but World War 4 will be fought with sticks and stones." Einstein "Few things are harder to put up with than the annoyance of a good example." Mark Twain
modified on Sunday, May 15, 2011 12:54 PM
Hi VectorX, That code fragment just tells me that JavaScript, like LISP, and PostScript, happens to be a programming language in which the distinction between groups of characters and executable code is trivial to blur. best, Bill
"Many : not conversant with mathematical studies, imagine that because it [the Analytical Engine] is to give results in numerical notation, its processes must consequently be arithmetical, numerical, rather than algebraical and analytical. This is an error. The engine can arrange and combine numerical quantities as if they were letters or any other general symbols; and it fact it might bring out its results in algebraical notation, were provisions made accordingly." Ada, Countess Lovelace, 1844
-
String.prototype.code = function(){ return (new Function('with(this) { return ' + this + '}' )).call({}); };
var s = 'alert("hello!");'
s.code();
"I do not know with what weapons World War 3 will be fought, but World War 4 will be fought with sticks and stones." Einstein "Few things are harder to put up with than the annoyance of a good example." Mark Twain
modified on Sunday, May 15, 2011 12:54 PM
-
String.prototype.code = function(){ return (new Function('with(this) { return ' + this + '}' )).call({}); };
var s = 'alert("hello!");'
s.code();
"I do not know with what weapons World War 3 will be fought, but World War 4 will be fought with sticks and stones." Einstein "Few things are harder to put up with than the annoyance of a good example." Mark Twain
modified on Sunday, May 15, 2011 12:54 PM
-
Thank you very much. We now need an article and some techniques to protect against JavaScript Injection Attacks. :)
Luc Pattyn [Forum Guidelines] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, improve readability, and make me actually look at the code.
There is absolutly no need to protect against Javascript injection. Just asume it is not safe. It runs on the "attackers" machine in his/her browser. They can mess with anything they want anyway. Your application defenses should be on the server side anyway. On the other hand, using Javascript's ability to dynamically eval code from string can be extremely powerfull. --- Adar Wesley
-
There is absolutly no need to protect against Javascript injection. Just asume it is not safe. It runs on the "attackers" machine in his/her browser. They can mess with anything they want anyway. Your application defenses should be on the server side anyway. On the other hand, using Javascript's ability to dynamically eval code from string can be extremely powerfull. --- Adar Wesley
I can see your point.
Adar Wesley wrote:
Your application defenses should be on the server side anyway.
Absolutely, the main defenses are the ones on the server, I agree. :)
Luc Pattyn [Forum Guidelines] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, improve readability, and make me actually look at the code.