comp.lang.javascript

alternatives to eval

gandalf23

11/21/2014 4:23:00 PM

I'm studying web app hacking, in particular XSS.
The book I'm reading says:

--->
If direct calls to the eval command are not possible, you have other ways to
execute commands in string form:
<script>'alert(1)'.replace(/.+/,eval)</script>
<script>function::['alert'](1)</script>
<---

I don't understand the use of eval above and I don't know what "function::" is.
13 Answers

Bala

11/21/2014 5:35:00 PM

0

On Friday, November 21, 2014 8:23:37 AM UTC-8, gand...@mail.com wrote:
> I'm studying web app hacking, in particular XSS.
> The book I'm reading says:
>
> --->
> If direct calls to the eval command are not possible, you have other ways to
> execute commands in string form:
> <script>'alert(1)'.replace(/.+/,eval)</script>
> <script>function::['alert'](1)</script>
> <---
>
> I don't understand the use of eval above and I don't know what "function::" is.

May I know what book you are reading?

Thanks,
Bala

Sean Hagen

11/21/2014 6:06:00 PM

0


> 'alert(1)'.replace(/.+/,eval)

This one seems to actually send 'alert(1)' to the eval function,
although I'm not entirely sure how.

> function::['alert'](1)

No idea on this one, running it in the Chrome Dev console does nothing.

Thomas 'PointedEars' Lahn

11/21/2014 7:01:00 PM

0

Sean Hagen wrote:

> [gandalf23@mail.com wrote: ]
>> 'alert(1)'.replace(/.+/,eval)
>
> This one seems to actually send 'alert(1)' to the eval function,
> although I'm not entirely sure how.

“eval” is a built-in function; precisely, it is an identifier that refers to
a Function instance that is a property of the global object. [0]

A reference to a function can be passed as second argument of
String.prototype.replace(). [1] The value that the function returns when
called is used to replace the substring(s) that is/are matched by the
regular expression specified by reference to an object whose [[Class]] is
"RegExp" as the first argument, or the result of conversion of the latter to
a String value, in which case only the first match is replaced. In any
case, the match, which is represented by a string value, is passed as first
argument to the callable. (Matches for captures, if any, are passed as
subsequent arguments, and the last two arguments are the index position of
the match and the string matched against.) [1]

When passed a string value as first argument, eval() evaluates that value as
a /Program/. [0] Since the last result in the Program is the “undefined”
value which window.alert() returns (in this environment, there is a wrapper
host object in the scope chain that by casual inspection often is
indistinguishable from the native global object), and
String.prototype.replace() returns the string representation of that value
[1], the Chrome Dev Console shows the string value "undefined".

Bottom line: This code is the error-prone, inefficient equivalent of

window.alert(1);

>> function::['alert'](1)
>
> […] running [this] in the Chrome Dev console does nothing.

But here it is shown as what it is: a syntax error in conforming
implementations of ECMAScript (up to Edition 5.1), assuming no syntax
extensions, conforming or otherwise, are implemented:

| >>> function::['alert'](1)
| SyntaxError: Unexpected token :

Tested in navigator.userAgent === "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36".


Please include an attribution line for quotations, see the FAQ.

__________
[0] <http://ecma-international.org/ecma-262/5.1/#sec-15...
[1] <http://ecma-international.org/ecma-262/5.1/#sec-15....
[2] <http://ecma-international.org/ecma-262/5.1/#sec-...
--
PointedEars
FAQ: <http://PointedEars.... | SVN: <http://PointedEars.de...
Twitter: @PointedEars2 | ES Matrix: <http://PointedEars.de/es-...
Please do not cc me. / Bitte keine Kopien per E-Mail.
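
The mechanism described in the post above, as an added example for Node.js that is not part of any post in this thread. The function names are assumptions, harmless source text stands in for alert(1), and Node's `contextCodeGeneration` option is used as a stand-in for a browser Content-Security-Policy without 'unsafe-eval'.

```javascript
// Added illustration, not code from the thread; all function names are assumptions.
const vm = require('vm');

// A function replacer is called as fn(match, ...captures, index, wholeString).
function replacerArguments(input, pattern) {
  let seen = null;
  input.replace(pattern, (...args) => { seen = args; return ''; });
  return seen;
}

// The book's construct, with harmless source text in place of alert(1).
// eval is passed as a value, so this is an indirect eval: the match is run
// as a Program in the global scope and its result is converted to a string.
function evalViaReplace(source) {
  return source.replace(/.+/, eval);
}

// Indirect eval does not see the caller's local bindings.
function localSeenByReplaceEval() {
  const local = 'function scope only';
  return 'typeof local'.replace(/.+/, eval);
}

// A filter keyed on call syntax ("eval(") does not match the construct.
const BOOK_SNIPPET = "'alert(1)'.replace(/.+/,eval)"; // as quoted in the thread
function callSyntaxFilterFlags(src) {
  return /\beval\s*\(/.test(src);
}

// Disabling code generation from strings stops eval however it is reached.
// Returns the result, or the error name if evaluation is refused.
function runInFreshContext(snippet, allowStringCodegen) {
  try {
    return vm.runInNewContext(snippet, {}, {
      contextCodeGeneration: { strings: allowStringCodegen },
    });
  } catch (err) {
    return err.name;
  }
}
```

The filter result shows why matching on `eval(` is not a control for this construct; the last function shows the enforcement point that is, since it refuses the evaluation regardless of how the reference to eval was obtained.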

gandalf23

11/21/2014 7:10:00 PM

0

On Friday, November 21, 2014 6:35:06 PM UTC+1, Bala wrote:
> May i know what book you are reading

http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/...

gandalf23

11/21/2014 7:48:00 PM

0

On Friday, November 21, 2014 8:01:19 PM UTC+1, Thomas 'PointedEars' Lahn wrote:
> Sean Hagen wrote:
> > [gandalf23@mail.com wrote: ]
> >> function::['alert'](1)
> >
> > [...] running [this] in the Chrome Dev console does nothing.
>
> But here it is shown as what it is: a syntax error in conforming
> implementations of ECMAScript (up to Edition 5.1), assuming no syntax
> extensions, conforming or otherwise, are implemented:
>
> | >>> function::['alert'](1)
> | SyntaxError: Unexpected token :
>
> Tested in navigator.userAgent === "Mozilla/5.0 (X11; Linux i686)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36".

Maybe it works on some old version of Internet Explorer.

Thomas 'PointedEars' Lahn

11/21/2014 8:09:00 PM

0

gandalf23@mail.com wrote:
^^^^^^^^^^^^^^^^^^
Please fix.

> […] Thomas 'PointedEars' Lahn wrote:
>> | >>> function::['alert'](1)
>> | SyntaxError: Unexpected token :
>>
>> Tested in navigator.userAgent === "Mozilla/5.0 (X11; Linux i686)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153
>> Safari/537.36".
>
> Maybe it works on some old version of Internet Explorer.

Please refrain from making guesses until you can make educated ones. TIA.

--
PointedEars
FAQ: <http://PointedEars.... | SVN: <http://PointedEars.de...
Twitter: @PointedEars2 | ES Matrix: <http://PointedEars.de/es-...
Please do not cc me. / Bitte keine Kopien per E-Mail.

Evertjan.

11/21/2014 9:41:00 PM

0

Thomas 'PointedEars' Lahn <PointedEars@web.de> wrote on 21 nov 2014 in
comp.lang.javascript:

> Please refrain from making guesses until you can make educated ones. TIA.

Guessing is an important part of education, I guess.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

gandalf23

11/21/2014 10:20:00 PM

0

On Friday, November 21, 2014 9:09:36 PM UTC+1, Thomas 'PointedEars' Lahn wrote:
> gandalf23@mail.com wrote:
> ^^^^^^^^^^^^^^^^^^
> Please fix.

No, I like it that way.

>
> > [...] Thomas 'PointedEars' Lahn wrote:
> >> | >>> function::['alert'](1)
> >> | SyntaxError: Unexpected token :
> >>
> >> Tested in navigator.userAgent === "Mozilla/5.0 (X11; Linux i686)
> >> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153
> >> Safari/537.36".
> >
> > Maybe it works on some old version of Internet Explorer.
>
> Please refrain from making guesses until you can make educated ones. TIA.

Please refrain from making requests until you can make reasonable ones.

Thomas 'PointedEars' Lahn

11/26/2014 9:11:00 PM

0

Evertjan. wrote:

> Thomas 'PointedEars' Lahn wrote:
>> Please refrain from making guesses until you can make educated ones.
>> TIA.
>
> Guessing is an important part of education, I guess.

Guess again.

--
PointedEars
FAQ: <http://PointedEars.... | SVN: <http://PointedEars.de...
Twitter: @PointedEars2 | ES Matrix: <http://PointedEars.de/es-...
Please do not cc me. / Bitte keine Kopien per E-Mail.

Evertjan.

11/26/2014 11:29:00 PM

0

Thomas 'PointedEars' Lahn <PointedEars@web.de> wrote on 26 nov 2014 in
comp.lang.javascript:

> Evertjan. wrote:
>
>> Thomas 'PointedEars' Lahn wrote:
>>> Please refrain from making guesses until you can make educated ones.
>>> TIA.
>>
>> Guessing is an important part of education, I guess.
>
> Guess again.

Don't be so patronizing,
your knowledge does not include much self-knowledge.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)