The JavaScript character wall

# Gareth Heyes (6 years ago)

So many years ago on the sla.ckers forums Yosuke Hasegawa posted non-alphanumeric JavaScript. We then worked together to find out the smallest possible charset required to execute non-alphanumeric JavaScript. We all broke the wall multiple times and Mario Heiderich found the character limit was 6 characters. It could not be broken.....

Enter the pipeline operator and Masato Kinugawa. He found using the specified pipeline operator he could break the wall :O. Check it out it is awesome:

speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10

I really hope the pipeline operator gets specified and implemented by the various browsers because breaking the wall is a fantastic achievement and it's useful too.

Hi all

So many years ago on the sla.ckers forums Yosuke Hasegawa posted
non-alphanumeric JavaScript. We then worked together to find out the
smallest possible charset required to execute non-alphanumeric JavaScript.
We all broke the wall multiple times and Mario Heiderich found the
character limit was 6 characters. It could not be broken.....

Enter the pipeline operator and Masato Kinugawa. He found using the
specified pipeline operator he could break the wall :O. Check it out it is
awesome:

https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10

I really hope the pipeline operator gets specified and implemented by the
various browsers because breaking the wall is a fantastic achievement and
it's useful too.

Cheers
Gareth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20171214/308f7f2f/attachment-0001.html>

# Mike Samuel (6 years ago)

On Thu, Dec 14, 2017 at 5:39 AM, Gareth Heyes <gareth.heyes at portswigger.net>

wrote:

Hi all

So many years ago on the sla.ckers forums Yosuke Hasegawa posted non-alphanumeric JavaScript. We then worked together to find out the smallest possible charset required to execute non-alphanumeric JavaScript. We all broke the wall multiple times and Mario Heiderich found the character limit was 6 characters. It could not be broken.....

Background for other es-discussers, news.ycombinator.com/item?id=4370098 links to Yosuke Hasegawa's various obfuscator demos, and IIRC, Mario's argument about the limit is in "Web Application Obfuscation."

Gareth, is there a working 6 character contender? That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken when the spec changed the semantics of [].sort.call() so that it no longer returns the global object.

Enter the pipeline operator and Masato Kinugawa. He found using the specified pipeline operator he could break the wall :O. Check it out it is awesome:

speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10

Looks like somebody has already put together a demo page for it: syllab.fr/projets/experiments/xcharsjs/5chars.pipeline.html

On Thu, Dec 14, 2017 at 5:39 AM, Gareth Heyes <gareth.heyes at portswigger.net>
wrote:

> Hi all
>
> So many years ago on the sla.ckers forums Yosuke Hasegawa posted
> non-alphanumeric JavaScript. We then worked together to find out the
> smallest possible charset required to execute non-alphanumeric JavaScript.
> We all broke the wall multiple times and Mario Heiderich found the
> character limit was 6 characters. It could not be broken.....
>

Background for other es-discussers,
https://news.ycombinator.com/item?id=4370098
links to Yosuke Hasegawa's various obfuscator demos, and IIRC,
Mario's argument about the limit is in "Web Application Obfuscation."

Gareth, is there a working 6 character contender?
That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken
when the spec
changed the semantics of [].sort.call() so that it no longer returns the
global object.




> Enter the pipeline operator and Masato Kinugawa. He found using the
> specified pipeline operator he could break the wall :O. Check it out it is
> awesome:
>
> https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10
>

Looks like somebody has already put together a demo page for it:
https://syllab.fr/projets/experiments/xcharsjs/5chars.pipeline.html


> I really hope the pipeline operator gets specified and implemented by the
> various browsers because breaking the wall is a fantastic achievement and
> it's useful too.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20171218/cf24f308/attachment.html>

# Gareth Heyes (6 years ago)

On 18 December 2017 at 22:13, Mike Samuel <mikesamuel at gmail.com> wrote:

Gareth, is there a working 6 character contender? That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken when the spec changed the semantics of [].sort.call() so that it no longer returns the global object.

Hi Mike, Masato has broken the 6 character limit by replacing ()! with |>

because > can be used to get true or false and also call functions. You can

use [].filter and the function constructor to execute non-alphanumeric code, the sort method was just a shortcut we used before it was fixed in every browser.

On 18 December 2017 at 22:13, Mike Samuel <mikesamuel at gmail.com> wrote:

> Gareth, is there a working 6 character contender?
> That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken
> when the spec
> changed the semantics of [].sort.call() so that it no longer returns the
> global object.
>

Hi Mike, Masato has broken the 6 character limit by replacing ()! with |>
because > can be used to get true or false and also call functions. You can
use [].filter and the function constructor to execute non-alphanumeric
code, the sort method was just a shortcut we used before it was fixed in
every browser.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20171219/c6962019/attachment.html>