The JavaScript character wall

# Gareth Heyes (8 months ago)

So many years ago on the sla.ckers forums Yosuke Hasegawa posted non-alphanumeric JavaScript. We then worked together to find out the smallest possible charset required to execute non-alphanumeric JavaScript. We all broke the wall multiple times and Mario Heiderich found the character limit was 6 characters. It could not be broken.....

Enter the pipeline operator and Masato Kinugawa. He found using the specified pipeline operator he could break the wall :O. Check it out it is awesome:

speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10

I really hope the pipeline operator gets specified and implemented by the various browsers because breaking the wall is a fantastic achievement and it's useful too.

# Mike Samuel (8 months ago)

On Thu, Dec 14, 2017 at 5:39 AM, Gareth Heyes <gareth.heyes at portswigger.net> wrote:

Hi all

So many years ago on the sla.ckers forums Yosuke Hasegawa posted non-alphanumeric JavaScript. We then worked together to find out the smallest possible charset required to execute non-alphanumeric JavaScript. We all broke the wall multiple times and Mario Heiderich found the character limit was 6 characters. It could not be broken.....

Background for other es-discussers, news.ycombinator.com/item?id=4370098 links to Yosuke Hasegawa's various obfuscator demos, and IIRC, Mario's argument about the limit is in "Web Application Obfuscation."

Gareth, is there a working 6 character contender? That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken when the spec changed the semantics of [].sort.call() so that it no longer returns the global object.

Enter the pipeline operator and Masato Kinugawa. He found using the specified pipeline operator he could break the wall :O. Check it out it is awesome:

speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-10

Looks like somebody has already put together a demo page for it: syllab.fr/projets/experiments/xcharsjs/5chars.pipeline.html

# Gareth Heyes (8 months ago)

On 18 December 2017 at 22:13, Mike Samuel <mikesamuel at gmail.com> wrote:

Gareth, is there a working 6 character contender? That ycombinator thread notes that utf-8.jp/public/jsfuck.html was broken when the spec changed the semantics of [].sort.call() so that it no longer returns the global object.

Hi Mike, Masato has broken the 6 character limit by replacing ()! with |> because > can be used to get true or false and also call functions. You can use [].filter and the function constructor to execute non-alphanumeric code, the sort method was just a shortcut we used before it was fixed in every browser.
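
As an added illustration (not part of the thread or the linked demos): the primitives the last message refers to, plus a charset classifier that a filter or reviewer could use to flag input written this way. The two alphabets are assumptions inferred from the "()!" to "|>" replacement described above, and the sample strings are constructed.

```javascript
// Added example: alphabets are assumptions drawn from the thread's "()!" -> "|>" swap.
const SIX = new Set("[]()!+");   // classic six-character alphabet
const FIVE = new Set("[]+|>");   // six-character set with ()! replaced by |>

// Primitives the encodings are built from; all evaluate in current engines.
function primitives() {
  return {
    falseViaBang: ![] + [],                 // "false", needs "!"
    falseViaGt: [[] > []] + [],             // "false", needs only ">"
    trueViaGt: [[+[]] > []] + [],           // "true": "0" > "" compared as strings
    one: +!![],                             // 1
    letterA: (![] + [])[+!![]],             // "false"[1] === "a"
    // [].filter is only a handy built-in function; its constructor is Function.
    filterReachesFunction: []["filter"]["constructor"] === Function,
  };
}

// Classify a script body by the characters it is written in (whitespace ignored).
function classify(source) {
  const chars = [...new Set(source.replace(/\s+/g, ""))];
  if (chars.length === 0) return { verdict: "empty", charset: "" };
  const charset = chars.sort().join("");
  const within = (allowed) => chars.every((c) => allowed.has(c));
  let verdict = "ordinary";
  if (within(SIX)) verdict = "six-char";
  else if (within(FIVE)) verdict = "five-char";
  else if (!chars.some((c) => /[\p{L}\p{N}]/u.test(c))) verdict = "non-alphanumeric";
  return { verdict, charset };
}

// Constructed samples, not taken from the thread or the linked demos.
const SAMPLES = ["(![]+[])[+!![]]", "[[]>[]]+[]", "$=~[];_=$+''", "console.log(1)"];
for (const s of SAMPLES) console.log(s, classify(s));
```

A Content-Security-Policy without 'unsafe-eval' blocks the Function constructor step regardless of which character set the script is written in.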