JSFuck

JSFuck is an esoteric programming style of JavaScript, developed by Martin Kleppe, where code is written using a very limited set of characters: (,), [, ], +, !. The name is derived from brainfuck, an esoteric programming language which also uses a minimalistic alphabet of only punctuation. Unlike brainfuck, JSFuck is valid JavaScript code, meaning JSFuck programs can be run in any web browser or engine that interprets JavaScript.

The challenge in JSFuck lies in recreating the full set of JavaScript functions using only these six characters, which is made possible by two properties of JavaScript:

  1. It is a weakly typed programming language
  2. It allows the evaluation of any expression as any type.[1]

JSFuck was originally developed as part of an online contest aimed at improving security bypass techniques.[2] It can be used to bypass detection of malicious code submitted on websites, e.g. in cross-site scripting (XSS) attacks.[3] Another potential use of JSFuck lies in code obfuscation. An optimized version of JSFuck has been used to encode jQuery, the most used JavaScript library, in a fully functional equivalent version consisting of only six distinct characters.[4]

Encoding methods

JSFuck code is extremely "verbose": In JavaScript, the code alert("Hello World!"), which causes a pop-up window to open, is 21 characters long. In JSFuck, the same code has a length of 22948 characters. Certain single characters require far more than 1000 characters when expanded as JSFuck. This section offers an overview of how this expansion works.

Numbers

The number 0 is created by +[], where [] is the empty array and + is the unary plus, used to convert the right side to a numeric value (zero here). The number 1 is formed as +!![] or +!+[], where the boolean value true (expressed as !![] or !+[] in JSFuck) is converted into the numeric value 1 by the prepended plus sign. The digits 2 to 9 are formed by summing true $n$ times. E.g. in JavaScript true + true = 2 and true = !![] = !+[], hence 2 can be written as !![]+!![] or !+[]+!+[]. Other digits follow a similar pattern. Integers consisting of two or more digits are written, as a string, by concatenating 1-digit arrays with the plus operator. For example, the string "10" can be expressed in JavaScript as [1] + [0]. By replacing the digits with the respective JSFuck expansions, this yields to [+!+[]]+[+[]]. To get a numeric value instead of a string, one would enclose the previous expression in round or square brackets and prepend a plus, yielding to 10 = +([+!+[]]+[+[]]).

Letters

Some letters can be obtained in JSFuck by accessing single characters in the string representations of simple boolean or numeric values like "false", "true", "NaN", "undefined" with an indexer (a number in square brackets). Other tricks are needed to produce other letters - for example by casting the string 1e1000 into a number, which gives Infinity, which in turn makes the letter y accessible.[5] The following is a list of primitive values used as building blocks to produce the most simple letters.

Value JSFuck
false ![]
true !![] or !+[]
NaN +[![]]
undefined [][[]]
Infinity +(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]])

Example: Creating the letter "a"

Proof: In JavaScript, alert((![]+[])[+!![]]) does the same as alert("a").[6]

Other constructs

The Function constructor can be used to trigger execution of JavaScript code contained in a string as if it were native JavaScript. So, for example, the statement alert(1) is equivalent to Function("alert(1)")(). The Function constructor can be retrieved in JSFuck by accessing the constructor property of a well known function, such as []["filter"] (Array.prototype.filter). And then alert(1) becomes []["filter"]["constructor"]("alert(1)")().

Character table

The characters with the shortest JSFuck expansions are listed below. Other characters can be expressed as well but will generate considerably longer code.

Character JSFuck
+ (+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[!+[]+!+[]]
. (+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]
0 +[]
1 +!![] or +!+[]
2 !![]+!![] or !+[]+!+[]
3 !![]+!![]+!![] or !+[]+!+[]+!+[]
4 !![]+!![]+!![]+!![] or !+[]+!+[]+!+[]+!+[]
5 !![]+!![]+!![]+!![]+!![] or !+[]+!+[]+!+[]+!+[]+!+[]
6 !![]+!![]+!![]+!![]+!![]+!![] or !+[]+!+[]+!+[]+!+[]+!+[]+!+[]
7 !![]+!![]+!![]+!![]+!![]+!![]+!![] or !+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
8 !![]+!![]+!![]+!![]+!![]+!![]+!![]+!![] or !+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
9 !![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![] or !+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
a (![]+[])[+!+[]]
d ([][[]]+[])[!+[]+!+[]]
e (!![]+[])[!+[]+!+[]+!+[]]
f (![]+[])[+[]]
i ([![]]+[][[]])[+!+[]+[+[]]]
I (+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+(+!+[])+(+[])+(+[])+(+[]))+[])[+[]]
l (![]+[])[!+[]+!+[]]
N (+[![]]+[])[+[]]
n ([][[]]+[])[+!+[]]
r (!+[]+[])[+!+[]]
s (![]+[])[!+[]+!+[]+!+[]]
t (!!+[]+[])[+[]]
u ([][[]]+[])[+[]]
y (+[![]]+[+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+(+!+[])+(+[])+(+[])+(+[]))])[+!+[]+[+[]]]

Security

Lacking the distinct features of "usual" JavaScript, obfuscation techniques like JSFuck can assist malicious JavaScript code in bypassing intrusion prevention systems[7] or content filters. For instance, the lack of alphanumeric characters in JSFuck on the one hand, and a flawed content filter on the other hand, allowed sellers to embed arbitrary JSFuck scripts in their eBay auction pages.[8]

References

  1. Jane Bailey/The Daily WTF: "Bidding on Security". http://thedailywtf.com/articles/bidding-on-security
  2. https://web.archive.org/web/20110301054929/http://sla.ckers.org/forum/read.php?24%2C32930 Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
  3. https://arstechnica.com/security/2016/02/ebay-has-no-plans-to-fix-severe-bug-that-allows-malware-distribution/ Ars Technica: Ebay has no plans to fix severe bugs that allows malware distribution
  4. https://github.com/fasttime/jquery-screwed jQuery JavaScript library made of only six different characters: ! ( ) + [ ]
  5. http://patriciopalladino.com/blog/2012/08/09/non-alphanumeric-javascript.html "Brainfuck Beware: JavaScript is after you!"
  6. Adapted from: https://esolangs.org/wiki/JSFuck
  7. Ré Medina, Matías A. (2012-09). Bypassing WAFs with non-alphanumeric XSS. Retrieved from http://blog.infobytesec.com/2012/09/bypassing-wafs-with-non-alphanumeric-xss.html.
  8. "eBay has no plans to fix "severe" bug that allows malware distribution [Updated]". Ars Technica.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.