JavaScript: alert(1) can also be written this way to bypass a filter


At the Blackhat DC 2011 conference, Ryan Barnett gave a sample of JavaScript code for XSS:

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

This is perfectly legitimate JavaScript code that is equivalent to alert(1). It runs on most browsers. (I have tested it in the browsers I had at hand, but in theory there is no guarantee that every browser will run it correctly, for the reasons given below.)

The benefit of this code (for hackers) is that it contains no letters or digits at all, so it can slip past some filter checks. For example, if an AJAX request is expected to return JSON that contains only numbers, the response is likely to be passed straight to eval without any check for letters, which leaves the hackers a backdoor. The code above is simple, just alert(1), but using the same principle you can do more complicated things, such as alert(document.cookie). More importantly, this code reminds me once again that the hacker's imagination is limitless ... As the title of Ryan Barnett's talk says, "XSS: the only rule is no rule".

So how does this piece of code work?

We can split it into two parts to understand it:

Part I:

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()

Part II:

[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

The first part is the core, so we analyze it first. Indented, it reads:

($=[$=[]][
    (__=!$+$)[_=-~-~-~$] +
    ({}+$)[_/_] +
    ($$=($_=!''+$)[_/_]+$_[+$])
])()

Obviously the outermost layer has the form (...)(), a function call, so we need to see which function is called here and what it returns. Next, we extract the assignment expressions from the original code and rewrite them in the following equivalent form:

$ = [];                      // 1
__ = !$ + $;                 // 2
_ = -~-~-~$;                 // 3
$_ = !'' + $;                // 4
$$ = $_[_/_] + $_[+$];       // 5
$ = [$][__[_] +              // 6
       ({}+$)[_/_] +         // 7
       $$                    // 8
      ];                     // 9
$();                         // 10

Now let's look at it line by line:

1. $ is first assigned an empty array (which will be overwritten later).

2. __ = ![] + [] = false + [] = "false". This takes advantage of JavaScript's implicit type conversion. An empty array is a truthy value, so ![] is false (a Boolean). When evaluating false + [], the array object cannot be added to another value directly, so a ToString conversion is performed before the addition; the ToString of an empty array is "", so what is actually evaluated is false + "". At this point false is automatically converted to a string, and the end result is "false" + "" = "false". In other words, when $ is an empty array, "+$" converts any value to a string.

3. When evaluating ~[], the ~ operator requires a number operand; an empty array cannot be converted directly to a number and is treated as 0, so ~[] = ~0 = -1.

For reference: ~[3] = -4; ~[3,2] = -1 (cannot be converted to a number); ~"3" = -4; ~"abc" = -1.

Therefore: _ = -~-~-~[] = -~-~-(-1) = -~-~1 = -~-(-2) = -~2 = -(-3) = 3. In theory you can derive every digit from 1 to 9 this way.

4. !'' is true; +$ turns it into the string "true".

5. Note that "value + []" has already been used above to obtain the string form of a value, and "+[]" is 0 (unary plus converts [] to the number 0). Therefore: $$ = "true"[3/3] + "true"[+[]] = "true"[1] + "true"[0] = "rt".

6. __[_] = "false"[3] = "s".

7. ({} + []) causes the empty object {} to be converted to the string "[object Object]", so ({}+$)[_/_] = "[object Object]"[1] = "o".

9. $ is reassigned here to [[]]["s" + "o" + "rt"]. Note that [[]] is itself an array containing an empty array; for this step any array would do (it need not be nested), but the author cleverly tucked the first assignment to $ inside the array literal, which makes the code more compact. The end result is $ = [[]]["sort"] = [[]].sort = Array.prototype.sort.

10. $() is called, and its return value is the value of the whole first expression. Note that $ is global in scope and is a property of window, equivalent to window.$, and Array.prototype.sort returns this. For window.$, this is window. So the value of the whole first part is the window itself! Of course, this step relies on the current browser's Array.prototype.sort implementation tolerating window as its this value.

Through the first part we have obtained a simple way of converting any value into a string, we can produce arbitrary numbers, and in theory we can extract most of the letters from the JavaScript system (not all of them, but a good many). And we get a reference to window. From here you can put together whatever you like. Haha!

As you can see, step 10 above depends on the browser's specific implementation, so some browsers may require changes to the code.

Now look at the second part; it is in fact quite clear. The only thing to note is that $ is now a function, so ~$ = ~0 (it cannot be converted directly to a number and is treated as 0) = -1.

[__[_/_]+__[_+~$]+$_[_]+$$](_/_) = ["false"[1] + "false"[3-1] + "true"[3] + "rt"](1) = ["a" + "l" + "e" + "rt"](1)

So the whole expression is equivalent to:

window["alert"](1)
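The derivation above and the filter-bypass point made earlier, as an added example (not code from the original post): it recomputes the building blocks with plain JavaScript instead of eval, then contrasts a letter/digit blocklist, which the payload passes, with JSON.parse, which rejects it. The payload string is the one quoted in the article; the function names are my own.

```javascript
// Payload quoted in the article (contains no letters or digits).
const PAYLOAD =
  "($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()" +
  "[__[_/_]+__[_+~$]+$_[_]+$$](_/_)";

// Re-derive the intermediate values from steps 1-9 without running the payload.
function buildingBlocks() {
  const $ = [];
  const __ = !$ + $;                 // ![] + []            -> "false"
  const _ = -~-~-~$;                 // ~[] is -1, so this counts up to 3
  const $_ = !'' + $;                // !'' + []            -> "true"
  const $$ = $_[_ / _] + $_[+$];     // "true"[1] + "true"[0] -> "rt"
  const o = ({} + $)[_ / _];         // "[object Object]"[1] -> "o"
  const method = __[_] + o + $$;     // "s" + "o" + "rt"    -> "sort"
  return { __, _, $_, $$, method };
}

// A naive allowlist: accept a response only if it has no letters or digits.
// The payload satisfies this check, so the check provides no protection.
function letterDigitFilterAccepts(src) {
  return !/[A-Za-z0-9]/.test(src);
}

// The correct control for a response that should be a single number:
// parse it as JSON and type-check the result; never eval the body.
function parseNumericResponse(body) {
  const value = JSON.parse(body);    // throws SyntaxError on the payload
  if (typeof value !== "number") throw new TypeError("expected a number");
  return value;
}

// Convenience wrapper returning null instead of throwing.
function safeParseNumeric(body) {
  try {
    return parseNumericResponse(body);
  } catch (e) {
    return null;
  }
}
```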

Finally, I just want to sigh once more: the hacker's imagination is infinite. Understanding the code is not hard; the question is how they came to think of it in the first place ...

Transferred from: http://www.javaeye.com/topic/947149
