6 characters are enough
Javascript
Based on Jasper Cashmore article
`A Javascript journey with only six characters`
[ ] ( ) + !
What are 6 characters?
Math.asin(0) // 0The length of encoded string is ~8k characters
6 characters are really enough
Why ?
Because we can
Obfuscation or validation check *
Why.. seriously?
One of security issues
* Check some special XSS
6 characters encoding
Function(/* any string */)()It's about how to create function *
6 characters encoding
- Get Function constructor
- Encode character set
In other words it's about how to
Function("console.log('Hello world!');")()
Any character set encoding
issue
Constuctor
issue
Now we have two issues
Let's begin
Array type convention
+[], // 0
[] + [], // ''
!+[], // true
!!+[], // false
[][[]], // undefined
Encode number
+true // 1
!+[] // true
+!+[] // 1
+[] // 0
+!+[] // 1
+!+[] +!+[] // 2
.. // ...
. // 9Now we can
Numbers to strings
+[] + [], // '0'
+!+[] + [], // '1'
+!+[] +!+[] + [], // '2'
.. // ...
. // '9'Let's convert
Encode any number
(+!+[] + []) + (+!+[] + []) // '11'Now we can
What about alphabet?
We have the following
!+[], // true
!!+[], // false
[][[]], // undefined
!+[] + [], // 'true'
!!+[] + [], // 'false'
[][[]] + [], // 'undefined'Expressions to strings
Let's convert
'true'[0] // 't'
'true'[1] // 'r'
'true'[2] // 'u'
'true'[3] // 'e'
We could get character from string
By the way
We could encode chars
(!+[]+[])[0] // 't'
(!+[]+[])[1] // 'r'
(!+[]+[])[2] // 'u'
(!+[]+[])[3] // 'e'Yippee!
But we can use characters from these strings
'true', 'false', 'undefined'
How to encode 'z' for example?
There's a method from Array.prototype
(!!+[]+[])[+[]] // 'f'
([][[]]+[])[+!+[]+!+[]+!+[]+!+[]+!+[]] // 'i'
(!!+[]+[])[+!+[]+!+[]] // 'l'
(!!+[]+[])[+!+[]+!+[]] // 'l'Now we can compose 'fill'
[]["fill"] + [] === 'function fill() { [native code] }'
Fill method increase our character set
[][
(!!+[]+[])[+[]] +
([][[]]+[])[+!+[]+!+[]+!+[]+!+[]+!+[]] +
(!!+[]+[])[+!+[]+!+[]] +
(!!+[]+[])[+!+[]+!+[]]
] + []
// 'function fill() { [native code] }'So now we can compose 'constructor'
[]["fill"]["constructor"] === Function
Hooray! We resolved first sub-issue!
[]["fill"]["constructor"]
[][
/* f */ (!!+[]+[])[+[]] +
/* i */ ([][[]]+[])[+!+[]+!+[]+!+[]+!+[]+!+[]] +
/* l */ (!!+[]+[])[+!+[]+!+[]] +
/* l */ (!!+[]+[])[+!+[]+!+[]]
][
/* c */ ([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]
+(!![]+[])[+[]]+(!![]+[])
[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]] +
/* o */ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]
+(![]+[])[!+[]+!+[]]+(!![]+[])
[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]] +
/* n */ ([][[]]+[])[+!+[]] +
/* s */ (![]+[])[!+[]+!+[]+!+[]] +
/* t */ (!![]+[])[+[]] +
/* r */ (!![]+[])[+!+[]] +
/* u */ ([][[]]+[])[+[]] +
/* c */ ([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]
+(!![]+[])[+[]]+(!![]+[])
[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]] +
/* t */ (!![]+[])[+[]] +
/* o */ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]
+(![]+[])[!+[]+!+[]]+(!![]+[])
[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]] +
/* r */ (!![]+[])[+!+[]]
]How to encode
But what about 'z'?
''['constructor'] + [] === 'function String() { [native code] }'
Convert String constructor to string
So we can use Number.prototype.toString *
Now we can compose 'toString'
(10).toString(36) // 'a'
(11).toString(36) // 'b'
.. // ...
(34).toString(36) // 'y'
(35).toString(36) // 'z'In result we can encode charset from 'a' to 'z'
Charset from 'a' to 'z'
can't provide any other character
String.fromCharCode(/* charCode */)
What about uppercase 'C'?
How to get 'C' for 'fromCharCode'
''["bold"]() // '<b></b>'
[]["fill"]["constructor"]("return escape('<')")() // '%3C'
[]["fill"]["constructor"]("return escape('<')")()[2] // 'C'
Yeah, that it is!
Yippee! We have resolved second sub-issue!
Now any character can be encoded
'String.fromCharCode(256)'
will be encoded in ~11k characters
But by the way
Note that
There's not one way only to collect alphabet's charsets
JSFuck
JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
Hieroglyphy
Transform any javascript code to an equivalent sequence of ()[]{}!+ characters that runs in the browser!
Do you want to play with it?
(!![]+[])[+[]]+(+(+!+[]+[+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+(!+[]+!+[]+[+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+![]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(+![]+[![]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]](!+[]+!+[]+[+!+[]])+(![]+[])[!+[]+!+[]+!+[]]