Non-Alphanumeric Payloads for XSS and How They Work

Shantanu Saxena
4 min read · Dec 10, 2022

So I was searching for some Obfuscation and Evasion techniques for XSS payloads when I came across a payload created by Yosuke Hasegawa. I was amazed that something like this actually worked and even after being in InfoSec for over a year, I still never knew about it.

If you are someone like me, someone who likes to deeply understand the workings of an exploit or a payload, then this blog is for you. It will focus on helping you understand how these payloads work.

Before we can begin crafting the payload, there are some concepts that you will need to know about. Hopefully, I will be able to explain them well, but if not, I will also provide links to the relevant documentation to clear any doubts you may have.

Truthy and Falsey Values

Basically, Truthy and Falsey values are values which, when coerced to a boolean (for example by Boolean() or by being used as a condition), evaluate to true or false respectively.

So let's take [] as an example. In JavaScript, [] represents an empty array; if we pass an empty array to the Boolean() function, it returns a boolean true.

This is because [] is a truthy value.

Now you don't need to remember which values are truthy: there are only 6 values that are always Falsey in JS:

  • false
  • 0
  • null
  • undefined
  • NaN (not a number)
  • '' "" `` (empty string)

Everything else is Truthy, even the string 'false', as it is not an empty string.

You can learn more about truthy and falsey values from here.

Generating Characters

In JS, you can convert an integer, a boolean value, and even an entire array to a string by concatenating it with + "".

As explained before, [] is a truthy value, but by itself, when not being used as a condition or in a logical expression, it is an array object. We can get a boolean value from it by simply applying the ! (not) logical operator to it: ![] evaluates to false, and !![] evaluates to true.

So at this point, you must be getting an idea of where I am going with this. Now that we have a string, to extract a character from it, all we need is an index.

By the way, true and false are not the only strings you can extract; here is a list of all the strings you can make using the concept described above.

Generating Numbers

Remember, true is 1 and false is 0; we are going to use that fact to get ourselves integers.

We will use the unary + operator with different values to generate integers. This works because the unary + operator “attempts to convert its operand into a number”. You can find the full explanation of this behavior here.

Now you may ask: if [] is a truthy value, why is it converted to 0 and not 1? Remember that [] is not a boolean value but an object. When the unary + operator is applied to an object (+[]), the object is first converted to a primitive. For an array, toString() is called, which converts [] to "", and that empty string is then converted to 0.

I know this may not be making sense yet. To properly understand it, please follow the links given below:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Unary_plus

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#primitive_coercion

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number#number_coercion

Well, now that we have 1 and 0, we can just add them to get 2, 3, and so on.

With this, we can start putting together our payload.

So 'alert' will become:

You can use http://jsfuck.com to generate a complete payload; writing all of it by hand would be tiring.
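As an added example (not code from the original post), the coercion steps above are packaged here as small JavaScript functions: the string sources, number generation, per-character extraction and a word encoder, plus a simple check of the kind a WAF might use to flag such payloads. All function and constant names are my own.

```javascript
// Added example: the coercion tricks described in the post, as functions.

// Expressions that coerce to useful strings using only the characters []()!+.
const FALSE_STR = "![]+[]";     // ![] -> false, then + [] -> "false"
const TRUE_STR  = "!![]+[]";    // !![] -> true, then + [] -> "true"
const UNDEF_STR = "[][[]]+[]";  // [][""] -> undefined, then + [] -> "undefined"
const NAN_STR   = "+[![]]+[]";  // +["false"] -> NaN, then + [] -> "NaN"

// Integer n as an expression: 0 is +[] ("" -> 0); n > 0 is n copies of +!![] (1) added up.
function numExpr(n) {
  if (!Number.isInteger(n) || n < 0) throw new RangeError("n must be a non-negative integer");
  return n === 0 ? "+[]" : Array(n).fill("+!![]").join("");
}

// Where each character can be picked from, in lookup order.
const SOURCES = [
  [FALSE_STR, "false"],
  [TRUE_STR, "true"],
  [UNDEF_STR, "undefined"],
  [NAN_STR, "NaN"],
];

// One character as (string expression)[index expression], e.g. "a" -> (![]+[])[+!![]]
function charExpr(ch) {
  for (const [expr, value] of SOURCES) {
    const i = value.indexOf(ch);
    if (i !== -1) return `(${expr})[${numExpr(i)}]`;
  }
  throw new Error(`no coercion source for ${JSON.stringify(ch)}`);
}

// A whole word is the per-character expressions joined with + (string concatenation).
function encodeWord(word) {
  return [...word].map(charExpr).join("+");
}

// Defender's side: the regularity that makes this work also makes it easy to flag.
// A long run consisting only of the six characters []()!+ is a strong signal.
function looksLikeNonAlnumPayload(input, minLength = 20) {
  return input.length >= minLength && /^[\[\]()!+]+$/.test(input);
}
```

Evaluating encodeWord("alert") in a JS engine yields the string "alert", built from "false" and "true" alone.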

So this is basically how Non-Alphanumeric payloads are created in JS. Nowadays a WAF will usually identify and catch them fairly easily. But this blog was only for educational purposes.

Thanks for reading this small blog. Hopefully it helped you in some way!
