DEV Community

Richard Schloss

JS Security Tip 05-01-2024 ICYMI

JavaScript has its fair share of quirky behavior. I'll keep this one brief and to the point.

(0)['constructor']['constructor'] is the Function constructor reached without ever naming it: (0).constructor is Number, and Number.constructor, inherited from Function.prototype, is Function itself. So (0)['constructor']['constructor']('return someFunction') is Function('return someFunction'): it compiles the string argument into a real function that will run, and that string can hold anything, most likely someone else's script. The result can be immediately invoked with arguments. For example:
(0)['constructor']['constructor']('return alert')()('hi') is equivalent to alert('hi') and shows a popup with the message "hi". Neither eval nor Function appears anywhere in that source, which is why simple keyword filters miss it.

But that's not really the scary part. The scary part is that the entire expression can be encoded into a string of dollar signs, underscores, brackets and quotes (still plain text, with no letters of alert left in it), so that the following does the same thing as the alert statement above (it decodes to alert("Hi" ), the same call with a capital H and a stray space):

```javascript
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+"\\"+$.__$+$.$_$+$.__$+"\\\"\\"+$.$__+$.___+")"+"\"")())();
```

A string like this could appear almost anywhere, be mistaken for minified code or line noise, and go unnoticed, since it is only 585 bytes. The giveaways are its vocabulary: a single $ variable, the ++$ counter, and type-coercion idioms such as (![]+""), (!""+"") and ({}+"") that spell words out of "false", "true" and "[object Object]". If you do come across a string like this, decode it rather than run it, for example with a tool like https://utf-8.jp/public/jjencode.html, to see what it's trying to do.
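Here is a defanged way to do that decoding without executing the payload. It is an added example, not code from the original post: it hooks the path the obfuscated code walks to reach Function (the inherited `constructor` property on Number and a few other built-ins, which an own property shadows), records every source string handed to the fake Function, and only compiles a stage for real when it is nothing but `return "<string literal>"`, since that can only yield a string. It assumes Node.js; the names `decodeStaged`, `functionViaNumber`, `HOOKED`, `PURE_STRING_RETURN` and `JJENCODED_ALERT` are this example's own, and `JJENCODED_ALERT` is the exact string from the post.

```javascript
// Added example (not from the original post): staged, defanged decoding of a
// payload that reaches Function via (0)['constructor']['constructor'].
// Assumes Node.js. All identifiers below are this example's own.

const RealFunction = Function; // grab a reference before anything is hooked

// Why the trick works: (0).constructor is Number, and Number.constructor is
// inherited from Function.prototype, so it is Function itself.
function functionViaNumber() {
  return (0)['constructor']['constructor'];
}

// Built-ins whose inherited .constructor an obfuscator may walk to reach
// Function. An own "constructor" property on each one shadows the inherited one.
const HOOKED = [Number, String, Boolean, Array, Object];

// A body that is nothing but `return "<string literal>"`. Compiling and running
// such a body can only produce a string, so it is safe to evaluate for real.
const PURE_STRING_RETURN = /^return\s*"(?:[^"\\]|\\.)*"\s*;?$/;

// Runs `payload` with Function replaced by a recorder. Returns the source text
// of every stage the payload tried to compile, in order. Nothing but string
// literals is ever executed.
function decodeStaged(payload) {
  const stages = [];
  const saved = HOOKED.map(c => Object.getOwnPropertyDescriptor(c, 'constructor'));

  // Stand-in for Function: record the source, never run arbitrary code.
  const fakeFunction = function (...args) {
    const src = String(args[args.length - 1] ?? ''); // body is the last argument
    stages.push(src);
    if (PURE_STRING_RETURN.test(src)) {
      const value = RealFunction(src)(); // harmless: yields the literal's value
      return () => value;                // so the next stage sees the real string
    }
    return () => undefined;              // real code: swallow the call instead
  };

  HOOKED.forEach(c => Object.defineProperty(c, 'constructor',
    { value: fakeFunction, configurable: true, writable: true }));
  try {
    // `$` becomes a parameter, so the payload's `$=~[]` stays local
    // instead of creating a global.
    RealFunction('$', payload)();
  } finally {
    HOOKED.forEach((c, i) => {
      if (saved[i]) Object.defineProperty(c, 'constructor', saved[i]);
      else delete c.constructor;
    });
  }
  return stages;
}

// The string from the post, verbatim (String.raw keeps its backslashes intact).
const JJENCODED_ALERT = String.raw`$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+"\\"+$.__$+$.$_$+$.__$+"\\\"\\"+$.$__+$.___+")"+"\"")())();`;

// stage 0: return"ale\162t(\"\110\151\"\40)"   (octal escapes spell "alert" and "Hi")
// stage 1: alert("Hi" )                          (recorded, never executed)
for (const [i, s] of decodeStaged(JJENCODED_ALERT).entries()) {
  console.log(`stage ${i}: ${s}`);
}
```

Two stages come out: the inner Function call builds the string alert("Hi" ) out of octal escapes, and the outer call would have compiled and run it. The hook only covers payloads that reach Function through the listed built-ins' inherited constructor (a payload using, say, an arrow function's .constructor needs that path hooked too), and only a pure string literal stage is auto-evaluated; anything else is recorded for you to read, which is the point.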

This is just another reason why browsers warn about pasting into the dev console (Chrome and Firefox make you type "allow pasting" before the first paste): even harmless-looking strings can be harmful.
