Filter Evasion

JavaScript

Base64 encoded payload

eval(atob(<b64>))
[].constructor.constructor(atob(<b64>))()

setTimeout(atob(<b64>))
setInterval(atob(<b64>))
Function(atob(<b64>))

Loose typing conversions

Boolean FALSE

![]
!{}
!!""
[]=={}

Boolean TRUE

!![]
!!{}
!""
[]==""

Convert a boolean to its literal string (i.e. "true" or "false") by appending an empty string. This works with any of the expressions listed above

![]+""    #FALSE
!![]+""   #TRUE

Integer 0, which is implicitly cast to FALSE

+""
-""
-+-+""
+[]
-[]
-+-+[]
![]+![]
![]+!{}
![]+!!""

Integer 1, which is implicitly cast to TRUE. To obtain 1, add FALSE and TRUE

+!![]
![]+!""
![]+!![]
~[]*~[]
++[[]][+[]]

To generate other integers, add the expression for 1 to itself as many times as needed

+!![]                    #1
+!![]+!![]               #2
+!![]+!![]+!![]          #3
+!![]+!![]+!![]+!![]     #4

String characters

![]+""        # "false"
!![]+""       # "true"
{}+[]         # "[object Object]" (in expression position; at the start of a statement {} parses as a block and the result is 0)
[]/[]+""      # "NaN"
!![]/![]+""   # "Infinity"

Extract a character from a string. By using the integer expressions as indexes into the strings generated by the expressions above, single characters can be extracted and concatenated to form malicious instructions and bypass filters

(!![]/![]+"")[+!![]]    #is equal to "Infinity"[1] --> "n"

URI Obfuscation

Automatic login

http://<user>:<pass>@<domain>/<url>

Host obfuscation

http://0110.0220.0330.0440    #OCT format
http://0x0a0b0c0d             #HEX format without split
http://0x0a.0x0b.0x0c.0x0d    #HEX format split
http://4278190337             #DWORD format (e.g. 1.1.1.1 --> 0x01010101 --> 16843009)
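
Defensive counterpart to the host forms above, as an added example that is not part of the original cheat sheet: a filter or allowlist that compares the host string as written misses these encodings, so resolve the host to dotted-decimal first and flag any userinfo. The function names and sample URLs are constructed for illustration; parsing assumes inet_aton-style rules (0x is hex, a leading 0 is octal, the last part fills the remaining bytes).

```javascript
// Added example: resolve an obfuscated IPv4 host to dotted-decimal before filtering.
// Function names and sample URLs are constructed for illustration.

// One dotted part: 0x.. is hex, a leading 0 is octal, otherwise decimal.
function parsePart(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length > 2 ? parseInt(part.slice(2), 16) : 0;
  if (/^0[0-7]*$/.test(part)) return parseInt(part, 8);
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return NaN; // not numeric, e.g. a DNS label
}

// Returns a dotted quad, "invalid" for out-of-range numbers, or null for names.
function canonicalIPv4(host) {
  const parts = host.replace(/\.$/, "").split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  // Every part but the last is one octet; the last fills the remaining bytes.
  const last = nums.pop();
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return "invalid";
  let value = last;
  nums.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join(".");
}

// Split the authority by hand so the host is seen exactly as it was written.
function inspectUrl(raw) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(raw);
  if (!m) return null;
  const at = m[1].lastIndexOf("@");
  const host = m[1].slice(at + 1).replace(/:\d*$/, "").toLowerCase();
  const canonical = canonicalIPv4(host);
  return {
    hasUserinfo: at !== -1,                               // user:pass@ before the real host
    host,
    canonical,
    obfuscated: canonical !== null && canonical !== host, // numeric but not plain dotted-decimal
  };
}

// Constructed samples using the formats listed above.
for (const u of ["http://0x0a0b0c0d/", "http://0x0a.0x0b.0x0c.0x0d/", "http://16843009/",
                 "http://0110.0220.0330.0440/", "http://user:pass@0x7f.1/x", "http://example.com/"]) {
  console.log(u, JSON.stringify(inspectUrl(u)));
}
```

Apply allowlist or blocklist decisions to the canonical value, and treat "invalid" or obfuscated hosts as suspicious rather than passing them through.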
