Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: JavaScript exploits via source code disclosure
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 07 May 2010 16:37:24 +1200

Christian Sciberras wrote:

This is a seriously flawed argument.


JS == plain text. Full Stop.

...but that has nothing to do with the reasons why.

First, because it is simply wrong (FSVO "plain text").

For just one trivial example, the following Javascript doesn't look 
anything like anything normally considered "plain text":


yet it runs as designed (and there's no need for anyone to provide an 
explanation of what it is, what it does, how it works, etc).

In the contexts in which Javascript is typically relevant, and 
specifically in this case, the colloquial "plain text" is generally 
expected to be material that can be safely transferred across the 
internet under text/plain character encoding.  While the above example 
may survive that on a binary-clean transport (like HTTP) it just might 
not on other common internet protocol transports.

And, FWIW, the ECMAScript standard says, in the first sentence of 
Section 6 ("Source Text"):

   ECMAScript source text is represented as a sequence of characters
   in the Unicode character encoding, version 3.0 or later.

Again, close-minded as it is, Unicode and "plain text" typically do NOT 
mean the same thing on the Internet (an oversight that will probably be 
"fixed" within another generation or so).

I think you confused "plain text" with "necessarily scrutable", or 


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]