Full Disclosure mailing list archives
Re: JavaScript exploits via source code disclosure
From: Christian Sciberras <uuf6429 () gmail com>
Date: Fri, 7 May 2010 08:19:50 +0200
OK, scratch "plain text" and instead "human readable code". Because, let's face it, obfuscators don't do much in the face of real/determined hackers/attackers. On Fri, May 7, 2010 at 6:37 AM, Nick FitzGerald <nick () virus-l demon co uk>wrote:
Christian Sciberras wrote:This is a seriously flawed argument.Correct...JS == plain text. Full Stop....but that has nothing to do with the reasons why. First, because it is simply wrong (FSVO "plain text"). For just one trivial example, the following Javascript doesn't look anything like anything normally considered "plain text": http://cecil.auckland.ac.nz/scripts/menu.js yet it runs as designed (and there's no need for anyone to provide an explanation of what it is, what it does, how it works, etc). In the contexts in which Javascript is typically relevant, and specifically in this case, the colloquial "plain text" is generally expected to be material that can be safely transferred across the internet under text/plain character encoding. While the above example may survive that on a binary-clean transport (like HTTP) it just might not on other common internet protocol transports. And, FWIW, the ECMAScript standard says, in the first sentence of Section 6 ("Source Text"): ECMAScript source text is represented as a sequence of characters in the Unicode character encoding, version 3.0 or later. Again, close-minded as it is, Unicode and "plain text" typically do NOT mean the same thing on the Internet (an oversight that will probably be "fixed" within another generation or so). I think you confused "plain text" with "necessarily scrutable", or similar. Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: JavaScript exploits via source code disclosure, (continued)
- Re: JavaScript exploits via source code disclosure Marc Olive (May 06)
- Re: JavaScript exploits via source code disclosure Nick FitzGerald (May 06)
- Re: JavaScript exploits via source code disclosure Ed Carp (May 06)
- Re: JavaScript exploits via source code disclosure Valdis . Kletnieks (May 06)
- Re: JavaScript exploits via source code disclosure PsychoBilly (May 06)
- Re: JavaScript exploits via source code disclosure Marsh Ray (May 06)
- Re: JavaScript exploits via source code disclosure PsychoBilly (May 06)
- Re: JavaScript exploits via source code disclosure Marsh Ray (May 06)
- Re: JavaScript exploits via source code disclosure Christian Sciberras (May 06)
- Re: JavaScript exploits via source code disclosure Nick FitzGerald (May 06)
- Re: JavaScript exploits via source code disclosure Christian Sciberras (May 06)
- Re: JavaScript exploits via source code disclosure T Biehn (May 06)