Full Disclosure mailing list archives

Re: JavaScript exploits via source code disclosure

From: Christian Sciberras <uuf6429 () gmail com>
Date: Fri, 7 May 2010 08:19:50 +0200

OK, scratch "plain text" and instead "human readable code".
Because, let's face it, obfuscators don't do much in the face of
real/determined hackers/attackers.




On Fri, May 7, 2010 at 6:37 AM, Nick FitzGerald <nick () virus-l demon co uk>wrote:

Christian Sciberras wrote:

This is a seriously flawed argument.


Correct...

JS == plain text. Full Stop.


...but that has nothing to do with the reasons why.

First, because it is simply wrong (FSVO "plain text").

For just one trivial example, the following Javascript doesn't look
anything like anything normally considered "plain text":

  http://cecil.auckland.ac.nz/scripts/menu.js

yet it runs as designed (and there's no need for anyone to provide an
explanation of what it is, what it does, how it works, etc).

In the contexts in which Javascript is typically relevant, and
specifically in this case, the colloquial "plain text" is generally
expected to be material that can be safely transferred across the
internet under text/plain character encoding.  While the above example
may survive that on a binary-clean transport (like HTTP) it just might
not on other common internet protocol transports.

And, FWIW, the ECMAScript standard says, in the first sentence of
Section 6 ("Source Text"):

  ECMAScript source text is represented as a sequence of characters
  in the Unicode character encoding, version 3.0 or later.

Again, close-minded as it is, Unicode and "plain text" typically do NOT
mean the same thing on the Internet (an oversight that will probably be
"fixed" within another generation or so).

I think you confused "plain text" with "necessarily scrutable", or
similar.



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: JavaScript exploits via source code disclosure, (continued)
- Re: JavaScript exploits via source code disclosure Marc Olive (May 06)
- Re: JavaScript exploits via source code disclosure Nick FitzGerald (May 06)
- Re: JavaScript exploits via source code disclosure Ed Carp (May 06)
  - Re: JavaScript exploits via source code disclosure Valdis . Kletnieks (May 06)
  - Re: JavaScript exploits via source code disclosure PsychoBilly (May 06)
    - Re: JavaScript exploits via source code disclosure Marsh Ray (May 06)
    - Re: JavaScript exploits via source code disclosure PsychoBilly (May 06)
    - Re: JavaScript exploits via source code disclosure Marsh Ray (May 06)
    - Re: JavaScript exploits via source code disclosure Christian Sciberras (May 06)
    - Re: JavaScript exploits via source code disclosure Nick FitzGerald (May 06)
    - Re: JavaScript exploits via source code disclosure Christian Sciberras (May 06)
  - Re: JavaScript exploits via source code disclosure Jan G.B. (May 06)
- Re: JavaScript exploits via source code disclosure Elazar Broad (May 06)
  - Re: JavaScript exploits via source code disclosure T Biehn (May 06)
- Re: JavaScript exploits via source code disclosure Elazar Broad (May 06)