JSFuck

JSFuck is an esoteric subset of JavaScript, where code is written using only six characters: [, ], (, ), !, and +. The name is derived from Brainfuck, an esoteric programming language that also uses a minimalistic alphabet of only punctuation. Unlike Brainfuck, which requires its own compiler or interpreter, JSFuck is valid JavaScript code, meaning that JSFuck programs can be run in any web browser or engine that interprets JavaScript. JSFuck is able to recreate all JavaScript functionality using such a limited set of characters because JavaScript is a weakly typed programming language, and it allows the evaluation of any expression as any type.


History

In July 2009, Yosuke Hasegawa created a web application called jjencode which could encode arbitrary JavaScript into an obfuscated form utilizing only the 18 symbols []()!+,\"$.:;_{}~=. In January 2010, an informal competition was held in the "Obfuscation" forum of the sla.ckers.org web application security site to come up with a way to get the minimum number of characters required down to less than eight: []()!+,/. Contributors to the thread managed to eliminate the need for the , and / characters. As of March 2010, an online encoder called JS-NoAlnum was available which utilized only the final set of six characters. By the end of 2010, Hasegawa made a new encoder available named JSF*ck which also used only the minimum six characters. In 2012, Martin Kleppe created a "jsfuck" project on GitHub, and a JSFuck.com website with a web app using that implementation of the encoder.

JSFuck can be used to bypass detection of malicious code submitted on websites, e.g. in cross-site scripting (XSS) attacks. Another potential use of JSFuck lies in code obfuscation. An optimized version of JSFuck has been used to encode jQuery, a JavaScript library, into a fully functional version written with just the six characters.


Encoding methods

JSFuck code is extremely "verbose": In JavaScript, the code alert("Hello World!"), which causes a pop-up window to open with the text "Hello world", is 21 characters long. In JSFuck, the same code has a length of 4325 characters. Certain single characters require far more than 1000 characters when expanded as JSFuck. This section offers an overview of how this expansion works.


Numbers

The number 0 is created by +[], where [] is the empty array and + is the unary plus, used to convert the right side to a numeric value (zero here). The number 1 is formed as +!![] or +!+[], where the boolean value true (expressed as !![] or !+[] in JSFuck) is converted into the numeric value 1 by the prepended plus sign. The digits 2 to 9 are formed by summing true the appropriate number of times. E.g. in JavaScript true + true = 2 and true = !![] = !+[], hence 2 can be written as !![]+!![] or !+[]+!+[]. Other digits follow a similar pattern.

Integers consisting of two or more digits are written, as a string, by concatenating 1-digit arrays with the plus operator. For example, the string "10" can be expressed in JavaScript as [1] + [0]. By replacing the digits with the respective JSFuck expansions, this yields [+!+[]]+[+[]]. To get a numeric value instead of a string, one would enclose the previous expression in parentheses or square brackets and prepend a plus, yielding 10 = +([+!+[]]+[+[]]).


Letters

Some letters can be obtained in JSFuck by accessing single characters in the string representations of simple boolean or numeric values like "false", "true", "NaN", "undefined" with an ''indexer'' (a number in square brackets). Other tricks are needed to produce other letters – for example by casting the string 1e1000 into a number, which gives Infinity, which in turn makes the letter y accessible. The following is a list of primitive values used as building blocks to produce the most simple letters:


Example: Creating the letter "a"

"a": Taken from the string "false". The second character of "false" is a, which can be accessed with:

1. "false"[1]. "false" can be made from false+[], i.e. the boolean constant false plus an empty array.
2. (false+[])[1]: We write false as ![] (negation applied to an empty array).
3. (![]+[])[1]: 1 is a number, we can write it as +true.
4. (![]+[])[+true]: Since false is ![], true is !![].
5. (![]+[])[+!![]] – which evaluates to "a".

Proof: In JavaScript, alert((![]+[])[+!![]]) does the same as alert("a").


Other constructs

The Function constructor can be used to trigger execution of JavaScript code contained in a string as if it were native JavaScript. So, for example, the statement alert(1) is equivalent to Function("alert(1)")(). The Function constructor can be retrieved in JSFuck by accessing the ''constructor'' property of a well known function, such as []["filter"] (Array.prototype.filter) or []["flat"] (Array.prototype.flat) in modern browsers. And then alert(1) becomes []["flat"]["constructor"]("alert(1)")().
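The digit, integer and letter rules from the Numbers and Letters sections can be checked mechanically. The following is an added example, not code from the original page or from the JSFuck project; it uses the !![] spelling of true throughout, covers only letters reachable from "false", "true", "undefined" and "NaN", and the expressions it uses for "undefined" and "NaN" are standard coercions that do not appear on the page.

```javascript
// Added example, not code from the original page or the JSFuck project.
// Primitive strings used as letter sources. The expressions for "undefined"
// and "NaN" are standard JavaScript coercions, not taken from the page.
const SOURCES = {
  "false": "![]+[]",        // false + []      -> "false"
  "true": "!![]+[]",        // true + []       -> "true"
  "undefined": "[][[]]+[]", // [][""] + []     -> "undefined"
  "NaN": "+[![]]+[]",       // +"false" + []   -> "NaN"
};
const ONLY_SIX = /^[\[\]()!+]+$/;

// One decimal digit: 0 is +[], 1 is +!![], 2..9 are sums of true (!![]).
function digit(d) {
  if (d === 0) return "+[]";
  if (d === 1) return "+!![]";
  return Array(d).fill("!![]").join("+");
}

// Non-negative integer: concatenate one-element arrays ([1]+[0] -> "10"),
// then coerce the resulting string to a number with a leading plus.
function encodeInt(n) {
  if (!Number.isSafeInteger(n) || n < 0) throw new RangeError("non-negative integer expected");
  const parts = [...String(n)].map((c) => `[${digit(Number(c))}]`);
  return `+(${parts.join("+")})`;
}

// One character: index into the first source string that contains it.
function encodeChar(ch) {
  for (const [text, expr] of Object.entries(SOURCES)) {
    const i = text.indexOf(ch);
    if (i >= 0) return `(${expr})[${digit(i)}]`;
  }
  throw new RangeError(`"${ch}" is not reachable from the primitive strings`);
}

// A string of reachable characters: concatenate the per-character expressions.
function encodeString(s) {
  return [...s].map(encodeChar).join("+");
}

// Print each expansion, its length, the six-character check and its value.
for (const word of ["a", "defend"]) {
  const js = encodeString(word);
  console.log(word, js.length, ONLY_SIX.test(js), eval(js));
}
console.log(encodeInt(10), eval(encodeInt(10)));
```

Characters outside the four source strings raise a RangeError here; producing them needs the longer constructions the page mentions, which this example does not implement.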


Character table

The characters with the shortest JSFuck expansions are listed below. Other UTF-8 characters can be expressed as well but will generate considerably longer code:


Security

Lacking the distinct features of "usual" JavaScript, obfuscation techniques like JSFuck can assist malicious JavaScript code in bypassing intrusion prevention systems (Ré Medina, Matías A. (2012-09). Bypassing WAFs with non-alphanumeric XSS. Retrieved from http://blog.infobytesec.com/2012/09/bypassing-wafs-with-non-alphanumeric-xss.html) or content filters. For instance, the lack of alphanumeric characters in JSFuck and a flawed content filter allowed sellers to embed arbitrary JSFuck scripts in their eBay auction pages.
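A filter that keys on alphanumeric features has nothing to match in such input, but the six-character alphabet is itself a usable signal. The following heuristic is an added example, not code from the original page; the run-length threshold, the keyword list and both sample inputs are constructed assumptions.

```javascript
// Added example, not code from the original page. MIN_RUN, the keyword list
// and both sample inputs are constructed assumptions.
const MIN_RUN = 24;

// Keyword-style filter: looks for alphanumeric features of "usual" JavaScript.
function keywordFilterFlags(input) {
  return /\b(script|eval|function|alert|document)\b/i.test(input);
}

// Report runs made up solely of [ ] ( ) ! + that are at least minRun long.
function findJsfuckRuns(input, minRun = MIN_RUN) {
  // Whitespace between tokens does not change JavaScript, so remove it first.
  const compact = input.replace(/\s+/g, "");
  const runs = [];
  for (const m of compact.matchAll(new RegExp(`[\\[\\]()!+]{${minRun},}`, "g"))) {
    const run = m[0];
    // Heuristic: brackets, "!" and "+" must all occur, so a row of
    // exclamation marks or parentheses in ordinary text is not reported.
    if (["[", "]", "!", "+"].every((c) => run.includes(c))) {
      runs.push({ length: run.length, preview: run.slice(0, 15) });
    }
  }
  return runs;
}

// Constructed listing text embedding the page's expression for "a" four times.
const ENCODED_A = "(![]+[])[+!![]]";
const SUBMITTED = `<p>Great item</p><b>${Array(4).fill(ENCODED_A).join("+")}</b>`;
// Constructed ordinary text with brackets, arithmetic and a row of "!".
const BENIGN = "Total (10+5)! See notes [1] and [2]. Wow!!!!!!!!!!!!!!!!!!!!!!!!!!!!";

console.log(keywordFilterFlags(SUBMITTED), findJsfuckRuns(SUBMITTED));
console.log(keywordFilterFlags(BENIGN), findJsfuckRuns(BENIGN));
```

Because real JSFuck payloads run to thousands of characters, the threshold can be set well above anything ordinary text produces; the check belongs on input after any decoding the application performs.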


See also

* Brainfuck - an esoteric programming language created in 1993 by Urban Müller.


External links


* JSFuck - Write any JavaScript with 6 Characters: []()!+ – web application for encoding JavaScript to JSFuck
* JavaScript code of the aforementioned converter
* JScrewIt - Another tool to convert JavaScript to JSFuck, with environment-specific optimizations