Via Jim I discovered this four minutes of delight:
…and the mid-section about JavaScript behaviour is relevant to WAF bypass (previously, previously). There are many presentations and blog posts on the web about this, but I still delight in this sort of thing, so here are a couple of extracts:
From http://www.slideshare.net/nethemba/bypassing-web-application-firewalls
From http://security.bleurgh.net/javascript-without-letters-or-numbers
Understanding that this is possible is essential for web security work, because this is how injected code walks straight past a web application firewall.


Quite an eye-opener; and it doesn’t even get into the realms of true self-modifying or otherwise polymorphic code, but keeps to simple character substitution.
There’ll be a proof knocking around somewhere that all this turns into the Halting Problem – or at least, I’d like to think so.
Bottom line: there has to be a better way to do this stuff, which doesn’t involve client-side execution of server-supplied code. I’ve also picked up a copy of “Tangled Web”, and am finding it a real page-turner.
For readers who like this, I think you’ll also appreciate Rob Kendrick’s interesting examples of creative C abuse at https://docs.google.com/presentation/d/1h49gY3TSiayLMXYmRMaAEMl05FaJ-Z6jDOWOz3EsqqQ/edit?usp=sharing.