Community hub
0 subscribers7 pages, 0 posts
Recent from talks
All channels
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Welcome to the community hub built to collect knowledge and have discussions related to JSFuck.
Nothing was collected or created yet.
JSFuck
View on Wikipediafrom Wikipedia
JSFuck is an esoteric subset of JavaScript, where code is written using only six characters: [, ], (, ), !, and +. The name is derived from Brainfuck, an esoteric programming language that also uses a minimalistic alphabet of only punctuation. Unlike Brainfuck, which requires its own compiler or interpreter, JSFuck is valid JavaScript code, meaning that JSFuck programs can be run in any web browser or engine that interprets JavaScript. JSFuck is able to recreate all JavaScript functionality using such a limited set of characters because JavaScript allows the evaluation of any expression as any type.[1]
History
[edit]In July 2009, Yosuke Hasegawa created a web application called jjencode which could encode arbitrary JavaScript into an obfuscated form utilizing only the 18 symbols []()!+,\"$.:;_{}~=.[2][3] In January 2010, an informal competition was held in the "Obfuscation" forum of the sla.ckers.org web application security site to come up with a way to get the minimum number of characters required down to less than eight: []()!+,/. Contributors to the thread managed to eliminate the need for the , and / characters.[4] As of March 2010, an online encoder called JS-NoAlnum was available which utilized only the final set of six characters.[5] By the end of 2010, Hasegawa made a new encoder available named JSF*ck which also used only the minimum six characters.[6][7] In 2012, Martin Kleppe created a "jsfuck" project on GitHub,[8] and a JSFuck.com website with a web app using that implementation of the encoder.[9]
JSFuck can be used to bypass detection of malicious code submitted on websites, e.g. in cross-site scripting (XSS) attacks.[10] Another potential use of JSFuck lies in code obfuscation. An optimized version of JSFuck has been used to encode jQuery, a JavaScript library, into a fully functional version written with just the six characters.[11]
Encoding methods
[edit]JSFuck code is extremely "verbose": In JavaScript, the code alert("Hello World!"), which causes a pop-up window to open with the text "Hello world", is 21 characters long. In JSFuck, the same code has a length of 4325 characters.[12] Certain single characters require far more than 1000 characters when expanded as JSFuck. This section offers an overview of how this expansion works.
Numbers
[edit]The number 0 is created by +[], where [] is the empty array and + is the unary plus, used to convert the right side to a numeric value (zero here).
The number 1 is formed as +!![] or +!+[], where the boolean value true (expressed as !![] or !+[] in JSFuck) is converted into the numeric value 1 by the prepended plus sign.
The digits 2 to 9 are formed by summing true the appropriate number of times. E.g. in JavaScript true + true = 2 and true = !![] = !+[], hence 2 can be written as !![]+!![] or !+[]+!+[]. Other digits follow a similar pattern.
Integers consisting of two or more digits are written, as a string, by concatenating 1-digit arrays with the plus operator.
For example, the string "10" can be expressed in JavaScript as [1] + [0].
By replacing the digits with the respective JSFuck expansions, this yields [+!+[]]+[+[]].
To get a numeric value instead of a string, one would enclose the previous expression in parentheses or square brackets and prepend a plus, yielding 10 = +([+!+[]]+[+[]]).
Letters
[edit]Some letters can be obtained in JSFuck by accessing single characters in the string representations of simple boolean or numeric values like "false", "true", "NaN", "undefined" with an indexer (a number in square brackets). Other tricks are needed to produce other letters – for example by casting the string 1e1000 into a number, which gives Infinity, which in turn makes the letter y accessible.[13]
The following is a list of primitive values used as building blocks to produce the most simple letters.
Value JSFuck false![]true!![]or!+[]NaN+[![]]undefined[][[]]Infinity+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]])
Example: Creating the letter "a"
[edit]"a": Taken from the string "false". The second character of "false" is a, which can be accessed with:
"false"[1]."false"can be made fromfalse+[], i.e. the boolean constant false plus an empty array.(false+[])[1]: We write false as.(![]+[])[1]: 1 is a number, we can write it as+true.(![]+[])[+true]: Since false is![], true is!![].(![]+[])[+!![]]– which evaluates to "a".
Proof: In JavaScript, alert((![]+[])[+!![]]) does the same as alert("a").[14]
Other constructs
[edit]The Function constructor can be used to trigger execution of JavaScript code contained in a string as if it were native JavaScript. So, for example, the statement alert() is equivalent to Function("alert()")().
The Function constructor can be retrieved in JSFuck by accessing the constructor property of a well known function, such as []["filter"] (Array.prototype.filter), so alert() can be executed with []["filter"]["constructor"]("alert()")().
In modern browsers functions with shorter names are available, such as []["flat"] (Array.prototype.flat)[15] and []["at"] (Array.prototype.at).[16]
Character table
[edit]The characters with the shortest JSFuck expansions are listed below. Other UTF-8 characters can be expressed as well but will generate considerably longer code.
Character JSFuck +(+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[!+[]+!+[]].(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]0+[]1+!![]
or+!+[]2!![]+!![]
or!+[]+!+[]3!![]+!![]+!![]
or!+[]+!+[]+!+[]4!![]+!![]+!![]+!![]
or!+[]+!+[]+!+[]+!+[]5!![]+!![]+!![]+!![]+!![]
or!+[]+!+[]+!+[]+!+[]+!+[]6!![]+!![]+!![]+!![]+!![]+!![]
or!+[]+!+[]+!+[]+!+[]+!+[]+!+[]7!![]+!![]+!![]+!![]+!![]+!![]+!![]
or!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]8!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]
or!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]9!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]
or!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]a(![]+[])[+!+[]]c([]+[][(![]+[])[+!![]]+(!![]+[])[+[]]])[!![]+!![]+!![]]d([][[]]+[])[!+[]+!+[]]e(!![]+[])[!+[]+!+[]+!+[]]f(![]+[])[+[]]i([![]]+[][[]])[+!+[]+[+[]]]I(+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+(+!+[])+(+[])+(+[])+(+[]))+[])[+[]]l(![]+[])[!+[]+!+[]]N(+[![]]+[])[+[]]n([][[]]+[])[+!+[]]o(!![]+[][(![]+[])[+!![]]+(!![]+[])[+[]]])[+!![]+[+[]]]r(!+[]+[])[+!+[]]s(![]+[])[!+[]+!+[]+!+[]]t(!+[]+[])[+[]]u([][[]]+[])[+[]]y(+[![]]+[+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+(+!+[])+(+[])+(+[])+(+[]))])[+!+[]+[+[]]](([]+[][(![]+[])[+!![]]+(!![]+[])[+[]]])[+!![]+[]+(+!![])])([]+[][(![]+[])[+!![]]+(!![]+[])[+[]]])[+!![]+[]+(!![]+!![])]
Security
[edit]Lacking the distinct features of "usual" JavaScript, obfuscation techniques like JSFuck can assist malicious JavaScript code in bypassing intrusion prevention systems[17] or content filters. For instance, the lack of alphanumeric characters in JSFuck and a flawed content filter allowed sellers to embed arbitrary JSFuck scripts in their eBay auction pages.[10]
See also
[edit]References
[edit]- ^ Jane Bailey/The Daily WTF: "Bidding on Security". https://thedailywtf.com/articles/bidding-on-security
- ^ Hasegawa, Yosuke (2009-07-10). "jjencode - Encode any JavaScript program using only symbols". utf-8.jp. Archived from the original on 2009-07-15. Retrieved 2017-10-25.
- ^ Hasegawa, Yosuke (July 2009). "UTF-8.jp [2009-07-28]". utf-8.jp. Archived from the original on 2009-07-28. Retrieved 2017-10-25.
- ^ "Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code". sla.ckers.org. 2010-01-14. Archived from the original on 2011-03-01. Retrieved 2017-10-25.
- ^ "js-noalnum_com.php". discogscounter.getfreehosting.co.uk. Archived from the original on 2010-03-01. Retrieved 2017-10-25.
- ^ Aiko, Kenji (November 2010). "JSF*ck - []()!+". utf-8.jp. Archived from the original on 2010-12-01. Retrieved 2017-10-25.
- ^ Hasegawa, Yosuke (November 2010). "UTF-8.jp [2010-11-30]". utf-8.jp. Archived from the original on 2010-11-30. Retrieved 2017-10-25.
- ^ Kleppe, Martin (2012-07-16). "Commits · aemkei/jsfuck". github.com. Retrieved 2017-10-25.
- ^ Kleppe, Martin (September 2012). "Site report for www.jsfuck.com". toolbar.netcraft.com. Retrieved 2017-10-25.
- ^ a b Dan Goodin (3 February 2016). "eBay has no plans to fix "severe" bug that allows malware distribution [Updated]". Ars Technica.
- ^ https://github.com/fasttime/jquery-screwed jQuery JavaScript library made of only six different characters: ! ( ) + [ ]
- ^ "JScrewIt". JScrewIt. Retrieved 13 June 2021.
- ^ https://patriciopalladino.com/blog/2012/08/09/non-alphanumeric-javascript.html "Brainfuck Beware: JavaScript is after you!"
- ^ Adapted from: https://esolangs.org/wiki/JSFuck
- ^ Array.prototype.flat() compatibility data at MDN
- ^ Array.prototype.at() compatibility data at MDN
- ^ Ré Medina, Matías A. (2012-09). Bypassing WAFs with non-alphanumeric XSS. Retrieved from http://blog.infobytesec.com/2012/09/bypassing-wafs-with-non-alphanumeric-xss.html.
- ^ Easter, Brandee (2020-04-02). "Fully Human, Fully Machine: Rhetorics of Digital Disembodiment in Programming". Rhetoric Review. 39 (2): 202–215. doi:10.1080/07350198.2020.1727096. ISSN 0735-0198. S2CID 219665562.
External links
[edit]- JSFuck - Write any JavaScript with 6 Characters: []()!+ – web application for encoding JavaScript to JSFuck
- JavaScript code of the aforementioned converter
- JScrewIt - Another tool to convert JavaScript to JSFuck, with environment-specific optimizations
- Esolang - The esoteric programming languages wiki
JSFuck
View on Grokipediafrom Grokipedia
History and Development
Origins in Obfuscation
The practice of JavaScript obfuscation gained traction in the late 2000s as developers sought methods to conceal code for security or competitive purposes, often experimenting with non-alphanumeric symbols to evade detection or minimize readability. A pivotal early example was jjencode, a web-based encoder developed by Japanese security researcher Yosuke Hasegawa in July 2009.[1] jjencode transformed arbitrary JavaScript into an obfuscated form using 18 symbols—[]()!+,\"$.:;_{}~=—by exploiting the language's constructor functions, array manipulations, and type coercions to build executable code without letters or numbers. Intended more as a proof-of-concept than a robust security tool, it highlighted JavaScript's flexibility for symbol-only programming, though it was easily decodable and detectable by antivirus systems.
This innovation emerged amid a broader culture of JavaScript code golf and obfuscation challenges in online programming forums, where enthusiasts competed to produce the shortest or most cryptic code for given tasks. By the mid-2000s, communities on sites like Stack Overflow were hosting informal contests, such as a 2008 challenge to convert numbers to words in minimal bytes, encouraging clever abuses of JavaScript's loose typing and operator overloading.[2] These activities not only promoted creative problem-solving but also explored the language's underutilized features, like implicit conversions between primitives, laying groundwork for denser encodings. Hasegawa's own background in vulnerability research, including work on browser exploits, further contextualized jjencode as a tool bridging recreational coding with practical evasion techniques.[3]
jjencode drew conceptual inspiration from Brainfuck, an esoteric programming language invented in 1993 by Urban Müller to challenge programmers with extreme constraints. Brainfuck employs only eight symbols (+ - < > . , [ ]) for Turing-complete operations on an array-based memory model, emphasizing minimalism and the intellectual puzzle of implementation over practicality. This paradigm of reducing a full language to a tiny character set influenced JavaScript tinkerers to adapt similar ideas, translating Brainfuck's tape-manipulation logic into JS equivalents via arrays and loops while amplifying the obfuscatory potential through the host language's dynamic nature. Such esoteric roots underscored the shift from mere shortening to symbolic purity in JS obfuscation. These precursors in minimalistic encoding evolved into JSFuck through subsequent online competitions that pushed character limits even further.
Key Milestones and Creators
The development of JSFuck traces its origins to an informal competition held in January 2010 on the obfuscation forum of sla.ckers.org, where participants challenged each other to minimize the character set required to execute arbitrary JavaScript code in web browsers. Initially starting with sets of eight or more characters, contributors like sirdarckcat and thornmaker proposed proofs-of-concept using eight characters such as +![],()/, but .mario quickly advanced the effort by reducing it to seven characters (()[]!+,) and then, on January 10, to the definitive six: !+.[4] This breakthrough demonstrated that fully functional JavaScript could be constructed using only these operators and delimiters, leveraging type coercion and array manipulations to generate numbers, booleans, and strings without alphanumeric characters. By the end of 2010, Yosuke Hasegawa released an encoder named JSF*ck that used the same six characters to convert arbitrary JavaScript code. Building on these obfuscation techniques, Martin Kleppe formalized and popularized JSFuck in August 2012 through his open-source GitHub project, which provided a comprehensive encoder and decoder for converting standard JavaScript into the six-character format.[5] Kleppe simultaneously launched JSFuck.com, an interactive tool that became the canonical implementation, enabling users to experiment with and generate JSFuck code directly in browsers.[6] This project transformed the competition's experimental ideas into an accessible, educational resource, emphasizing JSFuck's role as an esoteric subset of JavaScript designed for code golfing and demonstrating the language's quirky evaluation behaviors.[7] From its inception, JSFuck was intended as an educational tool to highlight JavaScript's atomic building blocks—such as implicit conversions and constructor properties—while creating a minimal, Turing-complete dialect executable in standard browser environments without external dependencies.[6] Its name draws inspiration from Brainfuck, reflecting a similar focus on constrained, minimalist programming paradigms.[5]Fundamentals
Core Characters and Syntax
JSFuck restricts its source code to six characters—(, ), [, ], +, and !—selected for their ability to form fundamental JavaScript syntactic structures without requiring additional symbols.[6] This minimal set emerged from efforts to distill JavaScript to its essential expressive components, enabling the generation of any valid code through type coercions and operator interactions.[8]
The square brackets [ ] delimit array literals, with [] evaluating to an empty array object, a basic primitive in JavaScript.[6] Parentheses ( ) provide grouping for subexpressions or serve as delimiters for function invocations and constructor calls, ensuring proper evaluation order.[8] The plus sign + functions as a binary operator for numeric addition or string concatenation, and as a unary prefix to coerce its operand to a primitive number value.[6]
The exclamation mark ! acts as the unary logical NOT operator, first converting its operand to a boolean via the ToBoolean abstract operation and then inverting the result.[8] For instance, ![] yields false since the empty array [] is truthy under JavaScript's coercion rules, and negating it produces the boolean false; double negation !![] thus returns true.[6]
These characters' utility depends on JavaScript's dynamic type system, particularly its implicit coercions—such as converting arrays to strings via the toString method or to numbers via the unary plus—and the defined precedence of operators like ! (highest), unary +, and binary +.[8] Familiarity with these coercion behaviors and precedence rules is prerequisite for parsing JSFuck expressions, as they dictate how seemingly simple sequences resolve to complex values.[6]
Basic Building Blocks
The foundational expressions in JSFuck leverage JavaScript's type coercion rules, particularly the truthy and falsy behaviors of values, to generate primitive values using only the core characters: [, ], (, ), +, and !. An empty array[] is truthy in JavaScript, meaning it evaluates to true in a boolean context, while the logical NOT operator ! inverts this to produce falsy values. These mechanisms form the basis for constructing booleans and other primitives without direct literals.[6]
To generate the boolean false, the expression ![] is used. Here, the empty array [] is coerced to a truthy value, and applying ! negates it to false. This relies on JavaScript's operator precedence, where the unary ! has higher precedence than array creation.[6][9]
The boolean true is derived by double negation: !![]. The first ! yields false as above, and the second ! inverts it back to true, exploiting the same coercion rules. This pattern is efficient and avoids more complex constructions for the primitive.[6]
For undefined, the expression [][[]] accesses an empty array using another empty array as the property key, which does not exist, returning undefined. This demonstrates property access on arrays, where non-existent keys yield the undefined primitive, adhering strictly to the allowed characters without needing additional operators.[6]
Encoding Techniques
Generating Numbers
In JSFuck, the foundational numeric value of 0 is obtained by applying the unary plus operator to an empty array, as+[] coerces the array to the primitive number 0.[5]
The value 1 is derived from the boolean true, which—as established in the basic building blocks—is represented by double negation of the empty array as !![]; applying unary plus then yields +!![], equivalent to 1.[5]
Higher non-negative integers are constructed through repeated addition of 1 to itself; for instance, 2 is expressed as +!![]+!![], 3 as +!![]+!![]+!![], and so on, scaling to any desired positive integer by extending the chain of summations.[5][6]
These methods are inherently limited to non-negative integers, as JSFuck's atomic operations produce only positive whole numbers via addition without mechanisms for negation or decimal fractions in the core numeric generation.[5]
Constructing Strings and Letters
In JSFuck, strings are constructed primarily through type coercion and concatenation of primitive values, leveraging JavaScript's automatic conversions to generate textual content from the limited character set. The foundational string "false" is obtained by coercing the booleanfalse (derived from ![]) to a string via concatenation with an empty array, expressed as ![]+[], which evaluates to the string "false".[10] This base string serves as a primary source for extracting individual letters through array-like indexing, where positions are selected using numeric indices generated from boolean and arithmetic operations.
Letters are isolated by applying numeric indices to these base strings, treating them as character arrays. For instance, the letter "a" is constructed as (![]+[])[+!![]], where !![] evaluates to the boolean true (coerced to the number 1 via the unary + operator), selecting the character at position 1 of "false". Similarly, "s" is derived from the same base string at index 3: (![]+[])[!+[]+!+[]+!+[]], using a sequence of boolean negations and additions to form the index 3.[10] These indices rely on numbers generated through boolean manipulations, as outlined in the generation of numeric values. To expand beyond the limited characters in "false" (f, a, l, s, e), additional base strings are employed, such as "undefined" from [][[]]+[] (accessing an undefined property on an empty array and coercing to string), which provides u, n, d, e, f, i. Another key base is "[object Object]" from {} coerced to string via +[], yielding o, b, j, c, t.[8]
The full alphabet is assembled without redundancy by systematically indexing across these and other derived strings, ensuring each letter (a-z and A-Z) maps to a unique expression in the JSFuck character dictionary. For example, "i" can be obtained from "undefined"[11], while uppercase letters like "O" emerge from indexing "Object"[12] in a constructor-derived string. This approach covers the printable ASCII range (32-126) by combining up to seven base strings—"false", "true" (from !![]+[]), "undefined", "NaN" (from +[![]]), "Infinity", "[object Object]", and function-specific outputs like "constructor"—with precise indexing to avoid overlap and minimize length. The resulting mappings form a comprehensive lookup table used in JSFuck encoders to build arbitrary strings through repeated concatenation, such as forming "lun" as (![]+[])[!+[]+!+[]]+([][[]]+[])[+[]]+([][[]]+[])[+!+[]].[10][8]
Advanced Constructs and Functions
In JSFuck, advanced constructs enable the creation of dynamic, executable elements such as functions and objects by leveraging the Function constructor, which is accessed through array prototype methods. The core technique involves obtaining the Function constructor via the expression []["filter"]["constructor"], where the strings "filter" and "constructor" are formed using prior string encoding methods. This constructor allows the generation of new functions from encoded string representations of JavaScript code, facilitating code execution without direct use of eval.[5][13] To create an empty object, the Function constructor is invoked with a string that returns a literal object: []["filter"]["constructor"]("return {}")(). This approach circumvents the inability to use curly braces directly, as JSFuck restricts itself to the six characters. Similarly, other objects like regular expressions can be instantiated, for example, []["filter"]["constructor"]("return RegExp")()("pattern", "g"), demonstrating how the constructor serves as a gateway for object creation.[5] Method chaining in JSFuck extends these capabilities by composing operations on arrays and their prototypes. For instance, to invoke the alert function with an argument, an encoded string is passed to the constructor in a chained manner: []["filter"]["constructor"]("return alert")()("hello"). Here, the constructor first returns the alert function, which is then immediately called with the encoded "hello" string as its argument. This chaining pattern relies on JavaScript's flexible property access and function invocation, allowing complex behaviors like pop-up generation without explicit literals.[13] Array methods such as filter and reduce play a pivotal role in accessing constructors and performing accumulative operations. The filter method provides entry to the Function constructor, as noted, while reduce enables iterative construction of values or functions; for example, arrays can be reduced over encoded elements to build method calls or evaluate expressions dynamically. These methods, accessed via bracket notation with encoded property names (e.g., []["reduce"]), support the creation of higher-order functions and object manipulations essential for full program encoding. Strings for argument passing, built from earlier techniques, integrate seamlessly into these chains to parameterize calls.[5]Practical Examples
Simple Value Creations
JSFuck enables the creation of basic values like numbers and strings through clever exploitation of JavaScript's type coercion and operator precedence, relying solely on the six core characters. For instance, the number 1 is generated as+!+[], where !+[] evaluates to the boolean true (since +[] is 0, negated to true), and the unary + converts it to the integer 1.[6]
To encode the number 42, a chain of additions builds upon this foundation by summing 42 instances of 1, resulting in an expression like +!+[]+!+[]+... repeated 42 times (with parentheses for grouping if needed to ensure proper evaluation). This step-by-step accumulation demonstrates the technique's reliance on repeated binary + operations for arithmetic progression, starting from the atomic value of 1. While efficient for small numbers, scaling to larger values exponentially increases length due to the need for multiple additions.[14]
Strings in JSFuck are constructed by accessing characters from predefined strings derived from basic objects, such as "false" from ![]+[] or "true" from !![]+[]. For example, to encode the string "lead" using only basic primitives, individual letters are extracted and concatenated: 'l' as ("false")[2], 'e' as ("true")[3], 'a' as ("false")[1], and 'd' as ("undefined")[2] (from [][[]]+[]). The full string is thus (![]+[])[+!+[]+!+[]]+(!![]+[])[+!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+([][[]]+[])[+!+[]+!+[]], leveraging array indexing with numeric values like 1 (+!+[]), 2 (+!+[]+!+[]), and 3 (+!+[]+!+[]+!+[]). Note that not all letters can be obtained from these basic strings; characters like 'h' and 'o' require more advanced constructs, such as using toString methods on numbers in different bases.[6]
Verification of these encodings can be performed directly in a browser's developer console by pasting the JSFuck expression and pressing Enter; for example, entering the 42 encoding should output the number 42, confirming correct evaluation without errors. Similarly, the "lead" string will display as expected when evaluated.[6]
A common pitfall in manual JSFuck value creation is the trade-off between code length and readability: while encodings for simple values like 42 or "lead" are feasible, their verbosity (often hundreds of characters) makes them impractical for human inspection, emphasizing obfuscation over maintainability. Automated tools, such as those on the official JSFuck site, mitigate this by generating optimized versions, but hand-crafted ones require careful attention to operator precedence to avoid unintended coercions.[5]
Full Program Encodings
One prominent example of a full JSFuck program is the "Hello World" implementation, which executesalert("Hello World!") to display a popup message. This program relies on the Function constructor to dynamically create and invoke a function from an encoded string literal, structured as Function(encoded_string)(). The encoded string itself is a concatenation of individual character encodings derived from primitive values such as false (![]), true (!![]), undefined ([][[]]), NaN (+[![]]), and array indexing to extract letters from these primitives' string representations (e.g., "false" yields "f", "a", etc.).[8]
The original JSFuck encoder generates a complete encoding exceeding 22,000 characters for this program, reflecting the verbose nature of building each of the 21 characters in alert("Hello World!") plus surrounding syntax through repeated array accesses and concatenations.[15] Subsequent optimizations in tools like JScrewIt leverage browser-specific features, such as btoa for base64 encoding or Array.prototype.at for indexing, reducing the length to approximately 5,900 characters in compatible environments like Firefox while maintaining Turing-complete expressiveness. The execution flow begins with constructing boolean and numeric primitives, progresses to letter extraction via string coercion and indexing, assembles the full command string through additive concatenation, and culminates in the Function invocation, which evaluates the payload in the current scope.[15]
A simpler full program is the encoding of alert("JSFuck")(), which alerts the phrase "JSFuck" and serves as a self-referential demonstration. This uses the same Function constructor approach but requires fewer concatenations due to the shorter 6-character payload string, resulting in a length of around 1,756 characters in baseline implementations. The structure mirrors the Hello World example: primitives are generated first, followed by sequential building of "a", "l", "e", "r", "t", "(", ""JSFuck"", ")", and the trailing (), with the alert function accessed via the global object through encoded property chains.[6]
Tools for generating these full encodings include online converters such as the JSFuck demonstrator and JScrewIt, which automate the primitive-to-character mappings and optimization passes without requiring manual construction.[6][16]
Reference Materials
Character Encoding Table
The character encoding table provides a reference for basic JSFuck expressions to generate key printable ASCII characters from standard JavaScript primitives such as "false", "true", "undefined", and "NaN". These use only the six allowed characters[]()!+ and evaluate to the target character. Lengths are the number of characters in the expression. The table focuses on core letters and digits; more complex characters (e.g., missing letters like 'b', 'c', 'o', or uppercase A-Z, punctuation) require advanced techniques such as generating "[object Object]" via constructed objects or toString base conversions, often 20-50+ characters long. Full mappings and optimizations are in the original implementation.[5]
| Character | JSFuck Expression | Length | Base String Used |
|---|---|---|---|
| a | (![]+[])[+!+[]] | 14 | "false" |
| d | ([][[]]+[])[!+[]+!+[]] | 19 | "undefined" |
| e | (![]+[])[+!+[]+!+[]+!+[]+!+[]] | 24 | "false" |
| f | (![]+[])[+[]] | 12 | "false" |
| i | ([][[]]+[])[+!+[]+!+[]+!+[]] | 26 | "undefined" |
| l | (![]+[])[+!+[]+!+[]] | 18 | "false" |
| n | ([][[]]+[])[+!+[]] | 16 | "undefined" |
| r | (!![]+[])[+!+[]] | 15 | "true" |
| s | (![]+[])[+!+[]+!+[]+!+[]] | 22 | "false" |
| t | (!![]+[])[+[]] | 12 | "true" |
| u | (!![]+[])[+!+[]+!+[]] | 17 | "true" |
| N | (+[![]]+[])[+[]] | 14 | "NaN" |
| 0 | +[] | 3 | Number 0 |
| 1 | +!+[] | 5 | Number 1 |
| 2 | !+[]+!+[] | 9 | Number 2 |
| 3 | !+[]+!+[]+!+[] | 13 | Number 3 |
| 4 | !+[]+!+[]+!+[]+!+[] | 17 | Number 4 |
| 5 | !+[]+!+[]+!+[]+!+[]+!+[] | 21 | Number 5 |
| 6 | !+[]+!+[]+!+[]+!+[]+!+[]+!+[] | 25 | Number 6 |
| 7 | !+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[] | 29 | Number 7 |
| 8 | !+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[] | 33 | Number 8 |
| 9 | !+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[] | 37 | Number 9 |
toString or object representations, resulting in longer strings. Post-2012 optimizations in projects like JScrewIt have shortened some expressions using engine-specific features, such as flat() or Date(), e.g., reducing 'C' from ~47 to under 30 characters in compatible browsers (as of 2014).[5][17][16]
Common Patterns and Shortcuts
In JSFuck, caching frequently used values liketrue (!![]) and false (![]) avoids redundant constructions in longer encodings. These can be reused in expressions to minimize repetition, especially in complex builds.
Accessing the constructor property without direct strings involves generating property names (e.g., "filter") via character encodings, then using bracket notation on array prototypes, such as []['generated_filter_string']['generated_constructor_string'], to retrieve the Function constructor. This leverages shared prototype methods.[5]
Post-2012 developments introduced shorter variants using array methods like reduce and apply (with generated names) for multi-argument calls and chaining, enabling concise iterative builds and reducing code length over nested operations.[5]
Golfing tips emphasize minimizing length through atomic reuse and method optimizations for challenges. Prioritize repeated 1-additions for integers, base conversions like toString with generated bases (e.g., 36 for letters), and exponential constructs for large values like Infinity, referencing the encoding table for bases. Always ensure compatibility with JS engines.[5]
Applications and Implications
Educational and Esoteric Value
JSFuck serves as a valuable educational tool for illustrating JavaScript's type coercion mechanisms, where values are implicitly converted between types during operations, such as transforming arrays and booleans into strings via concatenation and indexing.[8] By constructing complex expressions solely from the characters[]()!+, it highlights operator overloading, particularly how the + operator handles both arithmetic and string concatenation based on operand types, and how [] enables array indexing to extract specific values.[18] This minimalistic approach fosters an understanding of JavaScript's atomic building blocks, encouraging learners to explore creative problem-solving without relying on conventional syntax.[6]
In the esoteric programming community, JSFuck is recognized as a Turing-complete subset of JavaScript, akin to Brainfuck in its emphasis on extreme minimalism but distinct in leveraging language-specific quirks like type coercion rather than a tape-based model.[8] Documented on esolangs.org, it exemplifies the community's interest in constrained languages that challenge programmers to encode functionality innovatively, with demonstrations including a 17,710-byte interpreter for a 3-cell Brainfuck variant to affirm its completeness.[8] Such efforts underscore JSFuck's role in esoteric circles as a bridge between practical scripting and theoretical computation limits.
As of 2025, JSFuck continues to inform teaching resources and puzzles that raise awareness of JavaScript's quirks, such as unexpected coercion behaviors that can lead to subtle bugs in production code.[19] Online encoders and interactive tools, like those on jsfuck.com, enable educators to demonstrate full program constructions, turning the encoding process into engaging challenges that reveal the language's under-the-hood logic.[6] These applications promote deeper comprehension of JavaScript internals, aiding developers in writing more robust code by anticipating coercion pitfalls.[13]
Security and Malicious Uses
JSFuck's use of only six innocuous characters—[, ], (, ), +, and !—enables attackers to craft arbitrary JavaScript payloads that evade content security policies and input sanitization mechanisms designed to block executable code. By leveraging JavaScript's type coercion and array manipulation, these "safe" characters can generate alphanumeric strings and execute functions without triggering keyword-based filters that target common malicious patterns like (XSS) attacks to inject code into web forms, comments, or descriptions where alphanumeric input is restricted or monitored.[20] A notable real-world incident occurred in 2016, when attackers exploited an XSS vulnerability on eBay's platform using JSFuck obfuscation to embed malicious code in auction item descriptions. Discovered by Check Point researchers, the flaw allowed remote JavaScript execution via permitted characters, bypassing eBay's validation filters and enabling phishing prompts or malware downloads disguised as legitimate apps, such as "discount tools" for buyers. Although eBay reported fewer than two malicious listings per million and implemented partial mitigations, the attack highlighted JSFuck's potential for widespread credential theft and malware distribution on high-traffic e-commerce sites, affecting both web and mobile users.[21][20] In the 2020s, JSFuck has featured prominently in large-scale campaigns like JSFireTruck, detected by Palo Alto Networks Unit 42 in 2025, where obfuscated injections compromised over 269,000 legitimate websites in a single month. These payloads, often appended to benign files, redirected users from search engine results to malware-hosting domains via hidden iframes, facilitating malvertising and drive-by downloads while evading static analysis. Detection remains challenging due to the technique's repetitive, non-semantic structure, which defeats signature-based web application firewalls (WAFs) reliant on pattern matching for known exploits; behavioral analysis and deobfuscation tools are required to unpack the coerced code, but they increase computational overhead. Mitigations include advanced WAF rules that flag anomalous character repetition or runtime execution monitoring, as well as client-side protections like content security policies (CSP) to restrict inline script evaluation.[22] Derivatives such as JScrew.it, introduced in 2015, extend JSFuck by optimizing encodings for brevity using the same six characters, resulting in shorter payloads that further complicate detection by reducing visual and pattern-based anomalies. This evolution heightens evasion potential in modern attacks, as concise obfuscation blends more seamlessly into legitimate traffic, demanding ongoing updates to security heuristics.[23]References
- Yosuke HASEGAWA. Engineer of NetAgent Co., Ltd. R&D department. Engineering ... JavaScript obfuscator "jjencode" and "aaencode". http://utf-8.jp/. In the ...
- JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code ...