Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 19, 2009 05:08PM

@kangax

Cool thanks and fixed!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JSReg sandbox challenge
Posted by: thornmaker
Date: July 19, 2009 09:44PM

x=1?'foo':'bar';alert(x) does not alert the same thing as x='foo';alert(x);

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 20, 2009 12:38AM

hmmm if I had to guess, I would say that's the Object Literals notation..

I can't find it, but I would guess it is between these:

numbers = new RegExp('(?:[0]|[1-9]\\d+)?(?:[.]?\\d+)+(?:[eE][+-]?\\d+)?'+spaces.source+'[:]?'),

and these:

strings = new RegExp(spaces.source+"(?:(?:['](?:\\\\[']|\\\\[\\r\\n]|[^'])*['])|(?:[\"](?:\\\\[\"]|\\\\[\\r\\n]|[^\"])*[\"]))"+spaces.source+'[:]?'),

for the [:]? and then here:
Quote

if (/[:]$/.test($strings)) {
    $strings = $strings.slice(0,-1);
    $strings = $strings.replace(/^\s+|\s+$/g,'');
    $strings = $strings.split("");
    $strings[1] = '$' + $strings[1];
    $strings[$strings.length-1] = '$' + $strings[$strings.length-1];
    return $strings.join("") + ':';
} else {
    return 'globals.string(' + $strings + ')';
}
so effectively all strings followed by a : will be transformed to $asdf$..

I think a specific notation for object literals would be good, leveraging the advantage of the tabulation toString(1) gives.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 20, 2009 02:45AM

@thornmaker

Oh yeah, doh! I forgot about ternaries, thanks

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 20, 2009 05:55AM

@thornmaker

Thanks! And....Fixed! :)
new RegExp('(?:'+operators.source+'|[(])'+spaces.source+'[{,]'+spaces.source+'(?:'+strings.source+'|'+numbers.source+')'+spaces.source+'[:]'

Re: JSReg sandbox challenge
Posted by: kangax
Date: July 20, 2009 09:55AM

Not sure if I can keep finding bugs much longer :)

({ 1: /foo/ })[1];

expected: /foo/
actual: /$foo$/

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 20, 2009 01:12PM

@kangax

Fixed thanks!

Hopefully that's because JSReg is getting better not that you're bored :)

Re: JSReg sandbox challenge
Posted by: kangax
Date: July 20, 2009 02:37PM

({ 1: [1,2,3] })[1][1];

expected: 2
actual: undefined

Re: JSReg sandbox challenge
Posted by: kangax
Date: July 20, 2009 02:39PM

Also, evaling non-string values should return them intact, IIRC.

eval(1); // TypeError (apparently trying to call String#replace on `1`)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 20, 2009 05:23PM

@kangax

Really good ones thanks! The eval(1) one is nice! I forgot to force the eval input into a string. All fixed

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 20, 2009 11:45PM

I was very excited when I saw this working..
a<--
lert(1)

but then I saw it only works on JSReg =(

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 20, 2009 11:50PM

wait, nvm.. it doesn't work.. weird

my PoC is this:

if(1)a<!--
lert(1)
-->

hehe :)

Greetz!!

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 21, 2009 12:01AM

also, finally is not detected

try{}finally{}

Re: JSReg sandbox challenge
Posted by: kangax
Date: July 21, 2009 12:06AM

Let's try to squeeze some more out of it

eval({}); // ReferenceError
eval(function(){}); // SyntaxError
({ 1: [1,{1:1},3] })[1][1][1]; // SyntaxError
RegExp++; // SyntaxError
[(function(){ return [1,{x:1},3] })()][1].x; // TypeError

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 21, 2009 12:07AM

this raises an exception and it's not passing the limit:
for(var i=0;i<20;i++)
alert(i)

Re: JSReg sandbox challenge
Posted by: kangax
Date: July 21, 2009 12:09AM

Whoops, the last one should of course be:

[(function(){ return [1,{x:1},3] })()][0][1].x; // TypeError

Re: JSReg sandbox challenge
Posted by: kangax
Date: July 21, 2009 12:13AM

Also,

Array; // TypeError
1 instanceof Number; // SyntaxError

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 21, 2009 12:48AM

also, gareth.. how can I make multiple instances of a script able to interact with each other?

for example..
x=1

and then
alert(x)

to alert(1)

apparently there's no "saved" state between function calls.

is there any way to do this?




Edited 1 time(s). Last edit at 07/21/2009 02:30AM by sirdarckcat.

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 21, 2009 02:27AM

it's not working on Opera?

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 21, 2009 02:41AM

@sirdarckcat @kangax

Awesome stuff :)

@sirdarckcat

If you reuse the same parser you should have all variables previously entered.
var parser = JSReg();
parser.eval('x=1;');
parser.eval('alert(x)'); //should work

I'm still working on the window object; when it's done you should also be able to extract that. There are two functions which allow you to set the window and document object within JSReg: setWindow and setDocument. Here is a code sample of how it works in Hackvertor:-

var parser = JSReg();
var html = '';
if (window.__defineSetter__) {
    var htmlLog = function(str) {
        html += str;
    }
    var obj = {
        $write$:htmlLog,
        $body$:htmlLog
    }
    obj.$body$.__defineSetter__('$innerHTML$',htmlLog);
    obj.__defineSetter__('$innerHTML$',htmlLog);
    parser.setDocument(obj);
}
try {
    parser.runCheck();
    var result = parser.eval(code);
}
catch (e) {
    alert(e.description||e);
}
if(html != '') {
    result += '\nHTML:'+html;
}
return result;

So the code above simply watches document.body.innerHTML, document.write etc. and returns the value assigned.

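The document shim described in the post above, as an added stand-alone example (not JSReg's or Hackvertor's own code): a fake document whose write/innerHTML sinks append to a log instead of touching the real DOM, built with Object.defineProperty rather than the legacy __defineSetter__, and with the property names unmangled (JSReg's $write$/$innerHTML$ renaming is assumed away here).

```javascript
// Added example, not part of JSReg or Hackvertor. A minimal "document" shim in
// the style of the htmlLog object: every write via document.write, document.writeln,
// document.innerHTML or document.body.innerHTML is captured into a string log, so
// sandboxed code can be run and the markup it *tried* to emit inspected afterwards.
function makeDocumentShim() {
  var html = '';                                   // accumulated markup
  function htmlLog(str) { html += String(str); }  // shared sink for every write

  var body = {};
  // Assigning body.innerHTML logs instead of rendering; reading returns the log.
  Object.defineProperty(body, 'innerHTML', {
    set: htmlLog,
    get: function () { return html; }
  });

  var doc = {
    write: htmlLog,
    writeln: function (s) { htmlLog(s + '\n'); },
    body: body
  };
  // document.innerHTML is not a real DOM property, but the Hackvertor code hooks it too.
  Object.defineProperty(doc, 'innerHTML', { set: htmlLog, get: function () { return html; } });

  return {
    document: doc,
    getHtml: function () { return html; },
    reset: function () { html = ''; }
  };
}

// Run fn against the shim instead of the real document. Mirrors the
// "result += '\nHTML:' + html" step: the caller sees both the return value and
// whatever HTML the code attempted to write. Exceptions are reported, not swallowed.
function runWithShim(fn) {
  var shim = makeDocumentShim();
  var result;
  try {
    result = fn(shim.document);
  } catch (e) {
    result = 'error: ' + (e.message || e);
  }
  var html = shim.getHtml();
  return { result: result, html: html, output: html ? result + '\nHTML:' + html : result };
}

// Constructed sample of "sandboxed" code: writes markup through two sinks, then returns.
function sample(document) {
  document.body.innerHTML = '<b>hi</b>';
  document.write('<img src=x>');
  return 42;
}
```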
Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 21, 2009 04:03AM

this doesn't work from firebug:
var parser = JSReg();
parser.eval('x=1;');
parser.eval('alert(x)'); //should work

I think because of the anti-global-escaping check haha.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 21, 2009 11:24AM

Ok lots of fixes

Quote

1 instanceof Number;

Fixed, but I need to make the correct Number object. I'm going to replace globals.number with Number instead.

Quote

var z={'a':1,'b':2};

Quote

var z={a:1,b:2};

Fixed. Improved the object ident regexp.

Quote

its not working on Opera?

Works now :)

Quote

Array; // TypeError

Fixed

Quote

[(function(){ return [1,{x:1},3] })()][0][1].x; // TypeError

This one was tough but I've fixed it :)

Quote

eval({}); // ReferenceError
eval(function(){}); // SyntaxError
({ 1: [1,{1:1},3] })[1][1][1]; // SyntaxError
RegExp++; // SyntaxError

All fixed. Eval now accounts for type

Quote

try{}finally{}

Fixed. Added finally to the statement regexp

Quote

for(var i=0;i<20;i++)
alert(i)

This wasn't actually an error but JSReg currently contains a low limit of Function calls and loops while testing. Now you get a confirm box to continue the loop if you like.

Quote

if(1)a<!--
lert(1)
-->

Very nice! And fixed :)

Quote

also, gareth.. how can I make multiple instances of a script to be able to interact with each other

This is still to do.

Once again thanks everyone! You guys rock

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 21, 2009 09:15PM

Weird error
([1,2]) ==> ([globals.gp(Number(1),Number(2))])

And the labels are set wrong.

for example:
asdf:for(;;){for(;;)break asdf;}alert(1);

is:

$asdf$:;var loop0=0;while(true)

and should be:

;var loop0=0;$asdf$:while(true)

Greetz!!

Re: JSReg sandbox challenge
Posted by: kangax
Date: July 21, 2009 10:27PM

It's becoming pretty hard to find bugs lately : )

({ '': 1 })['']; // undefined
0x50; // SyntaxError
(function(){ return arguments; })(); // undefined
switch('x'){case'x':1}; // SyntaxError (note lack of space after case)

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 21, 2009 10:41PM

(function(){ return arguments; })(); // undefined

That's interesting, you can actually implement the arguments.callee.caller chain without endangering the sandbox app (that's the main problem with my approach on http://sandbox.sirdarckcat.net/ since I make a lot of crazy hacks to avoid leaking the caller or the constructor).

Regarding the arguments required with native func:

Array().pop doesn't receive any args

Also, related to the last report:

(['aa','bb']).pop(1)

returns $aa$

This
1..toString()

toString should be respected at some point imho.

Btw gareth, I think you should change this:
var Number = window.Number;

for this:

var Number=function(){}
Number.prototype=window.Number;

this way you can change Number without modifying window.Number and 1 is still instance of your Number.

Greetz!!

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 22, 2009 05:19PM

@sirdarckcat @kangax

Thanks again!

Quote

([1,2]) ==> ([globals.gp(Number(1),Number(2))])

Fixed. This is a protection mechanism to stop assignments to __parent__ or something evil. I fixed the Array detection.

Quote

({ '': 1 })['']; // undefined
0x50; // SyntaxError
switch('x'){case'x':1}; // SyntaxError (note lack of space after case)

All fixed! Nice ones! I completely forgot about hex for numbers, I've added a new regexp to detect those.

Quote

(function(){ return arguments; })(); // undefined
1..toString()

These are unsupported at the moment. I plan to create the arguments object and allow it once I've locked it down. toString will be callable in future but not settable as a function. At least that's what I think at the moment.

Quote

var Number=function(){}
Number.prototype=window.Number;

There is logic to my madness :) Number(1) produces a typeof == number. Using a prototype does not. So this would break typeof for numbers :( unless you know of a better way of course.

Here is an interesting bug in JSReg which is also related to the prototypes. If you do [1] it creates a blank array without a number. This is because it thinks it is defining the length. But I'd have thought that calling the constructor without the new prefix would result in the same behaviour as []. Anyone any ideas on this?

Quote

asdf:for(;;){for(;;)break asdf;}alert(1);

Good catch! I didn't have time to fix this and I'm off to bed now so maybe tomorrow night

@sirdarckcat

I've added a new feature to JSReg which will allow you to change the value of this and therefore support javascript events more easily. The eval method has another argument which specifies the object for this. Here is a code sample of how it works:-

var obj = {};
parser.eval('this.x=123', obj);
alert(obj.x);//123 :)




Edited 1 time(s). Last edit at 07/22/2009 05:24PM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: July 22, 2009 11:30PM

thanks gareth!! =D
this works now on the htmlsandbox:

<script>window.m=1;</script>
<script>alert(this.m)</script>
<img src="ni:hao" onerror="alert(this.src)">

haha!! awesomeeeee




Edited 2 time(s). Last edit at 07/22/2009 11:32PM by sirdarckcat.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 23, 2009 10:54AM

JSReg now protects against "this" attacks:-

([],(new function(){
this.z=function(){
return this;
}
}).z)()

"this" is converted into a special property __this__, which returns $window$ when it leaks like above, so we have the same crazy javascript behaviour but with the safe window :) Also JSReg now supports saving of scope between eval calls. So this will now work:-

parser.eval("x=1")
parser.eval("alert(x)"); // alerts 1

If you require a new scope, then simply create a new parser:-
var scope1 = JSReg();
var scope2 = JSReg();

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 24, 2009 06:59AM

Ok JSReg now supports everything!

o={x:1};
(function(){ alert(this.x); }).apply(o,[]);

Let me know if I've missed anything or you can get an exploit

Re: JSReg sandbox challenge
Posted by: kangax
Date: July 24, 2009 10:09AM

How come `undefined` is being coerced to pseudo-window object (when invoking function with call/apply) and `null` isn't?
