
List:       websecurity
Subject:    [WEB SECURITY] Re: JSReg now on acid
From:       gaz Heyes <gazheyes () gmail ! com>
Date:       2010-03-25 12:15:31
Message-ID: 252dd75b1003250515m174a3ef1pfdfc979025483a4c () mail ! gmail ! com

Mario Heiderich just couldn't leave my challenge alone; what is it with you
Germans and contests, you always have to win, don't you?
Anyway, he got very close to breaking the sandbox. He found that I allowed
valueOf or toString as a property, so his vector:-
('',[].valueOf)()  returned window. Although the window object is returned,
it is quite difficult to exploit because you need to execute code somehow
and break out of the iframe to the parent or find a way to disable JSReg
(see Stefano's vectors). So I patched this by sandboxing valueOf and
toString, which are extremely dangerous anyway, so it's a good thing.

Not satisfied with getting window Mario decided to throw some regex from
hell at me:-
/[/*]*//1*alert(1)//[^/*]*/

My first reaction was thanks. WTF. Then, OK, let's write a regexp. WTF, how do I
do that.... Then finally:-
\\[(?:\\\\[\\]]|[^\\]])+\\]

regexpObj = new RegExp("(?:[\\/](?:\\[(?:\\\\[\\]]|[^\\]])+\\]|\\\\[\\/]|[^\\/*])(?:\\[(?:\\\\[\\]]|[^\\]])+|\\\\[\\/]|[^\\/])*?[\\/](?:[gmi]*))")


Because I have to handle /[/\]][[[[[[[[[[[[[[[[[[[[]/ like what he threw at
me on IM.

Finally, I have to say thanks to Mario for some awesome stuff. You came close,
but I beat you on penalties; you only win the penalty shoot-out by alerting
window.location, so the English win this round for now. Your move.


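The following is an added example, not code from the message above or from JSReg itself. It takes the regex-literal pattern exactly as posted and runs it over the two vectors quoted in the message, alongside a deliberately class-unaware pattern constructed here for contrast (it is an assumption for illustration, not the pre-patch JSReg pattern, which the message does not show). The point it makes visible: a script engine reads `/[/*]*/` as one complete regex literal, because a `/` inside a character class does not terminate the literal, so a tokenizer that stops at the first `/` disagrees with the engine about where the literal ends and about whether the `//` that follows opens a comment. The helper names `readLiteral`, `readJsreg` and `readNaive` are mine.

```javascript
// Added example: exercises the regex-literal pattern from the message.
// Not code from the original post or from JSReg; helper names and the
// "naive" contrast pattern are assumptions made here for illustration.

// The pattern exactly as posted in the message.
const JSREG_LITERAL_SRC =
  "(?:[\\/](?:\\[(?:\\\\[\\]]|[^\\]])+\\]|\\\\[\\/]|[^\\/*])(?:\\[(?:\\\\[\\]]|[^\\]])+|\\\\[\\/]|[^\\/])*?[\\/](?:[gmi]*))";

// A deliberately class-unaware pattern, constructed here for contrast.
// It is NOT the pre-patch JSReg pattern (the message does not show that one);
// it only shows what goes wrong when a tokenizer stops at the first
// unescaped "/" without knowing about [...] character classes.
const NAIVE_LITERAL_SRC = "\\/(?:\\\\\\/|[^\\/\\n])+\\/[gmi]*";

// Try to read a regex literal starting at position 0 of `src`.
// Returns { literal, rest } or null when `src` does not start with one.
function readLiteral(patternSrc, src) {
  const m = new RegExp("^" + patternSrc).exec(src);
  if (!m) return null;
  return { literal: m[0], rest: src.slice(m[0].length) };
}

const readJsreg = (src) => readLiteral(JSREG_LITERAL_SRC, src);
const readNaive = (src) => readLiteral(NAIVE_LITERAL_SRC, src);

// Constructed inputs: the two vectors quoted in the message plus two
// sanity cases that the posted pattern handles by design.
const SAMPLES = [
  "/[/*]*//1*alert(1)//[^/*]*/",     // Mario's vector: "/" inside a character class
  "/[/\\]][[[[[[[[[[[[[[[[[[[[]/",   // the IM vector: escaped "]" inside the class
  "/a\\/b/gi",                       // escaped slash plus flags
  "/* not a regex */",               // block comment: [^\/*] refuses a leading "*"
];

for (const s of SAMPLES) {
  const j = readJsreg(s);
  const n = readNaive(s);
  console.log(JSON.stringify(s));
  console.log("  posted pattern ->", j ? JSON.stringify(j.literal) : null);
  console.log("  naive pattern  ->", n ? JSON.stringify(n.literal) : null);
}
```

On the first vector the posted pattern stops at the closing `/` of `/[/*]*/`, which is also where the script engine stops, leaving `/1*alert(1)//[^/*]*/` to be read as a division followed by a comment; the naive pattern stops at `/[/` and hands the rest of the line, including the `alert(1)`, to whatever scans for `//` comments next. The leading `[^\/*]` in the posted pattern is what keeps `/*` from being mistaken for the start of a literal.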



