Firefox javascript sandboxing

Friday, 22 February 2008

As a technical challenge and maybe in future to allow Hackvertor to execute javascript code from the user. I decided to create a javascript sandbox.

It works by first running the code through a new Function constructor and tosource, the reason for this is that Firefox actually converts the code supplied e.g. ‘te\st’ becomes ‘test’ etc. Then a private function is created to handle the supplied code, it loops through global objects and assigns each of them as a local variable to remove dangerous functions. Underscores are removed from the code because I found it impossible to secure __parent__ as it cannot be redefined. The global Function is overwritten and the constructor to prevent access to new Function() calls.

Giorgio Maone found some excellent holes in my code which hopefully I’ve fixed now. Giorgio makes the excellent noscript simply the best Firefox extension on the net! Thanks Giorgio 🙂

Update…

Waldo on the slackers forum found some excellent vectors to slip through the sandbox. I’ve updated the script to take into account that there are millions of ways to return to the window object in Javascript. This time I’ve changed the sandbox to nullify the actual window object properties and restore them when the sandbox is run. Big thanks to Waldo for the awesome stuff, more of his sandbox breaking (for Facebook) can be viewed here.

So join in the fun and see if you can execute code:-
Firefox sandbox

Submit any alert executions here

The entry 'Firefox javascript sandboxing' was posted on February 22nd, 2008 at 7:35 pm and last modified on February 25th, 2008 at 11:13 am, and is filed under javascript, Security, xss. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

4 Responses to “Firefox javascript sandboxing”

  1. dmp writes:
    No. 1 — August 23rd, 2009 at 5:21 pm

    Can’t have your tester run.
    It always output “SyntaxError: syntax error” whatever you have it swallow.

    Either way, I’m curious about how you actually prevent access to __parent__ (I don’t think preventing “_” is enough).

  2. Gareth Heyes writes:
    No. 2 — August 23rd, 2009 at 9:39 pm

    @dmp

    Yeah I’ve moved on from this technique. I now use RegExps to rewrite code into a safe form of javascript, it’s still under development but it’s getting pretty good

    http://www.businessinfo.co.uk/labs/jsreg/jsreg.html

  3. dmp writes:
    No. 3 — August 24th, 2009 at 9:09 am

    Thanks Gareth.
    I don’t believe you can achieve anything secure (while still being useful) using regexps. There simply is too many ways to get back at the window.
    Have you looked into Narcissus?

  4. Gareth Heyes writes:
    No. 4 — August 24th, 2009 at 9:38 am

    @dmp

    I won’t say that it is easy but I do think it is possible, the only difficulty I’m having at the moment is the [] syntax. Once I can successfully identify arrays and objects using [] then it should be pretty secure.

    I’ve not looked into Narcissus, I guess you need to run that on the server which is one of the downsides, I wanted a client side base solution.

«
»