JSReg update

Big thanks!

I’ve done lots of updates to JSReg with some fantastic help from kangax, sirdarckcat, Thornmaker and mario.

Mario found some cool parsing bugs, sirdarckcat helped with some exploits that assigned to window 🙂 and also provided some awesome code ideas and bugs. Thornmaker found ternarys cause problems with my object detection. I’d also like to thank Achim who helped me find a recursive regexp when he tested it on other browsers. Finally kangax’s input has been great providing me with some headaches trying to match RegExps that look like comments and many other parsing bugs. Thanks a lot guys! You’ve been awesome!

A lot has changed since my last post, it’s getting closer and closer to be used in real world applications and my new version of Hackvertor 🙂 I didn’t expect to be able to parse as much code as it currently does and manage to keep the RegExps small. I try to match as little as possible as Javascript is a complex language.

How it works

In case you don’t know, JSReg is a Javascript sandbox with a difference. It uses Javascript itself to safely parse the code using regular expressions. This means that some features are removed from the Javascript language while in the sandbox, examples of these are access to the DOM like document.body etc. and Object methods like valueOf and toString. The goal is to produce safe Javascript from a untrusted source.

To see how it works check the following example:-

a='a';eval(\u0061+'\x6c\x65\x72\x74\x28\u0034\x32\u0029');

The code assigns the letter “a” to a variable of “a”. Then the eval function is used with a unicode escape which translates to the variable “a” then it’s concatenated with various escapes to produce alert(42).

Here is the JSReg’d version:-

var $a$,$eval$;
$a$=globals.string('a');$eval$($a$+globals.string('\x6c\x65\x72\x74\x28\u0034\x32\u0029'));

So the rewriter identifies dangerous strings and converts them into safe strings. In this instance eval is renamed $eval$ which is a custom JSReg function that translates the content sent to it. All variables used are declared at the top which prevents them being assigned to the global window space. globals.string etc are a special JSReg object which defines a new prototyped version of String etc. to allow you to call whitelisted methods of the object.

Interface

That’s the basic idea of how JSReg works, the interface contains six textareas which shows the result of the JSReg evaluation. The first box is your code input, second is the JSReg conversion of your input, globals.eval contains the result of an eval operation and the code which has been rewritten, globals.function contains a similar output to eval but with Function code when calling new Function, the result returns the evaluated result after the code has been converted and the globals box at the bottom lists any global variables that might have escaped the sandbox.

Future and development

I always thought it was possible to use untrusted Javascript within Javascript itself, many other solutions had other languages as a requirement. I think JSReg is definitely getting there now after many of failed attempts. I plan to integrate sirdarckcat’s HTML parser too in future, to allow safe access to the DOM. Best of all I’m giving away this code, you can use it freely on your web site 🙂 So please get involved! Find a exploit or a parsing error and help produce a native Javascript sandbox which is free for everybody to use.

Try out JSReg