Published 16 years 2 months ago • Last updated March 22, 2025 • ⏱️ 2 min read
Over the weekend Stefano Di Paola broke my JSReg sandbox with some awesome vectors in particular the Opera one. He took my challenge after I laid down the gauntlet on the web app sec list. If you have some sandbox you want breaking, some Flash you need testing or general pen test work you should hire this guy he is awesome.
I patched JSReg by removing the prototype, callee, caller from the allowed properties, hopefully this will stop future attacks using this method until I can work out a way to use these safely. Then I got a bunch of great suggestions from Thornmaker and SDC, that made so much sense I reworked the recent Hackvertor code to modify the Object protoype. So now Hackvertor tags can call each other easily using this method for example:-
<pre lang="javascript"> 'abc'.HV('reverse').HV('base64',Array('encode')) </pre>The API is extended further where you can include data and share it across tags, this is super useful when creating a standard list of XSS vectors, Unicode characters, shellcode whatever you like! First the example shows how a tag can be used to return array data. The second example shows how you can use this data within tags.
What's great about this is that the data can also now be used externally, you can embed the sandbox from an external site and use your data. Of course using untrusted tags poses a risk that I'll need to account for but if you only use your own tags it should be pretty safe to use them for fuzzers or other data.
Here is how to embed my version of Hackvertor tags:-
<pre lang="javascript"> <script src="http://hackvertor.co.uk/export?id=1"></script> <script type="text/javascript"> window.onload = function() { parser = JSReg.create(); try { parser.extendObject('$HV$',(function(tags) { return function(tagName, args) { if(!tags.hasOwnProperty(tagName)) { return null; } return tags[tagName].execTag(this,function(output){ return output; },args); } })(window.Hackvertor.tags) ); //EXECUTE YOUR OWN CODE HERE parser.eval("alert('abc'.HV('reverse'))"); } catch (e) { alert(e); } } </script> </pre>At the moment Hackvertor doesn't have all the tags the previous one had yet but why not help out and build a security tool together in the first coding social network.