JSReg bypasses



Author:

Gareth Heyes

@hackvertor

Published: Sun, 31 Oct 2010 14:54:27 GMT
Updated: Thu, 03 Apr 2025 19:28:42 GMT

I set a cool Hackvertor challenge on slackers. The idea was to call the function defined in window. There is a perfectly legitimate way of doing this; I discovered the method when I was testing it and, instead of fixing it, I created the challenge. Stefano Di Paola of course figured it out, nice work :) However, something happened that I wasn't expecting: Soroush Dalili solved the challenge by breaking the sandbox instead! Not just once, may I add, but twice. This was really awesome on a number of levels, so I awarded him 2000 HV points. I was impressed.

Bypass 1 - RegEx rewrite error

; b=1/alert('Soroush Dalili Bypass! \n'+window.document.location);alert(window.parent.execTag()) //

So here Soroush cleverly exploits two errors in JSReg. The first is the failure to strip the single-line comment, which then fools the regex rule into thinking that the code is a regex object and not function calls. The patch for this is displayed here: I change the regex not to work in multi-line mode, which successfully removes the single-line comment. It isn't an ideal fix, as the regex rule still shouldn't have matched it as a regex object, but it will work in the short term until I revise the regex code.

Bypass 2 - eval object type hack

b='x='+String([eval])+';window.parent.execTag();'; y=eval([b]);

Another clever trick: the string is placed inside of an array. When the eval function was called, the sandbox used to check the object type: if it was a string then it rewrote the code; if not, it was assumed to be an already rewritten string. I didn't expect an array to be used in this context, so this effectively bypasses the sandbox. The fix for this one was to check specifically for a function object, or otherwise rewrite the string.
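To make the type-check mistake behind bypass 2 concrete, here is an added example that is not JSReg's own code: rewriteForSandbox is a stand-in for the real rewriter that only prefixes identifiers with "$" so untreated code is easy to spot, and the hypothetical sandboxPrelude string stands for whatever the sandbox prepends before the real eval. The vulnerable wrapper rewrites only primitive strings and lets everything else be coerced later; the fixed wrapper coerces first and rewrites anything that is not a genuine function object.

```javascript
// Stand-in for the sandbox rewriter (assumption, not JSReg's algorithm):
// every identifier gets a "$" prefix, so code that skipped rewriting
// is visible as a bare identifier in the output.
function rewriteForSandbox(code) {
  return code.replace(/[A-Za-z_$][\w$]*/g, (id) => '$' + id);
}

// Vulnerable check: only typeof === 'string' is rewritten. Anything else is
// "assumed to be already rewritten" and is coerced to a string by the
// concatenation below, so an array wrapping a string reaches the real eval
// with its contents untouched.
function sandboxEvalVulnerable(arg) {
  const code = (typeof arg === 'string') ? rewriteForSandbox(arg) : arg;
  return 'sandboxPrelude; ' + code; // coercion happens here, after the check
}

// Fixed check: only a genuine function object is passed through unchanged;
// every other value is coerced to a string first and then rewritten, so
// there is no type that can reach the real eval without treatment.
function sandboxEvalFixed(arg) {
  if (typeof arg === 'function') return arg;
  return 'sandboxPrelude; ' + rewriteForSandbox(String(arg));
}

// Constructed sample input: the string the bypass hides inside an array.
const wrapped = ['window.parent.execTag()'];
console.log(sandboxEvalVulnerable(wrapped)); // identifiers arrive unrewritten
console.log(sandboxEvalFixed(wrapped));      // identifiers are all prefixed
```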

I challenged many security researchers to break this sandbox and only a few have succeeded; I admire their skill and dedication. I would like to thank Soroush Dalili for taking the time to break JSReg and show some obviously excellent JS sandbox skills.
