JSReg bypasses

I set a cool Hackvertor challenge on slackers. The idea was to call the function defined in window. There is a perfectly legitimate way of doing this as I discovered the method when I was testing it, instead of fixing it I created the challenge. Stefano Di Paola of course figured it out, nice work 🙂 however something happened that I wasn’t expecting, Soroush Dalili solved the challenge by breaking the sandbox instead! Not just once may I add but twice. This was really awesome on a number of levels and so I awarded him 2000 HV points. I was impressed.

Bypass 1 – RegEx rewrite error

b=1/alert('Soroush Dalili Bypass! \n'+window.document.location);alert(window.parent.execTag())

So here Soroush cleverly exploits two errors in JSReg, first is the failure to strip the single line comment which then fools the regex rule into thinking that the code is a regex object and not function calls. The patch for this is displayed here I change the regex not to work in multi-line mode which successfully removes the single line comment. It isn’t an ideal fix as the regex rule still shouldn’t have matched it as a regex object but it will work in the short term until I revise the regex code.

Bypass 2 – eval object type hack


Another clever trick, the string is placed inside of an array and when the eval function is called it used to check the object type if it was a string then it rewrote the code if not it was assumed to be a already rewritten string however I didn’t expect an array to be used in this context so this would effectively bypass the sandbox. The fix for this one was to check specifically for a function object or rewrite the string.

I challenged many security researchers to break this sandbox and only a few have succeeded, I admire their skill and dedication. I would like to thank Soroush Dalili for taking the time to break JSReg and show some obvious excellent js sandbox skills.

Comments are closed :( too much spam. If you want to contact me about any article please email or tweet me.