JSReg bypasses

I set a cool Hackvertor challenge on slackers. The idea was to call the function defined in window. There is a perfectly legitimate way of doing this as I discovered the method when I was testing it, instead of fixing it I created the challenge. Stefano Di Paola of course figured it out, nice work 🙂 however something happened that I wasn’t expecting, Soroush Dalili solved the challenge by breaking the sandbox instead! Not just once may I add but twice. This was really awesome on a number of levels and so I awarded him 2000 HV points. I was impressed.

Bypass 1 – RegEx rewrite error


;
b=1/alert('Soroush Dalili Bypass! \n'+window.document.location);alert(window.parent.execTag())
//


So here Soroush cleverly exploits two errors in JSReg, first is the failure to strip the single line comment which then fools the regex rule into thinking that the code is a regex object and not function calls. The patch for this is displayed here I change the regex not to work in multi-line mode which successfully removes the single line comment. It isn’t an ideal fix as the regex rule still shouldn’t have matched it as a regex object but it will work in the short term until I revise the regex code.

Bypass 2 – eval object type hack


b='x='+String([eval])+';window.parent.execTag();'
y=eval([b]);


Another clever trick, the string is placed inside of an array and when the eval function is called it used to check the object type if it was a string then it rewrote the code if not it was assumed to be a already rewritten string however I didn’t expect an array to be used in this context so this would effectively bypass the sandbox. The fix for this one was to check specifically for a function object or rewrite the string.

I challenged many security researchers to break this sandbox and only a few have succeeded, I admire their skill and dedication. I would like to thank Soroush Dalili for taking the time to break JSReg and show some obvious excellent js sandbox skills.