Published 13 years 8 months ago • Last updated April 14, 2025 • ⏱️ < 1 min read
I was asked for a "real" exploit on Caja by one of the devs after my previous post. I opened up my custom caja hacker inspector and inspected the window or fake window. I began looking through each object/function and noticed the setTimeout code. I wondered if they made the same mistake as me and checked the argument for a string. They did :O. The interesting thing about JavaScript objects is that sometimes an object is really a string like when you use an array on a function that can accept a string value because it's automatically converted. The exploit is dead simple and instead of passing a string to setTimeout I pass an array pretty much like the one that pwnd JSReg by Soroush Dalili. We can now execute any JavaScript and bypass the sandbox because the sandboxed setTimeout function specifically checks for a string type but forgets the array literal.
<script> setTimeout(['alert(location)']);//alerts the current location bypassing the sandbox </script>
This works on Caja Rev 5047 built on 2012-09-13 15:28:30. I have now pwnd every JavaScript sandbox. Achievement unlocked.