Cross browser javascript sandbox

I think I’ve managed to create a good sandboxing system using the same-origin policy. The only downside is that it uses new windows to prevent top.location assignments. It works by injecting code into another domain (sandbox.businessinfo.co.uk), executing the code in the context of that domain, and returning the result of the code to the original domain in the location.hash.

As SOP is used, the sandbox shouldn’t be bypassable without a browser exploit; sure, you could change the window reference, but the result would always be a string. The domain sandbox.businessinfo.co.uk is vulnerable, though, as it allows you to execute code; this could perhaps be minimized using referrer checking, which I may add in future.

So the question is: can you beat it, by injecting code into the sandbox that will control the parent? For example, it was vulnerable to modifying the parent location by passing “top.location=1”; this has now been closed.

Update…

I found and fixed an exploit myself. Using opener.location=1, it was possible to control the parent location. I’ve closed this by removing the opener from the sandbox.
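To make the mechanism above concrete, here is an added example (not the code behind the demo) modelling the two ends of the location.hash return channel and the opener fix from the update. Function names, the indirect-eval choice and the `neutraliseOpener` step are assumptions; the original sandbox may differ in detail.

```javascript
// Added example, not the original sandbox code. All names are assumptions.

// Sandbox side, served from the sandbox origin. The untrusted code runs via
// an indirect eval so it executes in that origin's global scope, and whatever
// comes back (a value or an exception) is coerced to a string before it is
// written into the fragment. That coercion is the property the post relies
// on: nothing but text can travel back to the opener's domain.
function sandboxEvaluate(code) {
  let result;
  try {
    result = (0, eval)(code);
  } catch (e) {
    result = 'error: ' + (e instanceof Error ? e.message : String(e));
  }
  return '#' + encodeURIComponent(String(result));
}

// Parent side, on the original domain. Decodes the fragment back into the
// result string. It never evaluates that string, so a sandboxed script cannot
// smuggle executable code back across the boundary through this channel.
function parseSandboxResult(hash) {
  if (typeof hash !== 'string' || hash.charAt(0) !== '#') {
    return null;
  }
  return decodeURIComponent(hash.slice(1));
}

// Round trip through both ends, as it would look once the sandbox window has
// handed the fragment back to a page on the parent origin.
function roundTrip(code) {
  return parseSandboxResult(sandboxEvaluate(code));
}

// Models the fix from the update: the sandbox page drops its own `opener`
// reference before evaluating anything, so `opener.location=...` inside the
// sandbox has nothing to navigate. Takes the window object as a parameter so
// it can be exercised outside a browser (assumption: some browsers make the
// property read-only, hence the try/catch).
function neutraliseOpener(win) {
  try {
    win.opener = null;
  } catch (e) {
    // Leave it; the return value reports whether the reference is gone.
  }
  return win.opener == null;
}
```

Note that even with `opener` removed and `top` pointing at the sandbox window itself, the sandbox origin still executes arbitrary code from its fragment, which is the weakness the referrer check in the comments tries to narrow.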

Demo here

5 Responses to “Cross browser javascript sandbox”

  1. thornmaker writes:

    Spent some time playing with this tonight with SDC. No breakouts so far. Amazing how simple the code is.

  2. Gareth Heyes writes:

    Cool thanks, let me know if you find one 🙂 Simple is always better

  3. Gareth Heyes writes:

    I’ve improved the sandbox by checking referrers, this should remove the need for a site vulnerable to XSS.

    This won’t be allowed:-
    http://sandbox.businessinfo.co.uk/labs/sandbox/sandbox.php#alert(1)

    But the sandbox will still work when originating from the correct site.

  4. Gareth Heyes writes:

    Do not use this sandbox, the concept is broken. I’ve created a new sandbox based on RegExps, use this instead:-

    http://www.businessinfo.co.uk/labs/jsreg/jsreg.html

  5. Elijah Grey writes:

    I have created a JavaScript sandboxing library that uses web worker threads. It’s called JSandbox.