This is an important post for me, not because it’s ground breaking but people don’t seem to get this when using data in certain context. If you are a dev please read this and read it until you understand it because if you misidentify context you fail and you fail pretty badly.
I reported this to [...]
I had fun at Confidence 2.0 CON, I’m gonna blog about the stuff I was holding back now
So I figured how to bypass CSP with UTF-7 and JSON. Basically any site with a JSON feed that can be manipulated by an attacker (reflective or persistent) can be injected with even in a correctly [...]
I discovered a long time ago that the Javascript specification actually encourages the global RegExp object to retain the properties from the last execution of the regular expression parser. This is quite funny and stupid because as we move forward and sites start to share the same Javascript space we will leak information that we [...]
Not posted for a while because I couldn’t think of anything interesting to say but I thought about something I found ages ago in PHP4 and it’s been long enough now. This is also quite funny because my server is vulnerable to this (that’s what I get for crappy hosting).
So what happens if you escape [...]
For some random reason I was making a base999 number compression function, I think it was because someone posted on sla.ckers about base 62. I wanted to see how far I could compress the numbers using a higher range of characters, then it hit me. Why not use it for js compression
You see [...]
So there’s a well known technique for getting Object prototypes that are not from the current window which results in a fresh prototype. You use iframes to copy the required prototype from the iframe.contentWindow BUT…It doesn’t work in all browsers and it’s pretty silly having to copy each object manually, why not just use the [...]
JSReg has grown up a bit since I released the first version. You can now use it to monitor malicious javascript. I have a very basic example of this in Hackvertor, at the moment Hackvertor doesn’t support callbacks so it’s a bit of a hack but you will get the idea.
I use __defineSetter__ to [...]
Big thanks!
I’ve done lots of updates to JSReg with some fantastic help from kangax, sirdarckcat, Thornmaker and mario.
Mario found some cool parsing bugs, sirdarckcat helped with some exploits that assigned to window and also provided some awesome code ideas and bugs. Thornmaker found ternarys cause problems with my object detection. I’d also like [...]
This is the first time I’ve looked at the Firefox source, really! I wanted to find all the hidden properties Firefox has in Javascript. It was first pointed out to me by DoctorDan on the slackers forums when he found that the RegExp literal had a -1 value for the source in Firefox 2. [...]
I’ve been slowly developing JSReg over the last few months and I’ve dropped lots of code and redone it many times. This latest version is a code rewriter and will sandbox most javascript properties and the goal is to produce a complete locked down version (which can be improved upon later).
So far it’s going well, [...]