[cap-talk] [Caja] Re: JavaScript hacks
David-Sarah Hopwood
david-sarah at jacaranda.org
Sat Apr 25 20:20:22 EDT 2009
[Apologies if this is a duplicate. I'm having problems with various list
subscriptions at the moment due to changing addresses.]
Ben Laurie wrote:
> [+google-caja-discuss]
>
> On Sat, Apr 25, 2009 at 11:07 AM, Sandro Magi <naasking at higherlogics.com> wrote:
>> Some interesting JavaScript hacks are discussed on this page:
>>
>> http://dev.opera.com/articles/view/opera-javascript-for-hackers-1/
>>
>> Examples such as executing arbitrary code from a regex and using Unicode
>> escaped function names, etc. This is certainly relevant in the context
>> of Caja.
Sorry to be a killjoy, but I'm not sure why any of these are interesting.
"RegExp replace can execute code":
The author seems to be surprised at behaviour common to all languages
with first-class functions. Anyway, no imaginative hackery using regexps
is needed to exploit a page that does this:
<script>somevariableUnfiltered="YOUR INPUT"</script>
For example, just use:
<script>somevariableUnfiltered=""+function(){ ... }()+""</script>
"Unicode escapes":
Well-known and obvious. IIRC, all of the secure subsets disallow
escapes in identifiers.
"JavaScript parser engine", "Throw, Delete what?",
"Global objects are statements":
I don't see anything that JavaScript is doing differently from
other imperative languages with exceptions in any of these examples.
"Getters/Setters fun":
How could you get into the position of putting a setter on a global
variable unless the page is already toast?
"Location allows url encoding":
Obvious. Multiple layers of escaping to evade (very naive) filters
is also obvious.
--
David-Sarah Hopwood ⚥
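As an added illustration of two points in the reply above (not code from the thread, from Caja, or from the Opera article): a check of the kind a secure JavaScript subset applies, rejecting identifiers that contain Unicode escapes because `\u0065val` and `eval` name the same binding, together with the plain first-class-function behaviour behind "RegExp replace can execute code". The identifier scanner is a deliberately crude regex over raw source text (it does not skip string literals); a real subset checker works on the parser's token stream.

```javascript
// Added example: a minimal "no Unicode escapes in identifiers" check plus a
// demonstration that String.prototype.replace simply calls its function
// argument per match. Assumption: scanning raw source with a token-like regex
// is enough for illustration; it will also flag \uXXXX inside string literals.

// An identifier-like run that may contain \uXXXX escapes in any position.
const IDENT_WITH_ESCAPES =
  /(?:[A-Za-z_$]|\\u[0-9A-Fa-f]{4})(?:[A-Za-z0-9_$]|\\u[0-9A-Fa-f]{4})*/g;

// Returns every identifier-like token that contains at least one escape,
// with the escapes decoded so a reviewer sees which name is really meant.
function findEscapedIdentifiers(source) {
  const hits = [];
  for (const m of source.matchAll(IDENT_WITH_ESCAPES)) {
    if (!m[0].includes('\\u')) continue;
    const decoded = m[0].replace(/\\u([0-9A-Fa-f]{4})/g,
      (_, hex) => String.fromCharCode(parseInt(hex, 16)));
    hits.push({ raw: m[0], decoded, index: m.index });
  }
  return hits;
}

// A secure subset would refuse the source outright rather than decode it.
function acceptSource(source) {
  return findEscapedIdentifiers(source).length === 0;
}

// replace() with a function argument invokes that function once per match;
// nothing regex-specific is happening, it is an ordinary callback.
function countReplaceCallbacks(text, pattern) {
  let calls = 0;
  text.replace(pattern, (match) => { calls += 1; return match; });
  return calls;
}

// Constructed sample inputs.
console.log(findEscapedIdentifiers('\\u0065val("1")'));   // decoded: "eval"
console.log(acceptSource('var total = price * qty;'));   // true
console.log(countReplaceCallbacks('a-b-c', /-/g));        // 2
```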