[cap-talk] [Caja] Re: JavaScript hacks

David-Sarah Hopwood david-sarah at jacaranda.org
Sat Apr 25 20:20:22 EDT 2009


[Apologies if this is a duplicate. I'm having problems with various list
subscriptions at the moment due to changing addresses.]

Ben Laurie wrote:
> [+google-caja-discuss]
> 
> On Sat, Apr 25, 2009 at 11:07 AM, Sandro Magi <naasking at higherlogics.com> wrote:
>> Some interesting JavaScript hacks are discussed on this page:
>>
>> http://dev.opera.com/articles/view/opera-javascript-for-hackers-1/
>>
>> Examples such as executing arbitrary code from a regex and using Unicode
>> escaped function names, etc. This is certainly relevant in the context
>> of Caja.

Sorry to be a killjoy, but I'm not sure why any of these are interesting.

"RegExp replace can execute code":
  The author seems to be surprised at behaviour common to all languages
  with first-class functions. Anyway, no imaginative hackery using regexps
  is needed to exploit a page that does this:
    <script>somevariableUnfiltered="YOUR INPUT"</script>

  For example, just use:
    <script>somevariableUnfiltered=""+function(){ ... }()+""</script>

"Unicode escapes":
  Well-known and obvious. IIRC, all of the secure subsets disallow
  escapes in identifiers.

"JavaScript parser engine", "Throw, Delete what?",
"Global objects are statements":
  I don't see anything that JavaScript is doing differently from
  other imperative languages with exceptions in any of these examples.

"Getters/Setters fun":
  How could you get into the position of putting a setter on a global
  variable unless the page is already toast?

"Location allows url encoding":
  Obvious. Multiple layers of escaping to evade (very naive) filters
  is also obvious.

-- 
David-Sarah Hopwood ⚥
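The unescaped-interpolation pattern the reply points at, beside a safe way to embed untrusted data in a script context, as an added example that is not from the original post or from the Caja project. The function names (naiveEmbed, safeEmbed, breaksOut, isSingleStringLiteral) are hypothetical and the inputs are constructed.

```javascript
// Added example, not from the thread or from Caja. Names are hypothetical.

// The pattern criticised in the reply: raw interpolation into a script literal.
function naiveEmbed(input) {
  return '<script>somevariableUnfiltered="' + input + '"</script>';
}

// Safe embedding: JSON.stringify yields a valid JS string literal, then escape
// what the HTML parser or JS line terminators could still misuse: '<' (so a
// "</script" inside the value cannot close the element) and U+2028/U+2029,
// which JSON allows unescaped but JS may treat as line terminators.
function safeEmbed(input) {
  const literal = JSON.stringify(String(input))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return '<script>somevariableUnfiltered=' + literal + '</script>';
}

// True when src is exactly one double-quoted JS string literal and nothing else.
function isSingleStringLiteral(src) {
  if (src.length < 2 || src[0] !== '"') return false;
  for (let i = 1; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') { i++; continue; }            // skip the escaped character
    if (c === '"') return i === src.length - 1;   // closing quote must be last
    if (c === '\n' || c === '\r' || c === '\u2028' || c === '\u2029') return false;
  }
  return false; // unterminated literal
}

// Detects the two ways the naive form breaks: the HTML parser sees "</script"
// inside the value (it ends the element regardless of JS string boundaries),
// or the value is no longer a single string literal (an early closing quote
// or a raw line terminator lets whatever follows run as code).
function breaksOut(html) {
  const prefix = '<script>somevariableUnfiltered=';
  const suffix = '</script>';
  if (!html.startsWith(prefix) || !html.endsWith(suffix)) return true;
  const value = html.slice(prefix.length, html.length - suffix.length);
  if (/<\/script/i.test(value)) return true;
  return !isSingleStringLiteral(value);
}
```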