AttackVectors
Interpreter & Browser properties that can be exploited to escalate privileges.

Properties of Interpreters or the Browser Environment that allow Privilege Escalation

Below is a list of known attack vectors. We discuss the ECMAScript 3 language, quirks of existing interpreters, and browser-specific extensions that could allow privilege escalation, so that we can come up with tests for a safe JavaScript rewriter or verifier.

Attack Vectors at the EcmaScript/JavaScript level

Attack Vectors at the Browser Environment, DOM, HTML, or CSS levels
Microsoft's JScript ECMAScript implementation (used in Internet Explorer) supports "conditional compilation", which is kind of like conditional comments for scripts. If Caja doesn't strip or sanitize comments, this could be an attack vector in IE, like so:

/*@cc_on alert(document.cookie); @*/
//@cc_on alert(document.cookie);
Thanks. We do strip comments for that and other reasons. I have noted that under possible attack vectors.
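The comment-stripping defence mentioned in the exchange above, as an added example that is not Caja's own code: a scanner that removes comments from ES3-style source before verification and reports any comment whose body begins with "@", which is the form JScript treats as a conditional-compilation directive (`/*@cc_on ... @*/`, `//@cc_on ...`). String literals are tracked so that comment openers inside strings are left alone; regex literals are not tracked, which is an assumed simplification.

```javascript
// Added example (not Caja's code). Removes "//" and "/* */" comments from
// source text and flags comment bodies that start with "@", the marker
// JScript uses for conditional compilation. Tracks '...' and "..." strings
// with backslash escapes; regex literals are deliberately not tracked
// (assumption: a "/*" inside a regex literal is a rare edge case here).
function stripComments(src) {
  let out = '';
  const flagged = [];
  let i = 0;
  const n = src.length;
  while (i < n) {
    const c = src[i];
    const two = src.slice(i, i + 2);
    if (c === '"' || c === "'") {
      // copy the string literal verbatim, skipping over escaped characters
      let j = i + 1;
      while (j < n && src[j] !== c) {
        if (src[j] === '\\') j++;
        j++;
      }
      out += src.slice(i, j + 1);
      i = j + 1;
    } else if (two === '//') {
      // line comment: drop up to (but not including) the newline
      let j = src.indexOf('\n', i);
      if (j === -1) j = n;
      const body = src.slice(i + 2, j);
      if (body[0] === '@') flagged.push(body);
      i = j;
    } else if (two === '/*') {
      // block comment: an unterminated one swallows the rest of the input
      let j = src.indexOf('*/', i + 2);
      if (j === -1) j = n;
      const body = src.slice(i + 2, j);
      if (body[0] === '@') flagged.push(body);
      out += ' '; // a comment is whitespace; keep surrounding tokens apart
      i = j + 2;
    } else {
      out += c;
      i++;
    }
  }
  return { code: out, flagged: flagged };
}
```

A verifier can reject any input for which `flagged` is non-empty, or simply feed `code` onward so that the directive never reaches JScript.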
Does Caja protect against each of these attack vectors? If so, I suggest that each attack vector wiki page also briefly describe how Caja protects against that attack vector, or point to where that can be found. (At least EventChecksCircumventableByInfLoops does not currently do so.)
That's a good idea, Oresmus. You're right about EventChecksCircumventable... It's filed as a bug that I really need to get around to fixing.
I didn't know where to put this; it didn't quite fit in any of the sections, but Firefox has some weird quirks.

E4X properties can be used with other objects:

o=({'*':1,'@$':1,'@*':1}); alert(o.*+o.@$+o.@*)

and...

Number.prototype['*']=function(str) { alert(str); } 1..*(1)
OR .1.*(1)

hidden FF properties:

<img src=1 onerror="(function() { alert(arguments[-3][-6]); })();">
/a/[-1]    // a (DoctorDan found this one on slackers)
alert[-5]  // alert (string)
'test'[-1] // length 4
gazheyes -- your comment got a bit mangled because of wiki quoting. Use triple-braces (see "verbatim code block" in the markup help below-right) to avoid that, or post to google-caja-discuss.
I think that any E4X at all in a script will be rejected by strict ES parsers, so it isn't much of a problem.
The hidden properties are potentially worrying, though, since numeric (including negative) property names are always allowed in Cajita, ADsafe and Jacaranda. Do these ever give access to private information or to non-primitive values?