google-caja
A source-to-source translator for securing Javascript-based web content
Updated Jul 11, 2008 by mikesamuel
AttackVectors
Interpreter and browser properties that can be exploited to escalate privileges.

Properties of Interpreters or the Browser Environment that allow Privilege Escalation

Below is a list of known attack vectors. We discuss the ECMAScript 3 language, quirks of existing interpreters, and browser-specific extensions that could allow privilege escalation, so that we can come up with tests for a safe JavaScript rewriter.

Attack Vectors at the EcmaScript/Javascript level

Attack Vectors at the Browser Environment, DOM, HTML, or CSS levels


Comment by futurama, Oct 14, 2007

Microsoft's JScript ECMAScript implementation (used in Internet Explorer) supports "conditional compilation", which is kind of like conditional comments for scripts. If Caja doesn't strip or sanitize comments, this could be an attack vector in IE, like so: /*@cc_on alert(document.cookie); @*/ //@cc_on alert(document.cookie);

Comment by mikesamuel, Oct 16, 2007

Thanks. We do strip comments for that and other reasons. I have noted that under possible attack vectors.
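The mitigation mikesamuel describes, shown as an added example that is not Caja's own code: a string-literal-aware comment stripper that removes both directive forms from the thread, plus a check that no conditional-compilation trigger (@cc_on, @if or @set) survives. It assumes plain script text and does not handle regular-expression literals, which a real rewriter's lexer must.

```javascript
// Added example (not from the Caja project): strip // and /* */ comments
// while copying string literals verbatim, so that "/*" inside a string is
// left alone. Regex literals are deliberately out of scope here.
function stripComments(src) {
  let out = "";
  let i = 0;
  const n = src.length;
  while (i < n) {
    const c = src[i];
    const next = src[i + 1];
    if (c === '"' || c === "'") {
      // String literal: copy through the closing quote, honouring escapes.
      const quote = c;
      out += c;
      i++;
      while (i < n && src[i] !== quote) {
        if (src[i] === "\\" && i + 1 < n) { out += src[i] + src[i + 1]; i += 2; }
        else { out += src[i]; i++; }
      }
      if (i < n) { out += src[i]; i++; }
    } else if (c === "/" && next === "/") {
      // Line comment (covers //@cc_on ...): drop up to the newline.
      while (i < n && src[i] !== "\n") i++;
    } else if (c === "/" && next === "*") {
      // Block comment (covers /*@cc_on ... @*/): drop through "*/" and
      // emit one space so adjacent tokens do not fuse (a/**/b -> a b).
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? n : end + 2;
      out += " ";
    } else {
      out += c;
      i++;
    }
  }
  return out;
}

// JScript activates conditional compilation with @cc_on, @if or @set;
// after stripping, none of these should remain outside string literals.
function hasConditionalCompilation(src) {
  return /@(?:cc_on|if|set)\b/.test(src);
}

// Constructed sample: both directive forms from the thread, followed by
// an ordinary string literal that must survive untouched.
const SAMPLE = '/*@cc_on ieOnly(); @*/ //@cc_on ieOnly();\nvar s = "/* kept */";';

console.log(stripComments(SAMPLE));
```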
