ObjectToSourceLeaksPrivates
serializing an object can expose private state
Attack-Vector
Updated Feb 4, 2010 by mikesamuel@gmail.com

Object.toSource and uneval allow access to private fields

Effect

Untrusted code that can reference an object can get access to its private fields by serializing it using uneval and then parsing the resulting string.

Background

Object.toSource and uneval are non-standard members of Object.

toSource is defined in SpiderMonkey's JS1.3+ interpreters and provides a mechanism similar to Python's __repr__ method, allowing objects to serialize themselves to code that can be evaled, so (new Date(2000, 0, 1)).toSource() === '(new Date(946713600000))'.

uneval does the same.

The act of serializing an object can expose its private state. Serializing a function using either of these methods does not expose the state held in its closure, as evidenced by

  // idx lives only in the closure, not as a property of ctr
  var ctr = (function (idx) { return function () { return ++idx; }; })(0);
  ctr();
  ctr();
  // yields the function's source text; the current value of idx is not part of it
  ctr.toSource();

Assumptions

uneval and Object.toSource are accessible to untrusted code.

Versions

Firefox and possibly others.

Example

// Untrusted code
function untrusted(o) {
  // untrusted need not attempt to access private_ directly;
  // the serialized form of o carries the property name and value
  var privateValue = o.toSource().match(/private_:\s*(\d+)/)[1] * 1;
  alert('private value is ' + privateValue);
}

var o = { private_: 4 };
untrusted(o);
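The defensive counterpart, as an added example that is not part of the original page: state kept as a naming-convention property ("private_") survives serialization, while state kept in a closure does not. Because Object.toSource and uneval exist only in SpiderMonkey, the example assumes a plain own-property serializer (JSON.stringify) as a stand-in for toSource; the leak it shows is the same one the page describes.

```javascript
// Added example, not code from the original page. JSON.stringify stands in
// for the non-standard o.toSource(): both walk the object's own properties,
// so both reveal property-based "private" state.

// Serializer assumed to be reachable by untrusted code.
function serialize(o) {
  return JSON.stringify(o);
}

// Leaky design: "private" state is an ordinary property distinguished only
// by a naming convention, so any serializer can read it.
function makeLeakyCounter(start) {
  return {
    private_: start,
    next: function () { return ++this.private_; }
  };
}

// Hardened design: the counter value lives only in the closure. The object
// exposes no property that holds it, so serializing the object yields nothing.
function makeClosureCounter(start) {
  var idx = start;
  return {
    next: function () { return ++idx; }
  };
}

// The probe from the wiki example, generalised to match both the toSource
// form (private_: 4) and the JSON form ("private_":4).
// Returns the recovered number, or null when nothing leaked.
function recoverPrivate(o) {
  var m = serialize(o).match(/"?private_"?:\s*(\d+)/);
  return m ? Number(m[1]) : null;
}

// Usage: the leaky counter gives up its current value, the closure-based one does not.
var leaky = makeLeakyCounter(4);
leaky.next(); leaky.next();
console.log('leaky counter leaks:', recoverPrivate(leaky));   // 6

var safe = makeClosureCounter(4);
safe.next(); safe.next();
console.log('closure counter leaks:', recoverPrivate(safe));  // null
```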
Comment by project member davidsar...@gmail.com, May 29, 2008

"Object.toSource and uneval are non-standard members of Object."

toSource is a non-standard member of Object; uneval is a non-standard global.

Comment by project member mikesamuel@gmail.com, Jun 5, 2008

yep. clarified that.
