Comments on IMQ Minded Security Blog: Ye Olde Crockford JSON regexp is Bypassable

Anonymous, 2011-08-24 13:21:

@Stefano

Right! And this gives me an idea, in that case you can simplify this to:

{toString: self["doSom"], attr:name}

removing the need for "+" in the payload. Tried it, it worked.

Stefano Di Paola, 2011-08-23 22:53:

@Krzysztof You can always count on any reachable function similar to this:

function doSom(){
  eval(this.attr)
}

then use {valueOf:self["doSom"], attr:"alert(6)"}

@Anonymous yes, I already said that in the "countermeasures and fix" section...

Anonymous, 2011-08-23 11:02:

The official json2.js library from JSON.org does not have this vulnerability. I continue to recommend the use of this library if there is any chance that applications will be running on pre-ES5 browsers such as IE8 and earlier.

Get it at https://github.com/douglascrockford/JSON-js

Anonymous, 2011-08-22 13:48:

Awesome find! And better yet, perfect timing for my current project.

As for other browsers one might use a similar vector but only if somewhere in the app is a function that basically looks like this:

function goto() {
  location = this;
}

// A very rare case I suppose, but worth noting.

So instead of {valueOf: location, ...} we could use {valueOf:goto,...}

I'm still looking for a vector NOT requiring +. Any idea (no charset fun)?