
Re: ADsafe and bind

  • marcel.laverdet
    Sep 8, 2008
      --- In caplet@yahoogroups.com, "Kris Zyp" <kris@...> wrote:
      >
      > Of course the attack assumes that the host uses Prototype and also has an iframe on the
      > page, but I imagine such cases aren't hard to find. There's also several other ways you can
      > get window without even depending on Prototype:
      > ([].slice || 0)(0)
      > ([].sort || 0)()
      > ([].forEach || 0)(function(a,b,win){ })
      >
      > So now you're in a tough situation. Do you blacklist all of those vectors? I see you're
      > currently using mozilla() to handle concat, reverse, and sort but that approach won't work
      > consistently on all sites. Additionally you run into the problem that by poking around at
      > Array.prototype you break hosts that use for (var ii in arr); for array iteration under the
      > assumption that Array.prototype contains only DontEnum properties.
      >
      > When does mozilla() not work to fix concat, reverse, sort, slice, and forEach? Is it when the host site also wants to fiddle with
      > the prototypes (of course this could simply be documented to be unsafe)? Also, the mozilla() fix function replaces value in
      > existing slots, it doesn't seem to affect the DontEnum property in the environments I quickly tried (nor break array
      > enumeration). Is there a particular environment where these replacements cause array enumeration breakage?
      > Anyway, thanks for the help and information,
      > Kris
      >

      mozilla() does not work if you haven't called it on a vulnerable method (of which there are at least a dozen in Firefox). In the
      current version of adsafe.js, only concat, reverse, and sort are correctly fixed with mozilla(). Also, like I said, it's very common to
      augment Array with unsafe methods. It's also unreasonable to expect a host environment to understand the dangers of
      augmenting Array.prototype. Many libraries augment Array.prototype, and in most cases the host won't even be aware.

      You're correct that the current use of mozilla() won't break any browsers since it only replaces widely-implemented methods;
      however, right below that, Array.prototype.filter is created if it doesn't exist. If filter doesn't exist, it won't have DontEnum set, and
      will therefore create an enumerable property on Array.prototype. This will affect at least IE6.

      Also a quick side note -- I just noticed in adsafe.js this line:
      Object.prototype.eval = null;

      I think this was recently added because I didn't notice it earlier? Anyway, it's important to check for the existence of
      Object.prototype.eval before attempting to null it out or you end up creating a globally-inherited property for which DontEnum
      is not set. That will of course break pretty much any existing code that doesn't use hasOwnProperty in every for(in) loop.
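The side effect described in this reply, shown as an added example rather than code from the thread or from adsafe.js: an unconditional `Object.prototype.eval = null` on an engine that has no such property creates a new, enumerable inherited property that every `for (k in obj)` loop then sees, and a library that augments `Array.prototype` by plain assignment does the same to `for (var ii in arr)`. The existence check is the fix the reply asks for; the `Object.defineProperty` variant (ES5, later than this 2008 thread) and the `hasOwnProperty`-guarded loop are assumptions of mine about how a host page would avoid the breakage today. The property name `demoFirst` is constructed for the example. Runs stand-alone on Node.js.

```javascript
// Collect the keys a for-in loop sees, own and inherited, in order.
function forInKeys(obj) {
  const seen = [];
  for (const k in obj) seen.push(k);
  return seen;
}

// The defensive loop the reply alludes to: skip inherited properties.
function forInOwnKeys(obj) {
  const seen = [];
  for (const k in obj) {
    if (Object.prototype.hasOwnProperty.call(obj, k)) seen.push(k);
  }
  return seen;
}

// The pattern criticised in the thread: assign without checking existence.
// If the slot did not exist, a brand-new enumerable property is created.
function nullOutUnsafe(proto, name) {
  proto[name] = null;
}

// Existence check first, as the reply recommends; when the slot does exist,
// replace it as non-enumerable so the DontEnum behaviour is preserved
// (defineProperty is my ES5-era assumption, not the thread's code).
function nullOutSafe(proto, name) {
  if (!Object.prototype.hasOwnProperty.call(proto, name)) return false;
  Object.defineProperty(proto, name, {
    value: null, writable: true, configurable: true, enumerable: false,
  });
  return true;
}

// Diagnostic a host page could run: own enumerable properties on a prototype
// are exactly the ones that will leak into for-in loops.
function enumerableProtoProps(proto) {
  return Object.keys(proto);
}

// Thread's case: Object.prototype.eval does not exist here, so the bare
// assignment creates an enumerable property that pollutes every for-in loop.
function demoUnsafe() {
  nullOutUnsafe(Object.prototype, 'eval');
  const keys = forInKeys({ a: 1 });        // ['a', 'eval']
  const ownOnly = forInOwnKeys({ a: 1 });  // ['a'] with the hasOwnProperty guard
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, 'eval');
  delete Object.prototype.eval;            // clean up so nothing else is affected
  return { keys, ownOnly, enumerable: desc.enumerable };
}

// Same intent with the existence check: nothing to null out, nothing created.
function demoSafe() {
  const changed = nullOutSafe(Object.prototype, 'eval'); // false
  const keys = forInKeys({ a: 1 });                      // ['a']
  return { changed, keys };
}

// A library augmenting Array.prototype by assignment (constructed name), the
// situation the reply says breaks `for (var ii in arr)` on host pages, beside
// the non-enumerable way of adding the same helper.
function demoLibraryAugmentation() {
  Array.prototype.demoFirst = function () { return this[0]; };
  const polluted = forInKeys([10, 20]);                 // ['0', '1', 'demoFirst']
  const leaked = enumerableProtoProps(Array.prototype); // ['demoFirst']
  Object.defineProperty(Array.prototype, 'demoFirst', {
    value: function () { return this[0]; },
    writable: true, configurable: true, enumerable: false,
  });
  const clean = forInKeys([10, 20]);                    // ['0', '1']
  delete Array.prototype.demoFirst;
  return { polluted, leaked, clean };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoUnsafe(), demoSafe(), demoLibraryAugmentation());
}
```

`demoUnsafe` is the IE6-style breakage in miniature: any for-in loop over any object now yields `eval`, and only code that already guards with `hasOwnProperty` keeps working. `enumerableProtoProps` is a cheap check a host can run at load time to see whether one of its libraries has left enumerable properties on `Array.prototype` before deciding whether a sandbox that mutates prototypes is safe to include.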