New Update - Fixed a few exploits


  • We propped a new update of the Web Sandbox.

    This fixes a few exploits that were discovered in the past day. We are sharing these to illustrate a few potential attack vectors. The fix was the same - we needed to deny setting the contents of the scripts (there are a couple of mechanisms). Also, to illustrate how the system works, the fix merely involved overriding the script element rules for innerHTML, appendChild, etc., with an explicit deny rule (no heavy lifting was necessary).

    <html>
         <head>
             <title>Your Gadget's Title</title>
             <script type="text/javascript">
                // Hex escapes keep the literal text "<script>" out of the gadget
                // source; document.write receives the decoded markup at runtime.
                function splode() {
                    document.write('\x3cscript\x3ealert(\'got you\');\x3c/script\x3e');
                }
             </script>
             <style type="text/css">
                 /* CSS styles go here */
             </style>
         </head>
         <body onload="splode()">
             <p>Your Gadget's HTML goes here.  Your HTML must be well-formed.</p>
         </body>
    </html>


    <html>
         <head>
             <title>Your Gadget's Title</title>
             <script type="text/javascript">
                // Builds a script element and fills it through innerHTML; the
                // appended element executes once it is in the document.
                function splode() {
                    var el = document.createElement("script");
                    el.innerHTML = "alert(1)";
                    document.body.appendChild(el);
                }
             </script>
             <style type="text/css">
                 /* CSS styles go here */
             </style>
         </head>
         <body onload="splode()">
             <p>Your Gadget's HTML goes here.  Your HTML must be well-formed.</p>
         </body>
    </html>


    Enjoy,
    Scott

    Saturday, October 25, 2008 12:25 AM
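The following is an added illustration of the kind of fix the post describes, not code from the Web Sandbox itself: a small policy layer in which script elements carry explicit deny rules for innerHTML, textContent and appendChild, and document.write is checked on the decoded string it actually receives. The element model is a constructed stand-in for the DOM so the file runs under Node; the policy table's shape, the rule names and the function names are assumptions made for this example.

```javascript
'use strict';

// Added illustration, not Web Sandbox code: a policy layer that denies the
// script-content sinks the post lists at runtime. FakeElement is a constructed
// stand-in for a DOM node; POLICY's shape and names are this example's assumptions.

class PolicyViolation extends Error {}

// Per-tag rules; anything not listed for a tag falls through to '*'.
const POLICY = {
  '*':      { innerHTML: 'allow', textContent: 'allow', appendChild: 'allow' },
  'script': { innerHTML: 'deny',  textContent: 'deny',  appendChild: 'deny'  },
};

function decide(tagName, op) {
  const specific = POLICY[tagName.toLowerCase()];
  if (specific && op in specific) return specific[op];
  return POLICY['*'][op];
}

// Minimal constructed element: a tag, a child list and a content string.
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName.toUpperCase();
    this.children = [];
    this.html = '';
  }
}

// Membrane: sandboxed code only ever holds Proxies, so every sensitive
// operation is checked against the policy before it reaches the real node.
function wrap(el) {
  return new Proxy(el, {
    set(target, prop, value) {
      if (prop === 'innerHTML' || prop === 'textContent') {
        if (decide(target.tagName, prop) === 'deny') {
          throw new PolicyViolation(`${prop} on <${target.tagName.toLowerCase()}> denied`);
        }
        target.html = String(value);
        return true;
      }
      target[prop] = value;
      return true;
    },
    get(target, prop) {
      if (prop === 'appendChild') {
        return (child) => {
          if (decide(target.tagName, 'appendChild') === 'deny') {
            throw new PolicyViolation(`appendChild on <${target.tagName.toLowerCase()}> denied`);
          }
          target.children.push(child);
          return child;
        };
      }
      return target[prop];
    },
  });
}

// document.write sink. The check runs on the string the engine hands over at
// runtime, after '\x3c' has already become '<'.
const SCRIPT_TAG = /<\s*script\b/i;
function guardedWrite(doc, markup) {
  if (SCRIPT_TAG.test(markup)) throw new PolicyViolation('document.write of a script tag denied');
  doc.written.push(markup);
}

// Second exploit from the post: create a script, fill it, append it.
function runCreateScriptExploit() {
  const body = wrap(new FakeElement('body'));
  const el = wrap(new FakeElement('script'));
  try {
    el.innerHTML = 'alert(1)'; // denied here, before appendChild is reached
    body.appendChild(el);
    return 'escaped';
  } catch (e) {
    return e instanceof PolicyViolation ? 'blocked' : 'error';
  }
}

// First exploit: hex-escaped markup. Scanning the gadget source for '<script'
// misses it; the sink sees the decoded string and does not.
function runDocumentWriteExploit() {
  const source = "document.write('\\x3cscript\\x3ealert(\"got you\")\\x3c/script\\x3e')";
  const staticScanHit = SCRIPT_TAG.test(source);
  const doc = { written: [] };
  let outcome;
  try {
    guardedWrite(doc, '\x3cscript\x3ealert("got you")\x3c/script\x3e');
    outcome = 'escaped';
  } catch (e) {
    outcome = e instanceof PolicyViolation ? 'blocked' : 'error';
  }
  return { staticScanHit, outcome, written: doc.written.length };
}

// Ordinary gadget work is unaffected: a div may take content and children.
function runBenign() {
  const div = wrap(new FakeElement('div'));
  div.innerHTML = '<p>hello</p>';
  div.appendChild(wrap(new FakeElement('p')));
  return div.children.length === 1 && div.html === '<p>hello</p>';
}
```

The point of the two exploit runners is where the check sits: the first gadget never contains the text "<script>" in its source, so a scanner over the gadget text passes it, while the sink sees the decoded markup; the second gadget is stopped at the innerHTML assignment, before appendChild is ever reached, which is exactly the "deny setting the contents of the script" rule the post describes.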

All replies

  • So let me get this straight: for a gadget to be implemented in a blog it must have the script AND the HTML within one area called the sandbox? What if I embed a gadget that needs me to name any element on the page with a specific ID, then pass the ID back to the script of the gadget for it to do things, like setting content... would it work? An example is the swfobject.

    I hope I'm on the same page here; I may be totally off topic, forgive my ignorance :) so be nice!
    Thursday, October 30, 2008 4:59 AM
  • I will use your swfobject loading as an example to possibly clarify how to handle your more general question.

    One Note: We currently do not support this scenario because objects can escape the sandbox due to their higher privileges within the browser. We do have ideas on how to possibly deal with this scenario but currently have none of them implemented.

    The example that you describe with the swfobject in most cases can be contained completely within a sandboxed section. 

    To illustrate, you would sandbox some code similar to what's displayed below:

    <html>
    <head>
    <!-- The loader script lives inside the sandboxed section as well. -->
    <script src="swfobjectloader.js"></script>
    <script>
    // LoadSwf is assumed to be provided by swfobjectloader.js.
    function OnLoadFunction()
    {
        LoadSwf(document.getElementById('swfloadlocation'));
    }
    </script>
    </head>
    <body onload="OnLoadFunction()">
    <div id="swfloadlocation">swf loads here</div>
    </body>
    </html>

    There are a few notes about this scenario:
    1. The swfobjectloader.js is put within the sandboxed section because we don't want it to create holes within the sandbox.
    2. We still have a definitive display boundary by default similar to an iframe (augmentations of the sandbox policies could allow more interesting interactions, e.g. rendering in two different sandboxed display sections).
    3. I think with this scenario you were possibly asking about communication between the sandboxed world and the un-sandboxed world (host). In this case we have not defined a set way to communicate between these two realms. We do cast all objects passing between the boundary as a native type so that no accidental security holes are created. As I hinted in note #2, one could define their own communication bus APIs via policies, which could be available to all "gadgets" or a select few on the same page.

    I hope I answered your question. If you have any more questions or would like further detail, don't hesitate.

    Thursday, October 30, 2008 6:41 AM
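An added illustration of the "cast everything crossing the boundary to a native type" step from note 3 in the reply above, and of why a communication bus built on it stays safe; this is example code written for this page, not the Web Sandbox's own boundary code. A value handed across is rebuilt as primitives, plain arrays and prototype-less plain objects, so a gadget never receives a live host object (with methods, accessors or a prototype chain) and the host never receives a crafted one. The function names, the host-window stand-in and the nesting limit are assumptions made for this example.

```javascript
'use strict';

// Added illustration, not Web Sandbox code: values crossing the host/sandbox
// boundary are copied into primitives, plain arrays and prototype-less objects.
// toNative, BoundaryError, MAX_DEPTH and makeHostWindow are this example's
// assumptions; makeHostWindow is a constructed stand-in for a privileged object.

class BoundaryError extends Error {}
const MAX_DEPTH = 16;

function toNative(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new BoundaryError('value nested too deeply');
  switch (typeof value) {
    case 'string':
    case 'number':
    case 'boolean':
    case 'bigint':
    case 'undefined':
      return value;
    case 'function':
    case 'symbol':
      // A function is a capability, a symbol can be a well-known key: neither crosses.
      throw new BoundaryError(`${typeof value} may not cross the boundary`);
    case 'object': {
      if (value === null) return null;
      if (Array.isArray(value)) return value.map((v) => toNative(v, depth + 1));
      // Prototype-less target: there is no __proto__ setter to be triggered later.
      const out = Object.create(null);
      for (const key of Object.keys(value)) {
        if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
        const desc = Object.getOwnPropertyDescriptor(value, key);
        if (desc.get || desc.set) continue;              // accessors would run foreign code
        if (typeof desc.value === 'function') continue;  // methods are dropped, not copied
        out[key] = toNative(desc.value, depth + 1);
      }
      return out;
    }
    default:
      throw new BoundaryError(`unsupported type ${typeof value}`);
  }
}

// Constructed stand-in for a privileged host object (think of the real window).
function makeHostWindow() {
  const secrets = { cookie: 'session=abc' };
  return {
    name: 'host',
    location: { href: 'https://example.invalid/page' },
    getCookie() { return secrets.cookie; },                // capability that must not leak
    get document() { return { cookie: secrets.cookie }; }, // accessor over privileged state
  };
}

// Host -> sandbox: the gadget gets data, not a handle.
function sandboxSeesOnlyData() {
  const w = toNative(makeHostWindow());
  return {
    getCookieType: typeof w.getCookie,                  // 'undefined'
    hasDocument: 'document' in w,                       // false
    href: w.location.href,                              // plain data still arrives
    prototypeIsNull: Object.getPrototypeOf(w) === null, // true
  };
}

// Sandbox -> host: a crafted object whose own '__proto__' key would, if merged
// straight into a host object with Object.assign, rewire that object's prototype.
function hostMergesSandboxValue() {
  const crafted = JSON.parse('{"__proto__":{"polluted":true},"ok":1}');
  const unsafe = Object.assign({}, crafted);          // the __proto__ setter fires
  const safe = Object.assign({}, toNative(crafted));  // the key was dropped at the boundary
  return {
    ok: safe.ok,
    unsafePolluted: unsafe.polluted === true,
    safePolluted: safe.polluted === true,
  };
}
```

The two directions show the two failure modes the reply is guarding against: in the host-to-sandbox direction the cast strips the method and the accessor so the gadget cannot reach privileged state through a leaked handle, and in the sandbox-to-host direction the cast discards the `__proto__` key so that a host-side merge of the gadget's value cannot alter the host object's prototype. A policy-defined communication bus would pass every message through this kind of cast on both sides.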