Published 11 years 10 months ago • Last updated March 24, 2025 • ⏱️ < 1 min read
I managed to find time to fix a couple of MentalJS bypasses by LeverOne and Soroush Dalili (@irsdl). LeverOne's vector was outstanding since it bypassed the parsing itself which is no easy task. The vector was as follows:
for(var i i/'/+alert(location);0)break//')
Basically my parser was inserting a semi colon in the wrong place causing a different state than the actual state executed. My fix inserts the semi colon in the correct place. Before the fix the rewritten code looked like this:
for (var i$i$; / '/+alert(location);0)break//')
As you can see the variables have been incorrectly joined and so the next state is a regex whereas Mental thinks it's a divide. After the fix the rewritten code looks like this:
for (var i$;i$ / '/+alert(location);0)break//')
So now the divide is an actual divide. Technically I shouldn't be inserting a semi-colon in the for statement, I might fix this at a later stage if I have time.
The second bypass was from Soroush that basically assigned innerHTML on script nodes bypassing the rewriting completely. Cool bug. The fix was pretty simple, I prevented innerHTML assignments on script nodes. Here is the bypass:-
parent=document.getElementsByTagName('body')[0]; img=document.getElementsByTagName('img')[0]; x=document.createElement('script'); x.innerHTML='alert(location)'; parent.appendChild(x);