On Mon, 03 Jan 2011 02:09:26 +0100, porneL <[email protected]> wrote:
> Here's my first attempt:
> https://gist.github.com/762984
> Can you hack it?
Partially.

You use "0 + href.charCodeAt(i)" to convert the value to a number, but it doesn't work. If the return value of charCodeAt is a string, it instead prepends a zero. I can use that by adding properties on Object.prototype matching values that I want to fake.

E.g., if you are at www.dummy.com, but I want to get the value secret for www.fubar.com, I return strings for the characters that don't match, so href.charCodeAt(4) returns "102" (string of ASCII code for "f") instead of 100 (number of ASCII code for "d"). Then I have set Object.prototype["0102"]="d", and you will still assemble the string "www.dummy.com". Later when you compute the secret, the string is converted to a number and the initial zero is ignored.

If the domain name you want to spoof has the same character occurring several times, either the domain name you start with needs to have (possibly another) same character at the same positions, or you could have the charCodeAt function update Object.prototype each time it's called.

The problems here are two: the bad conversion to number and the possibility of injecting properties into your dictionary objects using Object.prototype. The former can be fixed by just writing "+href.charCodeAt(i)" instead. The latter by testing whether each property is deletable (if you can delete it, it's not inherited) - but you have to take into account that the inherited property might be an inherited getter, which gives the getter access to your object. That would be BAD. I can't see a good way to prevent that without using __proto__. Using __proto__, you can define the object literal with the extra property __proto__:null, to sever the prototype chain.

Another problem is that you accept numeric values above 256 from charCodeAt, but assume that it's only 8 bits. That means that the left shift used to store the value sometimes discards bits, making it possible for charCodeAt to return a numeric value different from the value that is eventually stored in the secret. Again this discrepancy makes it possible to seed the Object.prototype to return the correct letter while using the code of another letter in the secret. E.g., returning (1<<24 | 102) with Object.prototype[1<<24|102] = 'd', which would on three out of four positions give the correct secret for fubar.com while validating as dummy.com.

Pretty close, though. :)

I checked the availability of looking up single characters using "string"[i]. It seems that all current-version browsers have it. IE might not have had it before IE8, though.
--
To view archived discussions from the original JSMentors Mailman list:
http://www.mail-archive.com/[email protected]/
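The three weaknesses named in the reply (the "0 + x" concatenation, lookups in a table that inherits from Object.prototype, and accepting character codes wider than 8 bits) side by side with one hardened lookup. This is an added example, not code from the thread or from the gist it discusses; the tables and the character-code range are constructed for illustration.

```javascript
// Constructed table: character code -> character, as a plain object.
// A plain object inherits from Object.prototype, so a key planted there is
// found by `table[key]` exactly as if it were an entry of the table itself.
const plainTable = {};
for (let c = 32; c < 127; c++) plainTable[c] = String.fromCharCode(c);

// Same table built with `__proto__: null` (the fix the reply mentions):
// there is no prototype chain, so nothing can be inherited into it.
const safeTable = { __proto__: null };
for (let c = 32; c < 127; c++) safeTable[c] = String.fromCharCode(c);

// Weak conversion: `0 + v` concatenates when v is a string ("102" becomes
// "0102"), so the lookup key and the number used later can differ.
function weakToNumber(v) { return 0 + v; }

// Fixed conversion: unary plus always yields a number ("102" -> 102).
function strictToNumber(v) { return +v; }

// Weak lookup: bad conversion, inheritable table, no range check.
function weakLookup(v) { return plainTable[weakToNumber(v)]; }

// Hardened lookup:
//  - strict numeric conversion;
//  - reject anything outside the 8-bit range the secret assumes, so a
//    later `<< 8` can never silently drop bits;
//  - check for an own property via hasOwnProperty.call, which does not
//    invoke an inherited getter the way a direct read would;
//  - read from the prototype-less table only.
function safeLookup(v) {
  const n = strictToNumber(v);
  if (!Number.isInteger(n) || n < 0 || n > 255) return undefined;
  if (!Object.prototype.hasOwnProperty.call(safeTable, n)) return undefined;
  return safeTable[n];
}
```

Both lookups agree on honest numeric input; they diverge only when the value is a string or falls outside one byte, which is exactly the discrepancy the reply describes.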