Within our "control zone" we can make every function and variable behave the way we want; for example, we can have a piece of code executed every time something is accessed, modified, used, or called. To do so, we only need to learn to use some methods that all variables have.
On the page there is an input field that lets you modify the variable we are playing with. The code that modifies the variable is:
var theVar={value:"default"};
// act() is called with the input element as o: it stores the value in theVar
// and shows it in the element with id "toup"
function act(o){ theVar.value=document.getElementById("toup").innerHTML=o.value; }
The impact this may have is attacking Firefox plugins that access document variables and functions (without using XPCWrappers) and injecting code into their context (a PoC of this will be delivered soon), or building some very fancy and complex XSS attacks against the browser.
Another feature discussed in this paper is the Error.stack attribute that Firefox attaches to its errors; it lets us trace the stack at the moment the error was thrown. To access it we just need to do:
try{"error"();}catch(e){alert(e.stack)}
The output is similar to (one frame per line, innermost first):
the_stack()@file:///C:/k/jse2.html:28
standard_func("argument1","argument2")@file:///C:/k/jse2.html:31
@file:///C:/k/jse2.html:34
The interesting part is that we actually get access to the arguments, functions and files that led the execution of the script to our code. In Firebug we get this result:
"@javascript: with (__scope__.vars) { with (__scope__.api) { with (__scope__.userVars) { with (window) {try {__scope__.callback(eval(__scope__.expr));} catch (exc) {__scope__.callback(exc, true);}}}}}:1 @javascript: with (__scope__.vars) { with (__scope__.api) { with (__scope__.userVars) { with (window) {try {__scope__.callback(eval(__scope__.expr));} catch (exc) {__scope__.callback(exc, true);}}}}}:1 "
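To make the stack text usable from code rather than only readable in an alert, here is an added example (not part of the original paper) that parses the Firefox-style frames shown above into objects. The frame syntax is assumed from that output: name(args)@file:line, an empty name for anonymous or top-level code, and the :column suffix that newer Firefox builds append is accepted too. The sample stack is constructed from the output above; the helper names are my own.

```javascript
// Added example: parser for Firefox-style Error.stack frames.
// Constructed sample: the three frames from the output above, newline-separated
// as Firefox emits them (the pattern also accepts space-separated frames).
const SAMPLE_STACK = [
  'the_stack()@file:///C:/k/jse2.html:28',
  'standard_func("argument1","argument2")@file:///C:/k/jse2.html:31',
  '@file:///C:/k/jse2.html:34',
].join('\n');

function parseFirefoxStack(stack) {
  // name, optional (args), @, location without whitespace, :line, optional :column
  const frameRe = /(\w*)(?:\(([^)]*)\))?@(\S+?):(\d+)(?::(\d+))?(?=\s|$)/g;
  const frames = [];
  let m;
  while ((m = frameRe.exec(stack)) !== null) {
    frames.push({
      fn: m[1] || '<anonymous>',               // empty name = top-level code
      args: m[2] === undefined ? null : m[2],  // null when there is no "(...)" part
      file: m[3],
      line: Number(m[4]),
      column: m[5] === undefined ? null : Number(m[5]),
    });
  }
  return frames;
}

// Innermost frame first, as in the stack text: "fn <- fn <- fn".
function callChain(stack) {
  return parseFirefoxStack(stack).map(f => f.fn).join(' <- ');
}

// Distinct files that contributed code to the call chain; handy when checking
// whether a call crossed from page script into an extension's or third party's file.
function filesInStack(stack) {
  return [...new Set(parseFirefoxStack(stack).map(f => f.file))];
}
```

Note that the Error.stack format is not standardised: Chrome-based engines use a different "at fn (file:line:col)" layout, so this parser is specific to the Firefox text the paper shows.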
This works the following way: object.watch() registers a handler that is called every time the value is changed, and whatever the handler returns becomes the stored value:
object.watch("property",function(id,prev_val,new_val){return new_val;})
The watch monitor on the page is switched on and off with (monitor is the page's logging callback, whose body is not shown here):
function WatchMonitor(onoff){ if(onoff){ theVar.watch("value",monitor); }else{ theVar.unwatch("value",monitor); } }
Here we will make it so that every time the string value of the variable is accessed, a function is executed:
// the real value is kept in theVar.tmp; theVar.value becomes an object whose toString() runs monitor and returns it
function toStringMonitor(onoff){ if(onoff){ theVar.tmp=theVar.value; theVar.value={toString:function(){monitor(1,1,1,1);return theVar.tmp;}}; }else{ delete(theVar.value.toString); theVar.value=theVar.tmp; } }
Here we will make it so that every time the numeric value of the variable is accessed, a function is executed:
// same idea as the toString monitor, but hooking valueOf(), which is used in numeric context
function valueOfMonitor(onoff){ if(onoff){ theVar.tmp=theVar.value; theVar.value={valueOf:function(){monitor(1,1);return theVar.tmp;}}; }else{ delete(theVar.value.valueOf); theVar.value=theVar.tmp; } }
Here we will redefine the alert() function:
// savedFunc holds the original alert so the replacement can still call it (its definition is not shown on the page; assumed)
var savedFunc=window.alert;
// deleting the replacement (an own property of window) exposes the original alert again
function redef(onoff){ if(onoff){ window.alert=function(x){ monitor(1); savedFunc(x); } }else{ delete(window.alert); } }
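The three monitors above (property watch, toString/valueOf coercion hooks, function redefinition) rely on Firefox-only object.watch and on an interactive page. As an added example that is not part of the original paper, here are the same three hooks in standard JavaScript, using Object.defineProperty and plain function wrapping, together with the check a defender would run to notice that a built-in function has been replaced. theVar and the hooked Math.max are constructed stand-ins for the page's theVar and alert; the helper names are my own.

```javascript
// Added example: the paper's three hooks in standard JavaScript, plus a
// tamper check for built-in functions.

// 1. Watch a property: the handler gets (name, old value, new value) and, as
//    with object.watch, its return value is what gets stored. Returns an
//    unwatch function that turns the property back into a plain data property.
function watchProperty(obj, prop, handler) {
  let current = obj[prop];
  Object.defineProperty(obj, prop, {
    configurable: true,
    enumerable: true,
    get() { return current; },
    set(v) { current = handler(prop, current, v); },
  });
  return function unwatch() {
    Object.defineProperty(obj, prop, {
      value: current, writable: true, configurable: true, enumerable: true,
    });
  };
}

// 2. Coercion monitor: an object that runs a callback whenever it is used as a
//    string (toString) or as a number (valueOf), then yields the real value.
function coercionMonitor(value, onCoerce) {
  return {
    toString() { onCoerce("toString"); return String(value); },
    valueOf() { onCoerce("valueOf"); return value; },
  };
}

// 3. Function redefinition: wrap holder[name], keep the original (the paper's
//    savedFunc pattern) and return a restore function.
function hookFunction(holder, name, onCall) {
  const original = holder[name];
  holder[name] = function (...args) {
    onCall(name, args);
    return original.apply(this, args);
  };
  return function restore() { holder[name] = original; };
}

// Defender's check: a genuine built-in prints "[native code]" from
// Function.prototype.toString; a JavaScript replacement does not. A hook can
// also override toString to fake this, so a true result rules out a naive
// replacement only; it is not proof of integrity.
function isNative(fn) {
  return typeof fn === "function" &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Runs all three hooks against constructed objects and reports what happened.
function demo() {
  const events = [];
  const theVar = { value: "default" };   // constructed stand-in for the page's theVar

  const unwatch = watchProperty(theVar, "value", (name, prev, next) => {
    events.push(`set ${name}: ${prev} -> ${next}`);
    return next;
  });
  theVar.value = "changed";
  unwatch();
  theVar.value = "silent";               // no longer observed

  const m = coercionMonitor(42, kind => events.push(`coerce ${kind}`));
  const asText = `${m}`;                 // string context -> toString
  const asNum = m + 1;                   // arithmetic -> valueOf

  const nativeBefore = isNative(Math.max);
  const restore = hookFunction(Math, "max", (name, args) =>
    events.push(`call ${name}(${args.join(",")})`));
  const maxResult = Math.max(1, 5);      // goes through the wrapper
  const nativeWhileHooked = isNative(Math.max);
  restore();
  const nativeAfter = isNative(Math.max);

  return { events, finalValue: theVar.value, asText, asNum,
           maxResult, nativeBefore, nativeWhileHooked, nativeAfter };
}
```

The isNative() check is the part a defender actually uses: running it over the globals a page depends on (alert, fetch, XMLHttpRequest and so on) at startup gives a cheap indicator that another script in the same context has redefined them, which is exactly the condition the paper exploits.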