Tuesday, February 10, 2009

[jsn] isNative: a.k.a. the windmill war

A long, long time ago Andrea Giammarchi and I had nothing better to do than to work out whether there was a way to tell, in JavaScript, whether you were calling a genuine function or a fake one.

We tried very hard to make something reliable, and without fail we managed to crack every single piece of code we wrote.

I gave up, but since then every now and then I recall those days in which we enjoyed this "windmill war".
When I gave up I had an idea, and I have just tried to see whether I could work out something to make that idea work.

What idea?

Basically, since we cannot know whether a function is real, I thought of making the browser fail as soon as someone tries to eval some code: make the eval code call itself in an infinite loop.

<script type="text/javascript">
eval = function(str){
    return eval(str); // calls the overridden eval again: the recursion never ends
};

eval("alert('hello, proof');"); //too much recursion on FF, stack overflow on IE ;)
</script>

Basically, if I extend this logic to all the string-evaluating functions
(the Function object, eval, Object.eval, setTimeout, setInterval) and make them all go through one single function, it should work.


eval = (function(){
    // the replacement never touches the real eval: every string goes through Function
    return function(code){
        (new Function(""+code))();
    };
})();

This way, if I try to use eval to rewrite Function I just can't, because Function is called inside eval, by the same principle as the first snippet I posted.

So why a windmill war?

Function caching, to be precise.
In JavaScript I can write this code:

var f = eval; // keep a reference to the original before replacing it

eval = function(str){
    alert("I'm an evil function! bwahahaha!");
    return f(str); // the cached original still evaluates the code, so nothing breaks
};

So I don't need to use Function anymore to rewrite eval, I just spoof the code,
and I can send the spoofed code around using an HTTP request (for example through the src of an image...).
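The following is an added example, not code from the original post: it builds the spoof exactly as described above (cache the original eval, replace the global, delegate to the cache) and runs two checks against it, a behavioural one and a source-text one. Every name in it (behavesLikeEval, looksNative, compareChecks, the seen log) is constructed for this example.

```javascript
// Added example (not from the original post): comparing two ways of telling a
// "real" eval from a spoofed one after the function-caching trick above.

// Check 1: behaviour. Does the function still evaluate code correctly?
function behavesLikeEval(fn) {
  return fn("1 + 1") === 2 && fn("'a' + 'b'") === "ab";
}

// Check 2: source text. Engines report "[native code]" for built-in functions.
// Function.prototype.toString is called directly so an own toString on fn is ignored.
function looksNative(fn) {
  return typeof fn === "function" &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Run both checks against the untouched eval, then against a spoof built as in
// the post: cache the original, replace the global, delegate to the cached one.
function compareChecks() {
  const original = globalThis.eval;
  const seen = [];                        // constructed log of what the spoof was asked to run
  globalThis.eval = function (str) {
    seen.push(str);
    return original(str);                 // the cached original does the real work
  };
  try {
    return {
      native:  { behaves: behavesLikeEval(original),        looksNative: looksNative(original) },
      spoofed: { behaves: behavesLikeEval(globalThis.eval), looksNative: looksNative(globalThis.eval) },
      observed: seen.length,              // the spoof saw every string the behaviour check fed it
    };
  } finally {
    globalThis.eval = original;           // restore the global so nothing else is affected
  }
}
```

The behavioural check cannot tell the two apart, since the spoof returns exactly what the cached original returns; only the source-text check flags this particular wrapper, while the spoof has meanwhile seen every string passed to it.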

To recap, bear this in mind:
JavaScript is so powerful in the way it lets you modify its behaviour that it is totally unreliable.