evel sandbox challenge
evel.js claims to provide a trustworthy sandbox for running untrusted JavaScript code in modern browsers…
…can you prove this wrong?
The Sandbox
The Rules
- Provide code that pops up an `alert` (or erases the page or causes network activity…) when `evel`'ed.
- Any code given in this URL's fragment part (e.g. `#prompt("What%20is%20your%20quest?")`) will run automatically.
- Share any holes found in `evel` via GitHub issues unless they are browser vulnerabilities…
- …for browser-specific bugs please responsibly contact the vendor. Do let me know something has been filed, please.
Known issues:
- (Most) JavaScript globals are intentionally exposed, as they should not be exploitable.
- Can't prevent infinite loops. Credit: Dominic Tarr
- Constructor-based leaking in IE. Credit: Mario Heiderich
- `Function("return this")()` === ouch. Credit: Stefano Di Paola
- Previous two fixed! Credit: Aaron Kumavis
- Global leakage via `evel` itself! Credit: Mickael van der Beek
- 2015/Feb/3 — Fixed the previous self-inflicted vulnerability, added tests.
- clever exploit here?
© 2013-2015 Nathan Vander Wilt. Terms and conditions apply or something.