This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

FunctionConstructor

Kevin Reid edited this page Apr 16, 2015 · 1 revision

(legacy labels: Attack-Vector)

Function constructor accessible via the 'constructor' property

Effect

Execution of unsanitized code in the global scope

Background

As discussed at http://code.google.com/p/google-javascript-type-system/issues/detail?id=2, the Function constructor allows execution of unsanitized code. It is reachable through the 'constructor' property of any function object, not only through the global name Function, so hiding the global binding alone does not remove it.

EcmaScript 262 section 15.3.4.1 Function.prototype.constructor

The initial value of Function.prototype.constructor is the built-in Function constructor.

Assumptions

The Function constructor has not been replaced with something innocuous.

Versions

All

Example

((function () {}).constructor)(
    'alert("document.cookie = " + document.cookie)')()
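The following is an added example written for this page; it is not code from the Caja project or from the original wiki. It first confirms that the Function constructor is reachable through an ordinary function's constructor property, then replaces that property on Function.prototype with a throwing stub (the "something innocuous" the Assumptions section refers to) and checks that the path no longer compiles code. It goes beyond the page by treating GeneratorFunction and AsyncFunction the same way, since in ES2015+ those constructors are reached through the same property on their own prototypes. The function names, the stub name TamedFunctionConstructor and the sample functions are assumptions of this example.

```javascript
// Added example, not code from the Caja wiki. Shows that the Function
// constructor stays reachable through a function object's `.constructor`
// property, and closes that path by replacing the property with a stub.
// Also covers GeneratorFunction and AsyncFunction (ES2015+), which are not
// on the page but expose the same code-compilation behaviour.

// Every function kind whose prototype carries a constructor able to compile
// source text. The sample functions are constructed here only to reach them.
function reachableFunctionConstructors() {
  const samples = [
    function () {},       // ordinary function  -> Function
    () => {},             // arrow function     -> Function
    function* () {},      // generator          -> GeneratorFunction
    async function () {}, // async function     -> AsyncFunction
  ];
  return samples.map((fn) => fn.constructor);
}

// True when `ctor` compiles a string into a callable, i.e. the vector is open.
function constructorCompilesCode(ctor) {
  try {
    return typeof new ctor('return 42') === 'function';
  } catch (e) {
    return false; // a tamed constructor throws instead of compiling
  }
}

// Replace each reachable constructor property with a non-callable stub.
// Idempotent: a second call finds the stubs already in place and changes nothing.
function tameFunctionConstructors() {
  const tamed = [];
  for (const ctor of new Set(reachableFunctionConstructors())) {
    if (ctor.name === 'TamedFunctionConstructor') continue; // already tamed
    const stub = function TamedFunctionConstructor() {
      throw new TypeError('compiling code via .constructor is disabled');
    };
    Object.defineProperty(ctor.prototype, 'constructor', {
      value: stub, writable: false, enumerable: false, configurable: false,
    });
    tamed.push(ctor.name);
  }
  return tamed;
}

// Demonstration: the vector is open before taming and closed afterwards.
const beforeOpen = constructorCompilesCode((function () {}).constructor); // true
const tamedNames = tameFunctionConstructors(); // ['Function', 'GeneratorFunction', 'AsyncFunction']
const afterOpen = constructorCompilesCode((function () {}).constructor); // false
console.log({ beforeOpen, tamedNames, afterOpen });
```

This closes only the constructor-property route. The global binding Function itself is untouched by this step, as are eval and any other compilation entry points, so a sandbox must withhold those separately, and the replacement has to happen before any untrusted code runs, because until then the property is still configurable and could be restored.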