The Good Parts of JavaScript and the Web The Good Parts of JavaScript and the Web

Identifying Security Vulnerabilities - Continued

Check out a free preview of the full The Good Parts of JavaScript and the Web course:
The "Identifying Security Vulnerabilities - Continued" Lesson is part of the full, The Good Parts of JavaScript and the Web course featured in this preview video. Here's what you'd learn in this lesson:

Doug continues to field audience questions about the vulnerabilities in the code.

Get Unlimited Access Now

Transcript from the "Identifying Security Vulnerabilities - Continued" Lesson

[00:00:00]
>> [MUSIC]

[00:00:04]
>> Douglas Crockford: So, we've gotten very close a couple of times. It is concerned with Push. It is concerned with a function that will return this.
>> Speaker 2: So, I return this or uses this, it's referring to.
>> Douglas Crockford: The array or is it referring to vector?
>> Speaker 2: The array.
>> Douglas Crockford: So [INAUDIBLE] through the length of [INAUDIBLE].

[00:00:44]
>> Speaker 3: If you push a function onto If you append a function onto this. You call that.
>> Speaker 3: Is it not passing a function to one of these?
>> Douglas Crockford: Yes, it does.
>> Speaker 3: If that function includes this inside of it and you call that function what the scope of this?

[00:01:19] They would be.
>> Douglas Crockford: It will depend on how the function is called bit there are four different ways to call a function and what happens to this depends on which form of call it is.
>> Speaker 3: We want it to be.
>> Douglas Crockford: You want it to be the method form?

[00:01:42]
>> Speaker 3: What's that look like?
>> Douglas Crockford: It looks like a method invocation.
>> Speaker 3: Okay.
>> Speaker 4: The function could assign this to a global.
>> Douglas Crockford: It could.
>> Douglas Crockford: Right, that's not so and in fact that is a possible way of exploiting this. But it's not key to the attack.
>> Speaker 3: Okay, so I passed in, I pushed on to the end of the function which console logs this zero and it's sending, it's getting, it’s putting the first joint in the array into the console.

[00:02:33]
>> Douglas Crockford: Right, but they can get the first element of the array simply by calling push.
>> Speaker 3: We want to hoard, right?
>> Douglas Crockford: Not necessarily the whole contents of the array but the array object itself. That's the thing that we're trying to protect.
>> Speaker 3: Right, so I pass in a, okay, got it.

[00:02:54]
>> Speaker 4: Can you call this.this.array? From a function that you pass in and you're storing I don't think that's poking around the construct right past it all. I'm sorry but it just struck instructor.
>> Douglas Crockford: That's not to help you. This by itself. If you get it done correctly as
>> Speaker 5: So, I don't have this bound correctly, but I passed in a function that returns a console log this bound that via get to a variable and then call the variable.

[00:03:29] That's returning the window object getting on the right track or not but
>> Douglas Crockford: No, it's not. You can get to the window object without calling it [CROSSTALK] [LAUGH]
>> Speaker 5: Thanks, Douglas.
>> Speaker 3: All I do is push a function on it returns this. And so now-
>> Speaker 3: Because I need to know how many items sir, now I'm gonna get this function here I guess I need to know how many items are on it.

[00:04:03] So like, so now I have to actually choose store, looks like.
>> Douglas Crockford: Right.
>> Speaker 3: So, I'm gonna store at a position, say five Function that returns this. Now is all I have to call is get five pairings and the result of that's gonna be the array.
>> Douglas Crockford: No, it's not but you're getting closer.

[00:04:26] You do want to store your function
>> Speaker 3: Okay.
>> Douglas Crockford: So, the thing you haven't got yet is the value of i.
>> Speaker 3: [LAUGH]
>> Speaker 3: We never got the value of i.
>> Douglas Crockford: Yeah, there is a specific value of i that makes this attack work.
>> Speaker 5: Undefined?
>> Douglas Crockford: Nope.

[00:05:04]
>> Speaker 3: One?
>> Douglas Crockford: [LAUGH] No, what will happen if you say negative one.
>> Speaker 3: I have no idea.
>> Douglas Crockford: Well, it'll take the brackets. Right, the brackets will say take that number try to link it to a string you get the string dash one and then it will store a array dot dash one.

[00:05:26] That's where it goes.
>> Speaker 3: JavaScript objects don't fill in if you set a really high number, do they?
>> Douglas Crockford: Nope.
>> Speaker 3: Cuz they're not really arrays.
>> Douglas Crockford: They're really half arrays.
>> Speaker 3: Yeah.
>> Speaker 6: Do we have to do the max number. That number.
>> Douglas Crockford: No.
>> Speaker 6: You're not trying to store it current length plus one.

[00:05:58]
>> Douglas Crockford: No.
>> Speaker 3: You don't know the length.
>> Speaker 6: No, you're right
>> Douglas Crockford: This is the way.
>> Speaker 6: So, is I we want to pass and this to refer to the reaction.
>> Douglas Crockford: I'm sorry.
>> Speaker 6: Is I we want to pass and this to refer to the Rapture.
>> Douglas Crockford: No, you want the reference to this to be in the function of the house.

[00:06:33]
>> Speaker 3: I don't know it seems to me that you could, but first of all you have to know that this vector perhaps that it's an array that you're dealing with, I would think
>> Douglas Crockford: Right.
>> Speaker 3: If you-
>> Douglas Crockford: We'll assume that the autocracy is the source code [CROSSTALK]

[00:06:46]
>> Speaker 3: You said an arbitrary value, then you're obliterating that arbitrary value, so let's just choose a random number five. First, you've gotta get five. So, now you've got that. Now, you can set five to this function that returns the whole array.
>> Douglas Crockford: Right.
>> Speaker 3: And then, if you need to fix five in that array with the woman you got the first time.

[00:07:05]
>> Douglas Crockford: Right.
>> Speaker 3: And now you've got the right one but you don't don't.
>> Douglas Crockford: Not because in order for the binding of this to happen. You have to call it as a method in this context.
>> Speaker 3: Yeah, I'm just playing in the console window here.
>> Speaker 3: Okay, yeah.

[00:07:32]
>> Speaker 3: I'm not sure I remember, obviously, things that you do. Act like I put a new menu here.
>> Douglas Crockford: Right.
>> Speaker 6: So, there's a specific value of i ever you need to store this function.
>> Douglas Crockford: Yes.
>> Speaker 6: Okay. Trying to get the maybe?
>> Douglas Crockford: Nope.
>> Douglas Crockford: So, are you stumped?

[00:07:54]
>> Speaker 7: It's not undefined he said. So [LAUGH]
>> Douglas Crockford: It's not undefined. No?
>> Speaker 7: [LAUGH]
>> Speaker 3: Null.
>> Douglas Crockford: it's not. Its not null its not one.
>> Speaker 6: Could you pass it one of the array functions like math?
>> Douglas Crockford: You can, but that's not going to help you.
>> Speaker 3: Zero?

[00:08:15]
>> Douglas Crockford: It's not zero.
>> Speaker 3: How could some magic number, hey come on.
>> Speaker 6: [LAUGH] Is it 42? Is it three?
>> Speaker 7: Is it factor.prototype, or something like that?
>> Douglas Crockford: Nope.
>> Speaker 7: It's not some weird magic number.
>> Douglas Crockford: It's not a weird magic number.
>> Speaker 7: Okay.
>> Speaker 6: 42.
>> Speaker 7: That's high.

[00:08:32] That is very strange.
>> Douglas Crockford: In fact, it's not even a number.
>> Speaker 3: Is it not a number?
>> Douglas Crockford: It is not not a number.
>> Speaker 3: [LAUGH] It's a number!
>> Douglas Crockford: [LAUGH] Not a number is a number.
>> Speaker 7: So, it is not a number, like NAN?
>> Speaker 3: No it's not NAN.

[00:08:55]
>> Douglas Crockford: No, it's not NAN.
>> Speaker 3: How about function?
>> Speaker 7: I say we just go for it, what do you guys think?
>> Speaker 3: Are you gonna make him tell us?
>> Speaker 7: You guys must have very serious hacking
>> Speaker 3: I can not give up the answer, we could be here all day Somebody Google it, so we can pretend like we got it.

[00:09:21]
>> Speaker 7: After overflow.
>> Speaker 6: [LAUGH] is eval play anywhere in this.
>> Douglas Crockford: No, we're not using eval. That's a really good question. Eval is full of trouble but that's, we're not concerned about eval here.
>> Speaker 3: It is a string?
>> Douglas Crockford: It is a string.
>> Speaker 3: For each.
>> Douglas Crockford: Nope.

[00:09:46]
>> Speaker 6: [LAUGH] The empty string.
>> Douglas Crockford: So, it's not the empty string.
>> Speaker 6: The string this?
>> Douglas Crockford: It is not two string.
>> Speaker 4: [LAUGH] It is not the string this?
>> Douglas Crockford: It is not the string this.
>> Speaker 7: This is a key, this is.
>> Speaker 3: Is it every?
>> Douglas Crockford: It is not every.

[00:10:19]
>> Speaker 7: Not the string or array.
>> Speaker 3: There's another function that you can call an array.
>> Douglas Crockford: Yes.
>> Speaker 3: Well, okay, is it
>> Douglas Crockford: Yes, it is one of those.
>> Speaker 3: Okay.
>> Speaker 7: So, it has to be in array method, it's push.
>> Douglas Crockford: It is push.
>> Speaker 3: So, you set.

[00:11:03]
>> Douglas Crockford: Right, so.
>> Speaker 3: You store push.
>> Douglas Crockford: We store push with a function that has access to this. So, then the question is, how do you get that function to get called?
>> Speaker 3: You call a pen.
>> Douglas Crockford: You call a pen. Ladies and gentlemen.
>> [APPLAUSE]