[WEB SECURITY] JSReg now on acid

[gaz Heyes]

Hey all

Stefan Tomas give me a kick up the backside and asked me what's the deal
with JSReg. So I thought I'd update the online version. I've reduced the
code to 813 lines now, my plan is to make it smaller with some RegEx hacks.
It's much faster now that I dropped RegExp/String/Number rewriting, now I
just match and return the prototyped originals. It supports empty array
literals too, I can't support array literals fully yet but as a work around
you can either set the array first or use the Array() constructor.

It still isn't perfect the loop checks need to be improved and the "in"
operator could do with another method but it's the best I've got so far.

<http://www.businessinfo.co.uk/labs/jsreg/jsreg.html>

This is the most secure JavaScript sandbox ever and cannot be broken by
mortal hands, if Stefano Di Paola was to attempt to break it I would imagine
the challenge would be to great for him. Likewise Jesse Ruderman or Jeff
Walden would find it an impossible task to return to window. Giorgio Maone
may think he knows JavaScript but would he ever dare to break JSReg? I think
not as I've said it is very difficult. Kuza might think he could spot
implementation mistakes but I doubt there are any. As for Eduardo Vela, yeah
he broke it in the past but then it was easy. Now it's a real challenge, I
don't see him even coming close to find any sort of RegEx mistake. If I was
to challenge some researchers to break it Mario Heiderich would never win
it, he wouldn't even come close to breaking it. Thornmaker might be able to
pull some phpids hacks out of the bag but can he come even close to a real
challenge I think not. As for you, yes you. You might have noticed I didn't
mention your name, that's because I don't think you can break it. Prove me
wrong.

Cheers

Gareth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20100311/2fe10b97/attachment.html>