
I'm doing a code audit and the toString method can be overwritten by an attacker due to an unwanted behavior. It is overwriting the toString method with a string rather than a method.

Take the following code:

let a = new Object();
a.toString = "function(){ return 'hello world' }"

a.toString is a string and not a function here. Thus, a.toString() won't work.

Is there any hack possible that would result in accidentally executing the toString string (considering the string can be anything, and not considering eval)?

  • @T.J.Crowder I'm doing a code audit and the toString method can be rewritten. Since the input is coming from a client, it's overwriting the toString method of the instance with a string sent by a client. I was wondering if there were any security risk here. Commented Dec 8, 2018 at 14:26
  • @T.J.Crowder This is not a wanted behavior but a bug. It remains to discover if this bug is exploitable in some way. Commented Dec 8, 2018 at 14:30
  • @AnonBird - Now that makes sense. :-) I'd include that too. Commented Dec 8, 2018 at 14:32
  • It depends on what the attacker can do and what the rest of the code does with your a object. Commented Dec 8, 2018 at 14:34
  • @melpomene The whole object (every method and attribute) can be overwritten. Since this is a GET variable coming from the client, I guess the only used method here is toString. This is a bug bounty and I don't have access to the source code. Commented Dec 8, 2018 at 14:45

1 Answer

From your clarifying comment:

I'm doing a code audit and the toString method can be rewritten. Since the input is coming from a client, it's overwriting the toString method of the instance with a string sent by a client. I was wondering if there were any security risk here.

Unless your code does something to turn that string into a function (eval(a.toString), new Function(a.toString), btn.onclick = a.toString;, ...), it won't become one, so in that sense it's not a security risk. Anything attempting to call toString on a (explicitly or implicitly) will get an error instead. For instance, here's an implicit use of toString:

let a = new Object();
a.toString = "function(){ return 'hello world' }"
String(a); // TypeError: a.toString is not a function

It's obviously not desirable, but you said it was a bug and you're trying to explore the degree to which it could be exploited. I'd say it's not particularly exploitable.
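As an added example (not code from the question or the answer above), the following probes make the answer's point concrete for both the question and the answer: every coercion that implicitly invokes toString throws a TypeError when the property holds a string, JSON.stringify just emits the string as data, and the string only becomes behaviour when something compiles it. It finishes with a guard that rejects client-controlled keys which shadow Object.prototype, which is the fix for the bug being audited. The PAYLOAD value, the applyClientInput helper and the new Function sink are assumptions made for illustration, not anything taken from the audited application.

```javascript
// Added example, not part of the original post. Constructed payload: the
// exact string from the question, stored as a client-controlled value.
const PAYLOAD = "function(){ return 'hello world' }";

// Simulates the audited bug: a client-supplied key/value pair is written
// straight onto the object, so "toString" overwrites the inherited method.
// (Assumed helper; the real application's code is not available.)
function applyClientInput(target, key, value) {
  target[key] = value;
  return target;
}

// Runs one operation and records whether it threw and with which error type.
function probe(label, fn) {
  try {
    return { label, ok: true, result: fn() };
  } catch (e) {
    return { label, ok: false, error: e.constructor.name };
  }
}

// Every implicit or explicit toString use on the poisoned object. None of
// these compile or run the string; the ones that need a primitive throw.
function runSafeProbes(obj) {
  return [
    probe('String()', () => String(obj)),
    probe('template literal', () => `${obj}`),
    probe('concatenation', () => obj + ''),
    probe('explicit call', () => obj.toString()),
    // JSON.stringify never calls toString; the string is serialized as data.
    probe('JSON.stringify', () => JSON.stringify(obj)),
    // What the server actually holds after the overwrite.
    probe('typeof', () => typeof obj.toString),
  ];
}

// The only way the string turns into code: a sink that compiles it. This is
// an assumed sink for illustration (the question excludes eval; new Function
// is the equivalent compile-from-string primitive).
function runDangerousSink(obj) {
  const factory = new Function('return ' + obj.toString); // compiles the string
  return factory()(); // factory() yields the inner function; call it
}

// Hardened form of applyClientInput: refuse any key that already exists on
// Object.prototype (toString, valueOf, constructor, __proto__, ...), so a
// client can only add plain data properties.
function applyClientInputSafely(target, key, value) {
  if (typeof key !== 'string' || key in Object.prototype) {
    throw new Error('rejected client-controlled key: ' + key);
  }
  target[key] = value;
  return target;
}

// Stand-alone demonstration.
const victim = applyClientInput({}, 'toString', PAYLOAD);
for (const p of runSafeProbes(victim)) {
  console.log(p.label, p.ok ? 'ok: ' + p.result : 'threw ' + p.error);
}
console.log('sink result:', runDangerousSink(victim));
try {
  applyClientInputSafely({}, 'toString', PAYLOAD);
} catch (e) {
  console.log('guard:', e.message);
}
```

Running it shows that String(), template literals, concatenation and the explicit call all throw TypeError, while JSON.stringify succeeds and typeof reports "string"; only the new Function sink yields "hello world". So the audit question reduces to grep-ing the application for compile-from-string sinks (eval, new Function, string arguments to setTimeout/setInterval, setAttribute('onclick', ...)) that are fed this property.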
