Mental JS suffers from a sandbox bypass: JavaScript can still be executed by assigning markup to document.body.innerHTML.
# Title: Mental JS Sandbox Bypass
# Product: Mental JS
# Author: Rafay Baloch and Giuseppe Trotta (@guitro)
# Company: RHAINFOSEC
# Website: http://services.rafayhackingarticles.net
============
Description
============
MentalJS is a JavaScript sandbox created by Gareth Heyes. The sandbox is
inserted at the beginning of the HTML response, with the aim of preventing an
attacker from accessing DOM elements.
============
Vulnerability
============
It was still possible to access DOM elements with MentalJS enabled by
executing JavaScript through the document.body.innerHTML property: assigning
markup that carries an inline event handler attribute (onmouseover in the
proof of concept below) causes the handler to run outside the sandbox.
================
Proof of concept
================
The POC is as follows:
http://www.modsecurity.org/demo/demo-deny-noescape.html?test=%3Cscript%3Edocument.body.innerHTML=%22%3Cform+onmouseover=javascript:alert(0);%3E%3Cinput+name=attributes%3E%22;%3C/script%3E
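As an added, defender-side example (not part of the advisory or of MentalJS), the following script flags requests that carry the pattern described above: a script tag, an assignment to innerHTML, an inline on* event handler attribute, or a javascript: URL inside a query parameter. The indicator names and the sample requests other than the advisory's own PoC URL are constructed for this example; decoding is repeated so that double-encoded values are not missed.

```javascript
// Added example: request-level indicators for the innerHTML / inline-event-handler
// pattern described in the advisory. Not part of MentalJS or the original advisory.

// Indicator names are chosen for this example; each regex runs over the decoded
// parameter value, i.e. roughly what a DOM sink such as innerHTML would receive.
const INDICATORS = [
  { name: 'script-tag',           re: /<\s*script\b/i },
  { name: 'innerhtml-assignment', re: /\.innerHTML\s*=/i },
  { name: 'inline-event-handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-url',       re: /javascript\s*:/i },
];

// Decode a query value the way a browser-side sink would eventually see it.
// Repeats until the value stops changing so a double-encoded payload is still
// caught; a malformed %xx sequence stops decoding and keeps the current text.
function fullyDecode(value) {
  let current = value.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Split the query string of a URL into decoded name/value pairs.
function queryParams(url) {
  const q = url.indexOf('?');
  if (q === -1) return [];
  return url.slice(q + 1).split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    return { name: fullyDecode(name), value: fullyDecode(value) };
  });
}

// Return the names of every indicator matched in any parameter value of the URL.
function findIndicators(url) {
  const hits = new Set();
  for (const { value } of queryParams(url)) {
    for (const ind of INDICATORS) {
      if (ind.re.test(value)) hits.add(ind.name);
    }
  }
  return [...hits];
}

// Constructed sample requests: the advisory's PoC URL, a plain-text value, and a
// value containing harmless markup that must not be flagged.
const SAMPLE_REQUESTS = [
  'http://www.modsecurity.org/demo/demo-deny-noescape.html?test=%3Cscript%3Edocument.body.innerHTML=%22%3Cform+onmouseover=javascript:alert(0);%3E%3Cinput+name=attributes%3E%22;%3C/script%3E',
  'http://www.modsecurity.org/demo/demo-deny-noescape.html?test=hello+world',
  'http://www.modsecurity.org/demo/demo-deny-noescape.html?test=%3Cb%3Ehello%3C/b%3E',
];

// Scan a list of request URLs and pair each with the indicators it triggered.
function scan(requests) {
  return requests.map((url) => ({ url, indicators: findIndicators(url) }));
}

for (const result of scan(SAMPLE_REQUESTS)) {
  console.log(result.indicators.length ? 'FLAG' : 'ok  ', result.indicators.join(','), result.url);
}
```

The decoded PoC value trips all four indicators, while the plain-text and harmless-markup requests trip none. The regexes are deliberately narrow and are a triage signal, not a sanitizer: the mitigation on the application side remains not to hand attacker-controlled strings to innerHTML at all (use textContent, or a sanitizer that strips inline event handler attributes), and to pair that with a Content Security Policy that disallows inline script so that an on* handler slipped past the sandbox does not execute.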