List of constructors whose instances expose a reference to document or window, reachable without parentheses

By Pepe Villa (@cgvwzq) - http://jsfiddle.net/MhLPG/1/

By
skeptic_fx 1 Seen 486 times
Tags
window xss no-parenthesis constructor

Results


Tested on
Chrome - 55 - Mac OS X
Constructor | Type of Object
[new Text][0]['ownerDocument'] | Document
[new Range][0]['startContainer'] | Document
[new Range][0]['endContainer'] | Document
[new Range][0]['commonAncestorContainer'] | Document
[new Option][0]['ownerDocument'] | Document
[new Option][0]['firstChild'] | Node/Window
[new Option][0]['lastChild'] | Node/Window
[new Image][0]['ownerDocument'] | Document
[new Audio][0]['ownerDocument'] | Document
[new DocumentFragment][0]['ownerDocument'] | Document
[new Comment][0]['ownerDocument'] | Document

Tested on
Chrome Mobile - 41 - Android
Constructor | Type of Object
[new Audio][0]['ownerDocument'] | Document
[new Text][0]['ownerDocument'] | Document
[new Range][0]['commonAncestorContainer'] | Document
[new Range][0]['endContainer'] | Document
[new Range][0]['startContainer'] | Document
[new Option][0]['ownerDocument'] | Document
[new Option][0]['lastChild'] | Node/Window
[new Option][0]['firstChild'] | Node/Window
[new Image][0]['ownerDocument'] | Document
[new DocumentFragment][0]['ownerDocument'] | Document
[new Comment][0]['ownerDocument'] | Document

Tested on
Firefox - 47 - Mac OS X
Constructor | Type of Object
[new Comment][0]['ownerDocument'] | Document
[new Text][0]['ownerDocument'] | Document
[new Range][0]['startContainer'] | Document
[new Range][0]['endContainer'] | Document
[new Range][0]['commonAncestorContainer'] | Document
[new DocumentFragment][0]['ownerDocument'] | Document

Tested on
Googlebot - 2.1 - undefined
Constructor | Type of Object
[new Audio][0]['ownerDocument'] | Document
[new Text][0]['ownerDocument'] | Document
[new Range][0]['commonAncestorContainer'] | Document
[new Range][0]['endContainer'] | Document
[new Range][0]['startContainer'] | Document
[new Option][0]['ownerDocument'] | Document
[new Option][0]['lastChild'] | Node/Window
[new Option][0]['firstChild'] | Node/Window
[new Image][0]['ownerDocument'] | Document
[new DocumentFragment][0]['ownerDocument'] | Document
[new Comment][0]['ownerDocument'] | Document

Tested on
IE - 11 - Windows 7
Constructor | Type of Object
No Data enumerated. The Data Array was empty.

Tested on
IE Mobile - 11 - Windows Phone 8
Constructor | Type of Object
No Data enumerated. The Data Array was empty.

Tested on
Mobile Safari - Unknown Version - iOS
Constructor | Type of Object
No Data enumerated. The Data Array was empty.

Tested on
Safari - 9.1.2 - Mac OS X
Constructor | Type of Object
[new Comment][0]['ownerDocument'] | Document
[new DocumentFragment][0]['ownerDocument'] | Document
[new Range][0]['startContainer'] | Document
[new Range][0]['endContainer'] | Document
[new Range][0]['commonAncestorContainer'] | Document
[new Text][0]['ownerDocument'] | Document

User Script (ENUM_FUNCTION)

					
/**
 * Classifies one enumerated expression and hands the label to addResult
 * (addResult is defined by the test harness, not shown here).
 *
 * @param {string} data - One entry from the Enumeration List, e.g.
 *   "[new Text][0]['ownerDocument']".
 */
function test(data){
// data is the input variable that is supplied from the Enumeration List.

// The entry is neither validated nor transformed here: it is executed as code
// by a direct eval(), so it runs with access to this function's scope. Only
// strings produced by the enumeration script should ever reach this function.
// Any value that is not a Document is labelled 'Node/Window'; the label does
// not distinguish a Node from a Window.
  addResult(data, (eval(data) instanceof Document)?'Document': 'Node/Window');

}


					
				

Enum Data (ENUM_FUNCTION)

					
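// Enumeration script: builds `data`, a list of expression strings of the form
// "[new Ctor][0]['prop']" whose value is a Node or a Window.
//
// Each entry reaches such an object using only `new`, brackets and string
// keys, with no call parentheses. Reviewers can use the list to show why a
// filter that only blocks "(" and ")" is not a sufficient XSS defence.
//
// The strings are later executed with eval() by the test function, so every
// name interpolated below is checked first: a name that could change the
// shape of the generated expression is skipped instead of being emitted.
var data = [];

// A constructor name is written bare after `new`, so it must be a plain
// ASCII identifier. NOTE(review): non-ASCII identifiers are skipped too.
var safeName = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// A property name is written inside single quotes, so it must not contain a
// quote, a backslash or a line terminator.
var unsafeKey = /['\\\r\n\u2028\u2029]/;

// Phase 1: list every own property of window that is a constructor which can
// be instantiated without arguments.
var i, d=[], foo = Object.getOwnPropertyNames(window), c;
for (i = 0; i < foo.length; i++) {
  try {
     c = window[foo[i]];
     if (safeName.test(foo[i]) && c.prototype && c === c.prototype.constructor) {
         try {
             new c;
             d.push(foo[i]);
         } catch (ignored) {
             // Expected for most constructors: they require arguments or are
             // not constructible. Best-effort probe, so skip silently.
         }
     }
  } catch (ignored) {
     // Reading the property or its prototype threw (e.g. null value); skip.
  }
}

// Phase 2: instantiate each constructor again and record every enumerable
// property whose value is a Node or a Window.
var j, e;
for (i = 0; i < d.length; i++) {
    try {
        c = new window[d[i]];
        for (j in c) {
            e = c[j];
            // window.constructor is the Window interface object.
            if ((e instanceof Node || e instanceof window.constructor) && !unsafeKey.test(j)) {
                data.push("[new "+d[i]+"][0]['"+j+"']");
            }
        }
    } catch (err) {
        // A throwing getter ends the scan of this object; log and move on.
        console.log(err);
    }
}

console.log(data);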