e-secks / lesson-env-vuln

i-Ready lesson vulnerability that tricks the lesson into changing environments

License: MIT License

hack i-ready i-ready-hack i-ready-hacks iready iready-cheat iready-hack iready-hacks iready-javascript iready-lesson iready-mod iready-overload javascript vulnerability

lesson-env-vuln's Introduction

i-Ready Lesson Environment Vulnerability

This vulnerability in i-Ready's lesson allows for manipulation, tricking the lesson into changing environments.

How it Works

i-Ready's lesson checks the environment using the following code:

key: "isIntegratedEnvironment",
value: function e() {
  return window !== window.parent
}

This check is easy to defeat because window.parent can be overridden, which poses a security risk. A more secure alternative would be window.top, which cannot be overridden. Interestingly, other parts of the codebase use window.top, but this specific instance uses window.parent. Furthermore, using window.parent here can cause the code to break if it is used before the lesson is fully loaded, due to improper checks elsewhere.

Usage

i-Ready environment

This manipulates the lesson into thinking it's in an iframe within the actual i-Ready environment.

html5Iframe.contentWindow.parent = { postMessage : console.log }

Note: Setting postMessage to console.log is done to prevent errors and observe the behavior of the associated Penpal.

Local environment

This manipulates the lesson into thinking it's not in an iframe, simulating the scenario where the URL is directly opened.

html5Iframe.contentWindow.parent = html5Iframe.contentWindow
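The difference between the two properties, as an added example that is not code from i-Ready or from this repository: it models in plain JavaScript (runnable in Node) how browsers define window.parent as replaceable and window.top as unforgeable, then compares the check quoted above with the window.top alternative after the same kind of assignment. makeFrameWindow, checkWithParent, checkWithTop and demo are hypothetical names.

```javascript
'use strict';

// Model of a browser window object (assumption: one level of framing, so the
// embedding page is both parent and top). With no argument it is a top-level page.
function makeFrameWindow(host) {
  const win = {};
  // window.parent is [Replaceable]: assigning to it shadows the accessor
  // with an ordinary data property holding whatever was assigned.
  Object.defineProperty(win, 'parent', {
    configurable: true,
    enumerable: true,
    get() { return host || win; },
    set(value) {
      Object.defineProperty(win, 'parent', {
        value, writable: true, configurable: true, enumerable: true,
      });
    },
  });
  // window.top is [LegacyUnforgeable]: non-configurable getter, no setter.
  Object.defineProperty(win, 'top', {
    configurable: false,
    enumerable: true,
    get() { return host || win; },
  });
  return win;
}

// The check quoted on the page.
const checkWithParent = (win) => win !== win.parent;
// The alternative the page suggests.
const checkWithTop = (win) => win !== win.top;

function demo() {
  const hostPage = makeFrameWindow();        // constructed top-level page
  const lesson = makeFrameWindow(hostPage);  // constructed lesson iframe
  const before = { parent: checkWithParent(lesson), top: checkWithTop(lesson) };

  lesson.parent = lesson;                                 // accepted
  const topAccepted = Reflect.set(lesson, 'top', lesson); // rejected

  const after = { parent: checkWithParent(lesson), top: checkWithTop(lesson) };
  return { before, after, topAccepted };
}

console.log(demo());
```

The model covers property replacement only. Any script that can reach the frame's window can also replace the checking function itself, so a client-side environment check should not be the only thing deciding behaviour that matters.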
