java script obfuscation
DESCRIPTION
null, Hasgeek, JSFoo, HackNight - 03 August 2013TRANSCRIPT
![Page 1: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/1.jpg)
JavaScript Obfuscation
![Page 2: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/2.jpg)
Working in Information Security for more than 10
years
null Moderator for Bangalore Chapter
Have a passion towards Security
Penetration Tester in Day, Coder, Researcher @ night
Coder of “IronSAP”
Just completed OSCP
Prasanna Kanagasabai
![Page 3: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/3.jpg)
JavaScript
JavaScript Obfuscation
JavaScript D-Obfuscation Techniques
![Page 4: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/4.jpg)
Art of Hiding Execution from plain text
JavaScript : Attack & Defense
Obfuscation is the concealment of intended meaning in communication, making
communication confusing, intentionally ambiguous, and more difficult to interpret.
--Wikipedia definition
![Page 5: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/5.jpg)
JavaScript : Attack & Defense
Example
<pre>
function wprcm(){ var uUHIjMJVFJET = navigator.userAgent.toLowerCase();
if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) != -
'Z'[720094129..toString(16<<1)+""]) { return
String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0
x72,0x46,0x53); } if(uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x")
!= -'c'[720094129..toString(4<<3)+""]) { return (-~-~-
~'Nday'[720094129..toString(1<<5)+""]<(-~-
~'bp'[720094129..toString(2<<4)+""]*010+2)?(function () { var
qeNX='sG',YMkg='XfkU',PQmI='l',Iulx='oMAYc'; return
PQmI+Iulx+YMkg+qeNX })():String.fromCharCode(106,0x67,0143,120,117)); }
![Page 6: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/6.jpg)
Bypass WAF’s, filters
Decrypt Exploit Packs
Bypass filters (in-house and commercial)
hide implementation details
Social engineering payloads
![Page 7: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/7.jpg)
JavaScript : Attack & Defense
![Page 8: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/8.jpg)
Loosely Typed Language
Gibberish Looking Data can convey valid information
Web Depends on JS
Mostly used in client side by recently server side
impletions like node.js are becoming famous
Sample:
function factorial(n) { if (n === 0) { return
1; } return n * factorial(n - 1); }
![Page 9: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/9.jpg)
“I am a normal string ” -- Normal String
‘I am a normal string’ -- Normal String
/ I am a regex string/+”” -- Regex Strings
/I am a regex string/.source -- Regex Source facility
[‘I am a String ’]+[] -- Square notation to access string.
JavaScript provides various methods to create strings
Strings play a very major role in obfuscation
Some implementations can be browser specific only
![Page 10: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/10.jpg)
JavaScript supports many infix operators:
+,-,~,++,--,!,
Plays a very active role in obfuscation
![Page 11: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/11.jpg)
What is Regular Expressions ?
Browsers Support RE as function and arguments to it.
The result is either first matched or if parentheses is
used the result is stored in a array.
![Page 12: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/12.jpg)
// single Line comments
/**/ is a multiline comments.
JavaScript supports <!---> HTML comments inline in
JavaScript.
![Page 13: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/13.jpg)
Critical part of Obfuscation
3 Modes Supported :
1. Unicode =====> \u0061
2. Octal =====> \141
3. Hex =====>\x61
![Page 14: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/14.jpg)
Hide EVAL from the previous Slide
![Page 15: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/15.jpg)
(a = {}.Valueof,
a())[‘String.fromCharCode(String.fromCharCode(101,1
18,97,108);
)’]
Basic Obfuscation !!!
![Page 16: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/16.jpg)
variables can be used to store values
Can be defined with or without “var”
1. Alphanumeric characters
2. numbers except the first character
3. _ and $
4. Unicode characters
![Page 17: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/17.jpg)
JS allows various methods to create JavaScript variables:
x = "string"; (x)=('string'); this.x='string'; x ={'a':'string'}.a; [x,y,z]=['str1','str2','str3']; x=/z(.*)/('zstring')[1];x='string'; x=1?'string':0
JavaScript : Attack & Defense
![Page 18: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/18.jpg)
Essential to interact with browser objects like:
Document – Get Access to DOM, URL,Cookies
Name – Sets property name from parent window.
Location.hash
The URL variable
![Page 19: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/19.jpg)
JavaScript : Attack & Defense
![Page 20: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/20.jpg)
Would you believe this is JavaScript
JavaScript : Attack & Defense
![Page 21: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/21.jpg)
Creating a JavaScript Snippet Without any
Alphanumeric characters
(+[][+[]]+[])[++[[]][+[]]] = “a”
Detailed steps :
1. +[] = 0
2. [+[]] = 0 inside object accessor
3. [] [+[]] = Create a blank Array with trying to 0 which
creates error ‘undefined’
![Page 22: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/22.jpg)
4. +[] [+[]] = We use infix operator + to perform a
mathematical operation on result of previous operation
which results a error NaN (Not a Number)
We now have to extract the middle ‘a’ from the result:
1. (+[] [+[]] +[]) = Nan in string
2.++[[]] [+[]] = 1 (quirk by oxotonick)
3. (+[][+[]]+[])[++[[]][+[]]] = ‘a’
JavaScript : Attack & Defense
![Page 23: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/23.jpg)
JavaScript : Attack & Defense
![Page 24: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/24.jpg)
JavaScript : Attack & Defense
<pre>
function wprcm(){ var uUHIjMJVFJET = navigator.userAgent.toLowerCase();
if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) != -
'Z'[720094129..toString(16<<1)+""]) { return
String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0
x72,0x46,0x53); } if(uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x")
!= -'c'[720094129..toString(4<<3)+""]) { return (-~-~-
~'Nday'[720094129..toString(1<<5)+""]<(-~-
~'bp'[720094129..toString(2<<4)+""]*010+2)?(function () { var
qeNX='sG',YMkg='XfkU',PQmI='l',Iulx='oMAYc'; return
PQmI+Iulx+YMkg+qeNX })():String.fromCharCode(106,0x67,0143,120,117)); }
Obfuscated Code:
![Page 25: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/25.jpg)
JavaScript : Attack & Defense
<pre>
function wprcm(){ var uUHIjMJVFJET = navigator.userAgent.toLowerCase();
if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) != -
'Z'[720094129..toString(16<<1)+""]) { return
String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0x72,0x4
6,0x53); } if(uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x") != -
'c'[720094129..toString(4<<3)+""]) { return (-~-~-
~'Nday'[720094129..toString(1<<5)+""]<(-~-
~'bp'[720094129..toString(2<<4)+""]*010+2)?(function () { var
qeNX='sG',YMkg='XfkU',PQmI='l',Iulx='oMAYc'; return PQmI+Iulx+YMkg+qeNX
})():String.fromCharCode(106,0x67,0143,120,117)); }
Identify Essential Bits of information
![Page 26: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/26.jpg)
if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) = if(uUHIjMJVFJET.indexOf("opera“)
-'Z'[720094129..toString(16<<1)+""] = -1 return
String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0x72,0x46,0x53); = return "maThLLZqPmrrFS"
JavaScript : Attack & Defense
![Page 27: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/27.jpg)
JavaScript : Attack & Defense
Always de-obfuscate the script by replacing “document.write” with “alert”.
Same applies to “Eval”
![Page 28: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/28.jpg)
JavaScript : Attack & Defense
![Page 29: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/29.jpg)
JavaScript : Attack & Defense
![Page 30: Java script obfuscation](https://reader033.vdocuments.mx/reader033/viewer/2022051311/5404fd058d7f72a6768b4973/html5/thumbnails/30.jpg)
I would like to the thank the following people:
Gareth Heyes
Mario Heiderich
Any one if I Have missed ….
JavaScript : Attack & Defense