Java script obfuscation
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Java script obfuscation

on

  • 3,597 views

null, Hasgeek, JSFoo, HackNight - 03 August 2013

null, Hasgeek, JSFoo, HackNight - 03 August 2013

Statistics

Views

Total Views
3,597
Views on SlideShare
877
Embed Views
2,720

Actions

Likes
0
Downloads
31
Comments
0

4 Embeds 2,720

http://null.co.in 2664
http://staging.null.co.in 31
http://localhost 23
http://eventifier.co 2

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Java script obfuscation Presentation Transcript

  • 1. JavaScript Obfuscation
  • 2.  Working in Information Security for more than 10 years  null Moderator for Bangalore Chapter  Have a passion towards Security  Penetration Tester in Day, Coder, Researcher @ night  Coder of “IronSAP”  Just completed OSCP Prasanna Kanagasabai
  • 3.  JavaScript  JavaScript Obfuscation  JavaScript D-Obfuscation Techniques
  • 4.  Art of Hiding Execution from plain text JavaScript : Attack & Defense Obfuscation is the concealment of intended meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret. --Wikipedia definition
  • 5. JavaScript : Attack & Defense Example <pre> function wprcm(){ var uUHIjMJVFJET = navigator.userAgent.toLowerCase(); if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) != - 'Z'[720094129..toString(16<<1)+""]) { return String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0 x72,0x46,0x53); } if(uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x") != -'c'[720094129..toString(4<<3)+""]) { return (-~-~- ~'Nday'[720094129..toString(1<<5)+""]<(-~- ~'bp'[720094129..toString(2<<4)+""]*010+2)?(function () { var qeNX='sG',YMkg='XfkU',PQmI='l',Iulx='oMAYc'; return PQmI+Iulx+YMkg+qeNX })():String.fromCharCode(106,0x67,0143,120,117)); }
  • 6.  Bypass WAF’s, filters  Decrypt Exploit Packs  Bypass filters (in-house and commercial)  hide implementation details  Social engineering payloads
  • 7. JavaScript : Attack & Defense
  • 8.  Loosely Typed Language  Gibberish Looking Data can convey valid information  Web Depends on JS  Mostly used in client side by recently server side impletions like node.js are becoming famous Sample: function factorial(n) { if (n === 0) { return 1; } return n * factorial(n - 1); }
  • 9.  “I am a normal string ” -- Normal String  ‘I am a normal string’ -- Normal String  / I am a regex string/+”” -- Regex Strings  /I am a regex string/.source -- Regex Source facility  [‘I am a String ’]+[] -- Square notation to access string.  JavaScript provides various methods to create strings  Strings play a very major role in obfuscation  Some implementations can be browser specific only
  • 10.  JavaScript supports many infix operators: +,-,~,++,--,!,  Plays a very active role in obfuscation
  • 11.  What is Regular Expressions ?  Browsers Support RE as function and arguments to it.  The result is either first matched or if parentheses is used the result is stored in a array.
  • 12.  // single Line comments  /**/ is a multiline comments.  JavaScript supports <!---> HTML comments inline in JavaScript.
  • 13.  Critical part of Obfuscation  3 Modes Supported :  1. Unicode =====> u0061  2. Octal =====> 141  3. Hex =====>x61
  • 14. Hide EVAL from the previous Slide
  • 15. (a = {}.Valueof, a())[‘String.fromCharCode(String.fromCharCode(101,1 18,97,108); )’] Basic Obfuscation !!!
  • 16.  variables can be used to store values  Can be defined with or without “var”  1. Alphanumeric characters  2. numbers except the first character  3. _ and $  4. Unicode characters
  • 17.  JS allows various methods to create JavaScript variables:  x = "string";  (x)=('string');  this.x='string';  x ={'a':'string'}.a;  [x,y,z]=['str1','str2','str3'];  x=/z(.*)/('zstring')[1];x='string';  x=1?'string':0 JavaScript : Attack & Defense
  • 18.  Essential to interact with browser objects like:  Document – Get Access to DOM, URL,Cookies  Name – Sets property name from parent window.  Location.hash  The URL variable
  • 19. JavaScript : Attack & Defense
  • 20.  Would you believe this is JavaScript JavaScript : Attack & Defense
  • 21.  Creating a JavaScript Snippet Without any Alphanumeric characters (+[][+[]]+[])[++[[]][+[]]] = “a” Detailed steps : 1. +[] = 0 2. [+[]] = 0 inside object accessor 3. [] [+[]] = Create a blank Array with trying to 0 which creates error ‘undefined’
  • 22. 4. +[] [+[]] = We use infix operator + to perform a mathematical operation on result of previous operation which results a error NaN (Not a Number) We now have to extract the middle ‘a’ from the result: 1. (+[] [+[]] +[]) = Nan in string 2.++[[]] [+[]] = 1 (quirk by oxotonick) 3. (+[][+[]]+[])[++[[]][+[]]] = ‘a’ JavaScript : Attack & Defense
  • 23. JavaScript : Attack & Defense
  • 24. JavaScript : Attack & Defense <pre> function wprcm(){ var uUHIjMJVFJET = navigator.userAgent.toLowerCase(); if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) != - 'Z'[720094129..toString(16<<1)+""]) { return String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0 x72,0x46,0x53); } if(uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x") != -'c'[720094129..toString(4<<3)+""]) { return (-~-~- ~'Nday'[720094129..toString(1<<5)+""]<(-~- ~'bp'[720094129..toString(2<<4)+""]*010+2)?(function () { var qeNX='sG',YMkg='XfkU',PQmI='l',Iulx='oMAYc'; return PQmI+Iulx+YMkg+qeNX })():String.fromCharCode(106,0x67,0143,120,117)); } Obfuscated Code:
  • 25. JavaScript : Attack & Defense <pre> function wprcm(){ var uUHIjMJVFJET = navigator.userAgent.toLowerCase(); if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) != - 'Z'[720094129..toString(16<<1)+""]) { return String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0x72,0x4 6,0x53); } if(uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x") != - 'c'[720094129..toString(4<<3)+""]) { return (-~-~- ~'Nday'[720094129..toString(1<<5)+""]<(-~- ~'bp'[720094129..toString(2<<4)+""]*010+2)?(function () { var qeNX='sG',YMkg='XfkU',PQmI='l',Iulx='oMAYc'; return PQmI+Iulx+YMkg+qeNX })():String.fromCharCode(106,0x67,0143,120,117)); } Identify Essential Bits of information
  • 26.  if(uUHIjMJVFJET.indexOf(String.fromCharCo de(0157,112,0145,114,97)) = if(uUHIjMJVFJET.indexOf("opera“)  -'Z'[720094129..toString(16<<1)+""] = -1  return String.fromCharCode(0x6d,0x61,0x54,015 0,76,0114,0132,113,0x50,0155,114,0x72, 0x46,0x53); = return "maThLLZqPmrrFS" JavaScript : Attack & Defense
  • 27. JavaScript : Attack & Defense Always de-obfuscate the script by replacing “document.write” with “alert”. Same applies to “Eval”
  • 28. JavaScript : Attack & Defense
  • 29. JavaScript : Attack & Defense
  • 30.  I would like to the thank the following people:  Gareth Heyes  Mario Heiderich  Any one if I Have missed …. JavaScript : Attack & Defense
  • 31. Prasanna Kanagasabai Prasanna.in@gmail.com