Testing Javascript - Prasanna K, ThoughtWorks

  1. JAVASCRIPT INTRODUCTION
     • Cement of the internet (personal thought)
     • De-facto language for the web
     • Born at Netscape
     • Born as “Mocha”
     • Object oriented
     http://en.wikipedia.org/wiki/JavaScript
  2. AGENDA
     • DOM XSS
     • CORS
     • JSON Hijacking
     • postMessage
     • JavaScript Obfuscation
     (+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
     This is not a child's drawing, it is code
  3. DOM XSS
     • Similarity with stored and reflected XSS: it also results from DOM modification
     • The difference is in how it is triggered
     • The server might never see the payload
     Keywords: Source, Filter, Sink
     Source – Sink -> Failure
     Source – Filter – Sink -> Perfect
     https://www.owasp.org/index.php/DOM_Based_XSS
     https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
  4. CORS – CROSS ORIGIN RESOURCE SHARING
     As per the HTTP standards, one domain cannot communicate with another. But in some cases applications need to talk to each other, which is where CORS comes into play. CORS allows domains to speak to each other.
     For CORS to work, the browser asks the server for permission by means of a pre-flight request; the server responds with the actions it supports, and the client then proceeds with the request.
     Request header: Origin: http://yourapplication.com
     Server response: Access-Control-Allow-Origin: *
  5. JSON HIJACKING (JSONP)
     • Cross-domain JSON sniffing
     • JSONP (JSON with Padding) was created to communicate cross domain
     • The JSON response is encapsulated in a function call
     • A malicious site could define a function of the same name and get the contents of the JSON
     • The contact-stealing attack by Jeremiah Grossman against Gmail is an example of JSON hijacking
     • Google now puts while(1){XXXX} in front of its JSON responses
  6. POST MESSAGE
     inner = document.getElementById("inner").contentWindow;
     inner.postMessage(document.getElementById("val").value, "*");
     postMessage allows cross-domain communication. One of the major flaws is that the receiver needs to verify that the message was meant for it before using it. postMessage expects a target origin to be given but supports a wildcard, which can be abused. Input validation issues could lead to XSS.
     https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage
     http://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf
  7. JAVASCRIPT OBFUSCATION
     The art of hiding data in plain text
     Why obfuscation?
     • Bypass WAFs and filters
     • Decrypt exploit packs
     • Bypass filters (in-house and commercial)
     • Hide implementation details
     • Social engineering payloads
  8. ALPHANUMERIC JS: Creating a JavaScript snippet without any alphanumeric characters
     (+[][+[]]+[])[++[[]][+[]]] = “a”
     Detailed steps:
     1. +[] = 0
     2. [+[]] = 0 inside an object accessor
     3. [][+[]] = create a blank array and index it with 0, which gives undefined
  9. 4. +[][+[]] = apply the + operator to the result of the previous step, which gives NaN (Not a Number)
     We now have to extract the middle ‘a’ from the result:
     1. +[][+[]]+[] = NaN as a string
     2. ++[[]][+[]] = 1 (quirk by oxotonick)
     3. (+[][+[]]+[])[++[[]][+[]]] = ‘a’
     JAVASCRIPT: ATTACK & DEFENSE
  10. Let's try ‘l’. We can find l in “false”.
      Fact: ‘’ == 0 is true; the opposite of this is false.
      ([![]]+[]) == “false”
      ++[++[[]][+[]]][+[]]: use the previous quirk to get 2
      Combine them to create ‘l’:
      ([![]]+[])[++[++[[]][+[]]][+[]]] == ‘l’
  11. DEMO
      (+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
      -> “alert”
  12. Email: shifu@thoughtworks.com
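The receiver-side check that the postMessage slide (slide 6) calls for, as an added example that is not part of the talk: a listener that accepts any origin beside one that verifies event.origin and renders the payload as text, plus a sender that refuses the wildcard target. The trusted origin https://app.example, the DOM node and the MessageEvent are assumptions modelled as plain objects so the code runs in Node.

```javascript
// Added example (not from the talk). Trusted origin and DOM/event models are assumptions.
const TRUSTED_ORIGIN = "https://app.example";

// Vulnerable receiver: no origin check, and the payload is written as HTML.
function insecureHandler(node) {
  return function (event) {
    node.innerHTML = event.data;   // any window holding a reference to this frame can inject markup
    return true;
  };
}

// Hardened receiver: drop messages from other origins, render the payload as text.
function secureHandler(allowedOrigin, node) {
  return function (event) {
    if (event.origin !== allowedOrigin) {
      return false;                // not meant for us: ignore it, do not act on it
    }
    node.textContent = String(event.data);
    return true;
  };
}

// Sender side: name the receiver's origin so the browser drops the message if
// the frame has since navigated to another site.
function sendValue(targetWindow, value, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing wildcard target origin");
  }
  targetWindow.postMessage(value, targetOrigin);
}

// Constructed sample run: plain objects stand in for the DOM node and MessageEvent.
function demo() {
  const trusted = { origin: TRUSTED_ORIGIN, data: "<b>hi</b>" };
  const hostile = { origin: "https://evil.example", data: "<b>injected</b>" };
  const nodeA = { innerHTML: "", textContent: "" };
  const nodeB = { innerHTML: "", textContent: "" };
  insecureHandler(nodeA)(hostile);
  const listener = secureHandler(TRUSTED_ORIGIN, nodeB);
  const hostileAccepted = listener(hostile);
  listener(trusted);
  return {
    insecureDom: nodeA.innerHTML,      // "<b>injected</b>": hostile markup landed in the page
    hostileAccepted,                   // false: the hardened listener ignored it
    secureText: nodeB.textContent,     // "<b>hi</b>": shown literally, not parsed as markup
  };
}

// In a browser: window.addEventListener("message", secureHandler(TRUSTED_ORIGIN, el));
```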