JavaScript Obfuscation

null Bangalore June - 2012 Meet

Published in: Education, Technology

    1. 1. JavaScript Obfuscation
    2. 2. Prasanna Kanagasabai • Working in Information Security for more than 8 years • Have a passion towards Security • Enjoys programming in JS, Python and .NET
    3. 3. Topics to be covered • JavaScript • JavaScript Obfuscation • JavaScript De-Obfuscation Techniques
    4. 4. What is Obfuscation <pre>function wprcm(){ var uUHIjMJVFJET = navigator.userAgent.toLowerCase(); if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) !=-Z[720094129..toString(16<<1)+""]) { return String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0x72,0x46,0x53); } if(uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x") !=-c[720094129..toString(4<<3)+""]) { return (-~-~-~Nday[720094129..toString(1<<5)+""]<(-~-~bp[720094129..toString(2<<4)+""]*010+2)?(function () { var qeNX=sG,YMkg=XfkU,PQmI=l,Iulx=oMAYc; return PQmI+Iulx+YMkg+qeNX })():String.fromCharCode(106,0x67,0143,120,117)); }</pre> JavaScript : Attack & Defense
    5. 5. Obfuscation • “Obfuscation is the concealment of intended meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret.” -- Wikipedia definition • Art of hiding execution from plain text
    6. 6. JavaScript • Loosely typed language • Gibberish-looking data can convey valid information • The Web depends on JS • Mostly used on the client side, but recently server-side implementations like node.js are becoming famous • Sample: function factorial(n) { if (n === 0) { return 1; } return n * factorial(n - 1); }
    7. 7. Why Create Obfuscated Code 1. Bypass WAFs. 2. Decrypt exploit packs. 3. Bypass filters (in-house and commercial). 4. Hide implementation details. 5. Social engineering payloads.
    8. 8. JavaScript : Attack & Defense
    9. 9. Let’s deobfuscate the script by replacing “document.write” with “alert”.
    10. 10. JavaScript : Attack & Defense
    11. 11. JavaScript Strings • JavaScript provides various methods to create strings • Strings play a very major role in obfuscation • Some implementations can be browser specific only • 1. "I am a normal string" -- Normal String • 2. 'I am a normal string' -- Normal String • 3. /I am a regex string/+'' -- Regex Strings • 4. /I am a regex string/.source -- Regex Source facility • 5. ['I am a String']+[] -- Square notation to access string. • 6. "this is a Multiple line string"
    12. 12. Operators • JavaScript supports many infix operators: +, -, ~, ++, --, ! • They play a very active role in obfuscation
    13. 13. Regular Expressions (RE) • What are regular expressions? • Browsers support RE as a function and arguments to it. • The result is either the first match or, if parentheses are used, the result is stored in an array.
    14. 14. Comments • // is a single-line comment • /**/ is a multiline comment • JavaScript supports <!---> HTML comments inline in JavaScript.
    15. 15. Escapes • Allow the addition of characters outside the ASCII charset in the code without breaking the code • / is an example of an escape
    16. 16. Encoding • Critical part of obfuscation • 3 modes supported: 1. Unicode =====> \u0061 2. Octal =====> \141 3. Hex =====> \x61 <script>eval(RegExp('\x5c\x75\x30\x30\x36\x31').source+String.fromCharCode(0154)+'\\u00'+0x41+/\u0072/('\x72')+'\134u0074'+'(2)')</script>
    17. 17. Hide EVAL from the previous Slide
    18. 18. Hiding Eval • (a = {}.valueOf, a())[String.fromCharCode(101,118,97,108)] • Basic Obfuscation !!!
    19. 19. JavaScript Variables • Variables can be used to store values • Can be defined with or without “var” • 1. Alphanumeric characters • 2. Numbers, except as the first character • 3. _ and $ • 4. Unicode characters
    20. 20. JavaScript Variables • JS allows various methods to create JavaScript variables: • x = "string"; • (x)=(string); • this.x=string; • x ={a:string}.a; • [x,y,z]=[str1,str2,str3]; • x=/z(.*)/(zstring)[1];x=string; • x=1?string:0 • An old version of a well-known WAF used to detect: x = 'alert(1)'; eval(x); but not this: x=1?'al'+'ert(1)':0; eval(x);
    21. 21. Built-in Variables • Essential to interact with browser objects like: • Document – get access to the DOM, URL, cookies • Name – sets property name from parent window. • Location.hash • The URL variable
    22. 22. Alpha Numeric JS • Creating a JavaScript snippet without any alphanumeric characters: (+[][+[]]+[])[++[[]][+[]]] = “a” • Detailed steps: 1. +[] = 0 2. [+[]] = 0 inside an object accessor 3. [][+[]] = create a blank array and try to access index 0, which gives ‘undefined’
    23. 23. Alpha Numeric JS • 4. +[][+[]] = we use the infix operator + to perform a mathematical operation on the result of the previous operation, which results in NaN (Not a Number) • We now have to extract the middle ‘a’ from the result: 1. (+[][+[]]+[]) = NaN as a string 2. ++[[]][+[]] = 1 (quirk by oxotonick) 3. (+[][+[]]+[])[++[[]][+[]]] = ‘a’
    24. 24. Alpha Numeric JS • Let’s try ‘l’ • We can find ‘l’ in “false” • Fact: ‘’==0 is true; the opposite of this is false • ([![]]+[]) == “false” • ++[++[[]][+[]]][+[]]: use the previous quirk to get 2 • Combine them to create ‘l’ • ([![]]+[])[++[++[[]][+[]]][+[]]] == ‘l’
    25. 25. Alpha Numeric JS • Now for ‘e’ • We could use “true” or “false”, but we will use “true” as ‘e’ is closer there, which reduces complication • [!![]]+[] = “true” • ++[++[++[[]][+[]]][+[]]][+[]] = 3 • ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] = ‘e’
    26. 26. Alpha Numeric JS • Now we will try creating ‘r’ • Found in “true” • Position of ‘r’ in “true” is 1 • [!![]]+[] = “true” • ++[[]][+[]] = 1 • ([!![]]+[])[++[[]][+[]]] = ‘r’
    27. 27. Alpha Numeric JS • Now we will try ‘t’ • ‘t’ is in “true” • Position is 0 • [!![]]+[] = “true” • [+[]] = 0 • ([!![]]+[])[+[]] = ‘t’
    28. 28. Tools To Create Obfuscated Code 1. Strong knowledge of JavaScript 2. Firebug or Chrome developer tools 3. SpiderMonkey 4. Imagination …
    29. 29. Thanks • I would like to thank the following people for all the knowledge they put out in the WORLD • Gareth Heyes • Mario Heiderich
    30. 30. Prasanna Kanagasabai • Prasanna.in@gmail.com
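
For the sample on slide 4 and the encodings on slide 16, a static constant-folding pass (an added example, not part of the original deck) that turns `String.fromCharCode(...)` calls with hex, octal or decimal literals and the `N..toString(radix)` trick into plain strings without executing the script. The function names and the shortened variable `ua` are assumptions; the expressions are taken from slide 4.

```javascript
// Added example: static constant folding; the sample is never executed.

// Numeric literal as the slides write them: hex (0x6d), legacy octal (0157),
// or decimal (112). A leading 0 followed by 8 or 9 is decimal in JavaScript.
function parseLiteral(tok) {
  const t = tok.trim();
  if (/^0[xX][0-9a-fA-F]+$/.test(t)) return parseInt(t, 16);
  if (/^0[0-7]+$/.test(t)) return parseInt(t, 8);
  if (/^\d+$/.test(t)) return parseInt(t, 10);
  throw new Error('not a numeric literal: ' + tok);
}

// Radix argument: a literal, or one left shift such as 16<<1 (= 32).
function parseRadix(expr) {
  const parts = expr.split('<<').map(parseLiteral);
  if (parts.length > 2) throw new Error('unsupported radix: ' + expr);
  const radix = parts.length === 2 ? parts[0] << parts[1] : parts[0];
  if (radix < 2 || radix > 36) throw new Error('radix out of range: ' + expr);
  return radix;
}

// Apply fn to the captures; on anything unexpected keep the original text.
function tryFold(fn) {
  return (match, ...groups) => {
    try { return JSON.stringify(fn(...groups)); } catch (e) { return match; }
  };
}

function foldConstants(src) {
  let out = src
    .replace(/String\.fromCharCode\(([0-9a-fA-FxX,\s]+)\)/g,
      tryFold(args => String.fromCharCode(...args.split(',').map(parseLiteral))))
    .replace(/\b(\d+)\.\.toString\(([0-9a-fA-FxX<\s]+)\)/g,
      tryFold((n, radix) => Number(n).toString(parseRadix(radix))));
  // Join adjacent simple string literals: "firefo"+"x" -> "firefox".
  const concat = /"([^"\\]*)"\s*\+\s*"([^"\\]*)"/;
  while (concat.test(out)) out = out.replace(concat, '"$1$2"');
  return out;
}

// Two conditions from slide 4, variable name shortened to `ua`.
const slide4 = 'if(ua.indexOf(String.fromCharCode(0157,112,0145,114,97)) != ' +
  '-Z[720094129..toString(16<<1)+""]) {} ' +
  'if(ua.indexOf(523090424..toString(1<<5)+"x") != -c[720094129..toString(4<<3)+""]) {}';

console.log(foldConstants(slide4));
```

Folded this way, the two conditions read as browser checks against the user-agent string, which is the kind of intent the obfuscation was hiding.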
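
The derivations on slides 22 to 27, checked in code and paired with a simple detection heuristic for symbol-only scripts (an added example, not part of the original deck). The function names, the six-symbol alphabet used for scoring and the thresholds are assumptions; the expressions and the factorial sample come from the slides.

```javascript
// Added example: the slide expressions are ordinary JavaScript, so they are
// written here as code and evaluated directly (no eval involved).
function slideLetters() {
  return {
    a: (+[][+[]] + [])[++[[]][+[]]],                    // "NaN"[1]
    l: ([![]] + [])[++[++[[]][+[]]][+[]]],              // "false"[2]
    e: ([!![]] + [])[++[++[++[[]][+[]]][+[]]][+[]]],    // "true"[3]
    r: ([!![]] + [])[++[[]][+[]]],                      // "true"[1]
    t: ([!![]] + [])[+[]],                              // "true"[0]
  };
}

// Detection heuristic (thresholds are assumptions, tune them on real data):
// share of non-whitespace characters drawn from the alphabet [ ] ( ) ! +
function symbolShare(src) {
  const code = src.replace(/\s+/g, '');
  if (code.length === 0) return 0;
  return (code.match(/[\[\]()!+]/g) || []).length / code.length;
}

function looksSymbolOnly(src, minLength = 20, minShare = 0.9) {
  return src.replace(/\s+/g, '').length >= minLength &&
         symbolShare(src) >= minShare;
}

// Inputs taken from the slides: the 'l' expression and the factorial sample.
const obfuscated = '([![]]+[])[++[++[[]][+[]]][+[]]]';
const plain = 'function factorial(n) { if (n === 0) { return 1; } ' +
              'return n * factorial(n - 1); }';

const letters = slideLetters();
console.log(letters.a + letters.l + letters.e + letters.r + letters.t);
console.log(looksSymbolOnly(obfuscated), looksSymbolOnly(plain));
```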
