JavaScript Obfuscation
null Banglore June - 2012 Meet

Published in: Education, Technology

  1. JavaScript Obfuscation
  2. Prasanna Kanagasabai
     • Working in Information Security for more than 8 years
     • Has a passion for security
     • Enjoys programming in JS, Python and .NET
  3. Topics to be covered
     • JavaScript
     • JavaScript Obfuscation
     • JavaScript De-Obfuscation Techniques
  4. What is Obfuscation
     // Excerpt of an obfuscated script; Z, c, Nday, bp, sG, XfkU, l and oMAYc are not defined in this excerpt.
     function wprcm() {
       var uUHIjMJVFJET = navigator.userAgent.toLowerCase();
       // String.fromCharCode(0157,112,0145,114,97) mixes octal and decimal character codes and spells "opera"
       if (uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) != -Z[720094129..toString(16<<1)+""]) {
         return String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0x72,0x46,0x53);
       }
       if (uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x") != -c[720094129..toString(4<<3)+""]) {
         return (-~-~-~Nday[720094129..toString(1<<5)+""] < (-~-~bp[720094129..toString(2<<4)+""]*010+2)
           ? (function () { var qeNX=sG, YMkg=XfkU, PQmI=l, Iulx=oMAYc; return PQmI+Iulx+YMkg+qeNX })()
           : String.fromCharCode(106,0x67,0143,120,117));
       }
     }
     JavaScript : Attack & Defense
  5. Obfuscation
     Obfuscation is the concealment of intended meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret. -- Wikipedia definition
     • Art of hiding execution from plain text
  6. JavaScript
     • Loosely typed language
     • Gibberish-looking data can convey valid information
     • The web depends on JS
     • Mostly used on the client side, but recently server-side implementations like node.js are becoming famous
     Sample:
       function factorial(n) {
         if (n === 0) {
           return 1;
         }
         return n * factorial(n - 1);
       }
  7. Why Create Obfuscated Code
     1. Bypass WAFs.
     2. Decrypt exploit packs.
     3. Bypass filters (in-house and commercial).
     4. Hide implementation details.
     5. Social engineering payloads.
  8. JavaScript : Attack & Defense
  9. Let's deobfuscate the script by replacing "document.write" with "alert".
  10. JavaScript : Attack & Defense
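The sink-replacement idea from slide 9, generalized from swapping document.write for alert to recording every string that reaches document.write or eval. This is an added example, not code from the slides; `traceSinks` and `SAMPLE` are hypothetical names and the sample script is constructed for illustration.

```javascript
// Constructed sample (not from the slides): the real code is assembled from
// string fragments and handed to eval; the eval'd layer writes markup built
// from mixed hex/octal/decimal character codes.
const SAMPLE = [
  "var a = 'docu' + 'ment.wr' + 'ite';",
  "var b = '(String.fromCh' + 'arCode(0x3c,0151,0x66,114,97,0155,101,62))';",
  "eval(a + b);",
].join("\n");

// Run `source` with document.write/writeln and eval replaced by recorders.
// Each string that reaches a sink is logged instead of being rendered, and
// eval'd strings are re-run under the same hooks so nested layers unfold.
// NOTE: new Function is not a sandbox; analyse real samples only inside a
// disposable, isolated environment.
function traceSinks(source, maxDepth = 8) {
  const trace = [];
  const run = (code, depth) => {
    if (depth > maxDepth) throw new Error("nesting deeper than maxDepth");
    const record = (sink) => (...args) => {
      trace.push({ depth, sink, data: args.join("") });
    };
    const documentHook = {
      write: record("document.write"),
      writeln: record("document.writeln"),
    };
    const evalHook = (arg) => {
      if (typeof arg !== "string") return arg; // eval returns non-strings unchanged
      trace.push({ depth, sink: "eval", data: arg });
      return run(arg, depth + 1);
    };
    // The parameters shadow the globals of the same name inside the sample.
    return new Function("document", "eval", code)(documentHook, evalHook);
  };
  run(source, 0);
  return trace;
}

for (const layer of traceSinks(SAMPLE)) {
  console.log(`[depth ${layer.depth}] ${layer.sink}: ${layer.data}`);
}
```

The last trace entry is the decoded markup the script would have written to the page, which is the value an analyst wants to see.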
  11. JavaScript Strings
      1. "I am a normal string" -- Normal String
      2. 'I am a normal string' -- Normal String
      3. /I am a regex string/+'' -- Regex Strings
      4. /I am a regex string/.source -- Regex Source facility
      5. ['I am a String']+[] -- Square notation to access string.
      6. "this is a
         Multiple line string"
      • JavaScript provides various methods to create strings
      • Strings play a very major role in obfuscation
      • Some implementations can be browser specific only
  12. Operators
      • JavaScript supports many infix operators: +,-,~,++,--,!,
      • They play a very active role in obfuscation
  13. Regular Expressions (RE)
      • What are regular expressions?
      • Browsers support an RE as a function with arguments passed to it.
      • The result is either the first match or, if parentheses are used, the results are stored in an array.
  14. Comments
      • // is a single-line comment
      • /**/ is a multiline comment.
      • JavaScript supports <!---> HTML comments inline in JavaScript.
  15. Escapes
      • Allow the addition of characters outside the ASCII charset in the code without breaking the code
      • / is an example of an escape
  16. Encoding
      • Critical part of obfuscation
      • 3 modes supported:
        1. Unicode =====> \u0061
        2. Octal =====> \141
        3. Hex =====> \x61
      <script>eval(RegExp('x5cx75x3030x36x31').source+String.fromCharCode(0154)+'u00'+0x41+/u0072/('x72')+'134uoo74'+'(2)'</script>
  17. Hide EVAL from the previous Slide
  18. Hiding Eval
      (a = {}.valueOf, a()) ['String.fromCharCode(String.fromCharCode(101,118,97,108);)']
      Basic Obfuscation !!!
  19. JavaScript Variables
      • Variables can be used to store values
      • Can be defined with or without "var"
      • Names can contain:
        1. Alphanumeric characters
        2. Numbers, except as the first character
        3. _ and $
        4. Unicode characters
  20. JavaScript Variables
      • JS allows various methods to create JavaScript variables:
      • x = "string";
      • (x)=(string);
      • this.x=string;
      • x ={a:string}.a;
      • [x,y,z]=[str1,str2,str3];
      • x=/z(.*)/(zstring)[1];x=string;
      • x=1?string:0
      An old version of a well-known WAF used to detect:
        x = 'alert(1)'; eval(x);
      But not this:
        x = 1 ? 'al' + 'ert(1)' : 0; eval(x);
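Why the literal rule on slide 20 misses the split string, and what normalizing before matching changes, using the three escape forms from slide 16. This is an added example, not code from the slides or from any WAF; `SIGNATURE`, `normalize` and the three inputs are hypothetical and constructed for illustration.

```javascript
// One pass over \uXXXX, \xXX and octal \NNN, the three forms on slide 16.
const ESCAPE = /\\(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|([0-3]?[0-7]{1,2}))/g;
function decodeEscapes(src) {
  return src.replace(ESCAPE, (m, u, x, o) =>
    String.fromCharCode(o !== undefined ? parseInt(o, 8) : parseInt(u || x, 16)));
}

// Fold 'a' + 'b' into 'ab' (same quote character on both sides) until the
// source stops changing, so 'a' + 'b' + 'c' collapses as well.
const CONCAT = /(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\+\s*\1((?:\\.|(?!\1)[^\\])*)\1/;
function foldConcat(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(CONCAT, (m, q, left, right) => q + left + right + q);
  } while (src !== prev);
  return src;
}

// Fold first, then decode, so escapes split across fragments are rejoined.
function normalize(src) {
  return decodeEscapes(foldConcat(src));
}

// Hypothetical literal signature standing in for the WAF rule.
const SIGNATURE = /\balert\s*\(/;
function inspect(src) {
  return { raw: SIGNATURE.test(src), normalized: SIGNATURE.test(normalize(src)) };
}

// Constructed inputs: the detected form, the split form from slide 20, and
// the split form with each fragment additionally escaped.
const PLAIN = "x = 'alert(1)'; eval(x);";
const SPLIT = "x=1?'al'+'ert(1)':0;eval(x);";
const ENCODED = String.raw`x=1?'\x61l'+'\145r'+'\u0074(1)':0;eval(x);`;

for (const [name, src] of Object.entries({ PLAIN, SPLIT, ENCODED })) {
  console.log(name, inspect(src), normalize(src));
}
```

Textual normalization only covers static literals; strings assembled at run time still need execution-based tracing.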
  21. Built-in Variables
      • Essential to interact with browser objects like:
      • Document – gives access to the DOM, URL and cookies
      • Name – sets the property name from the parent window.
      • Location.hash
      • The URL variable
  22. Alpha Numeric JS
      • Creating a JavaScript snippet without any alphanumeric characters
        (+[][+[]]+[])[++[[]][+[]]] = "a"
      Detailed steps:
      1. +[] = 0
      2. [+[]] = 0 inside an object accessor
      3. [][+[]] = create a blank array and try to access index 0, which yields 'undefined'
  23. Alpha Numeric JS
      4. +[][+[]] = we use the infix operator + to perform a mathematical operation on the result of the previous operation, which results in NaN (Not a Number)
      We now have to extract the middle 'a' from the result:
      1. (+[][+[]]+[]) = NaN as a string
      2. ++[[]][+[]] = 1 (quirk by oxotonick)
      3. (+[][+[]]+[])[++[[]][+[]]] = 'a'
  24. Alpha Numeric JS
      • Let's try 'l'
      • We can find l in "false"
      • Fact: ''==0 is true; the opposite of this is false
      • ([![]]+[]) == "false"
      • ++[++[[]][+[]]][+[]] uses the previous quirk to get 2
      • Combine them to create 'l'
      • ([![]]+[])[++[++[[]][+[]]][+[]]] == 'l'
  25. Alpha Numeric JS
      • Now for 'e'
      • We could use 'true' or 'false', but we will use 'true' because its 'e' is closer to the start, which reduces complexity
      • [!![]]+[] = "true"
      • ++[++[++[[]][+[]]][+[]]][+[]] = 3
      • ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] = 'e'
  26. Alpha Numeric JS
      • Now we will try creating 'r'
      • Found in "true"
      • Position of r in "true" is 1
      • [!![]]+[] = "true"
      • ++[[]][+[]] = 1
      • ([!![]]+[])[++[[]][+[]]] = 'r'
  27. Alpha Numeric JS
      • Now we will try 't'
      • t is in "true"
      • Position is 0
      • [!![]]+[] = "true"
      • [+[]] = 0
      • ([!![]]+[])[+[]] = "t"
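The five derivations from slides 22 to 27 evaluated as written, followed by a character-density check that flags source built this way. This is an added example, not code from the slides; the function names, the 20-character minimum and the 0.9 threshold are assumptions chosen for illustration.

```javascript
// The expressions exactly as derived on slides 22-27.
const DERIVED = {
  a: (+[][+[]]+[])[++[[]][+[]]],                  // "NaN"[1]
  l: ([![]]+[])[++[++[[]][+[]]][+[]]],            // "false"[2]
  e: ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]],  // "true"[3]
  r: ([!![]]+[])[++[[]][+[]]],                    // "true"[1]
  t: ([!![]]+[])[+[]],                            // "true"[0]
};

// Spell a word from the derived characters; returns null if a letter has
// no derivation on the slides.
function spell(word) {
  const chars = [...word].map((c) => DERIVED[c]);
  return chars.every((c) => typeof c === "string") ? chars.join("") : null;
}

// Share of non-whitespace characters drawn from the six symbols the
// technique relies on: [ ] ( ) ! +
function symbolDensity(src) {
  const body = src.replace(/\s+/g, "");
  if (body.length === 0) return 0;
  return (body.match(/[\[\]()!+]/g) || []).length / body.length;
}

// Heuristic (assumed thresholds): ordinary scripts are dominated by
// identifiers and keywords, so a long run that is almost entirely these
// symbols is worth a closer look.
function looksNonAlphanumeric(src, minLength = 20, threshold = 0.9) {
  const length = src.replace(/\s+/g, "").length;
  return length >= minLength && symbolDensity(src) >= threshold;
}

// Constructed inputs: the slide-22 expression as text, and the factorial
// sample from slide 6.
const ENCODED_A = "(+[][+[]]+[])[++[[]][+[]]]";
const FACTORIAL =
  "function factorial(n) { if (n === 0) { return 1; } return n * factorial(n - 1); }";

console.log(spell("alert"), looksNonAlphanumeric(ENCODED_A), looksNonAlphanumeric(FACTORIAL));
```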
  28. Tools To Create Obfuscated Code
      1. Strong knowledge of JavaScript
      2. Firebug or Chrome developer tools
      3. SpiderMonkey
      4. Imagination …..
  29. Thanks
      • I would like to thank the following people for all the knowledge they put out in the world
      • Gareth Heyes
      • Mario Heiderich
  30. Prasanna Kanagasabai
      Prasanna.in@gmail.com
