null Banglore June - 2012 Meet

1. JavaScript Obfuscation

2. Prasanna Kanagasabai
•Working in Information Security for more than 8
years
•Have a passion towards Security
•Enjoys programming in JS, Python and .NET

3. Topics to be covered
• JavaScript
• JavaScript Obfuscation
• JavaScript D-Obfuscation Techniques

4. What is Obfuscation
<pre>
function wprcm(){ var uUHIjMJVFJET =
navigator.userAgent.toLowerCase();
if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) !=
-'Z'[720094129..toString(16<<1)+""]) { return
String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,1
14,0x72,0x46,0x53); }
if(uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x") !=
-'c'[720094129..toString(4<<3)+""]) { return (-~-~-
~'Nday'[720094129..toString(1<<5)+""]<(-~-
~'bp'[720094129..toString(2<<4)+""]*010+2)?(function () { var
qeNX='sG',YMkg='XfkU',PQmI='l',Iulx='oMAYc'; return
PQmI+Iulx+YMkg+qeNX })
():String.fromCharCode(106,0x67,0143,120,117)); }
JavaScript : Attack & Defense

5. Obfuscation
Obfuscation is the concealment of intended meaning in communication, making
communication confusing, intentionally ambiguous, and more difficult to interpret.
--Wikipedia definition
• Art of Hiding Execution from plain text
JavaScript : Attack & Defense

6. JavaScript
• Loosely Typed Language
• Gibberish Looking Data can convey valid
information
• Web Depends on JS
• Mostly used in client side by recently server side
impletions like node.js are becoming famous
Sample:
function factorial(n) { if (n === 0) { return
1; } return n * factorial(n - 1); }

7. Why Create Obfuscated Code
1. Bypass WAF’s.
2. Decrypt Exploit Packs
2. Bypass filters (in-house and commercial).
3. hide implementation details.
4. Social engineering payloads.

8. JavaScript : Attack & Defense

9. Let’s deobfuscate the script by replacing “document.write” with
“alert”.
JavaScript : Attack & Defense

10. JavaScript : Attack & Defense

11. JavaScript Strings
• 1. “ I a m a n o r m a l s t r i n g ”
-- N o r m a l S t r in g
• 2 . ‘ I a m a n o r m a l s t r in g ’
-- N o r m a l S t r in g
• 3 . / I a m a r e g e x s t r i n g /+’ ’
-- R e g e x S t r in g s
• 4 . /I a m a r e g e x s t r i n g /. s o u r c e
-- R e g e x S o u r c e f a c ilit y
• 5 . [ ‘ I a m a S t r i n g ’ ] +[ ]
-- S q u a r e n o t a t io n t o a c c e s s
s t r in g .
• 6 . “ t h is is a
•
JavaScript provides various methods to create strings
•
Strings play a very major role in obfuscation
•
•Some implementations can s tbrowser specific only
M u lt ip le lin e
be
r in g “

12. Operators
• JavaScript supports many infix operators:
+,-,~,++,--,!,
• Plays a very active role in obfuscation

13. Regular Expressions (RE)
• What is Regular Expressions ?
• Browsers Support RE as function and
arguments to it.
• The result is either first matched or if
parentheses is used the result is stored in a
array.

14. Comments
• // single Line comments
• /**/ is a multiline comments.
• JavaScript supports <!---> HTML comments
inline in JavaScript.

15. Escapes
• Allows addition of Character out of the ASCII
Charest in the code without breaking the code
• / is a example of a escape

16. Encoding
• Critical part of Obfuscation
• 3 Modes Supported :
 1. Unicode =====> u0061
 2. Octal =====> 141
 3. Hex =====>x61
<script>
eval(RegExp(‘x5cx75x3030x36x31’).source+StringfromCharCode(0154)+’
u00’+0x41+/u0072/(‘x72’)+’134uoo74’+’(2)’
</script>

17. Hide EVAL from the previous Slide

18. Hiding Eval
(a = {}.Valueof, a())
[‘String.fromCharCode(String.fromCharCode(10
1,118,97,108);
)’]
Basic Obfuscation !!!

19. JavaScript Variables
• variables can be used to store values
• Can be defined with or without “var”
• 1. Alphanumeric characters
• 2. numbers except the first character
• 3. _ and $
• 4. Unicode characters

20. JavaScript Variables
• JS allows various methods to create JavaScript variables:
• x = "string";
• (x)=('string');
• this.x='string';
• x ={'a':'string'}.a;
• [x,y,z]=['str1','str2','str3'];
• x=/z(.*)/('zstring')[1];x='string';
• x=1?'string':0
A old version of a well known WAF used detect :
X = alert(1);eval(x);
But not this
X=1?’al’+’lert(1)’:0;eval(x);
JavaScript : Attack & Defense

21. Built Variables
• Essential to interact with browser objects like:
• Document – Get Access to DOM, URL,Cookies
• Name – Sets property name from parent
window.
• Location.hash
• The URL variable

22. Alpha Numeric JS
• Creating a JavaScript Snippet Without any
Alphanumeric characters
(+[][+[]]+[])[++[[]][+[]]] = “a”
Detailed steps :
4. +[] = 0
5. [+[]] = 0 inside object accessor
6. [] [+[]] = Create a blank Array with trying to 0
which creates error ‘undefined’

23. Alpha Numeric JS
4. +[] [+[]] = We use infix operator + to perform a
mathematical operation on result of previous
operation which results a error NaN (Not a
Number)
We now have to extract the middle ‘a’ from the
result:
1. (+[] [+[]] +[]) = Nan in string
2.++[[]] [+[]] = 1 (quirk by oxotonick)
3. (+[][+[]]+[])[++[[]][+[]]] = ‘a’
JavaScript : Attack & Defense

24. Alpha Numeric JS
• Lets Trying ‘l’
• We can find l in “false”
• Fact ‘’==0 will be true opp of this is false
• ([![]]+[]) == “false”
• ++[++[[]][+[]]][+[]] Use previous quirk to get 2
• Combine them to create ‘l’
• ([![]]+[]) [++[++[[]][+[]]][+[]]] == l
JavaScript : Attack & Defense

25. Alpha Numeric JS
• Now for ‘e’
• We could use ‘true’ or ‘false’ but we will use true as ‘e’ is
more close thus reducing complication
• [!![]]+[] = “true”
• ++[++[++[[]][+[]]][+[]]][+[]] = 3
• ([!![]]+[] )[++[++[++[[]][+[]]][+[]]][+[]]] = ‘e’
JavaScript : Attack & Defense

26. Alpha Numeric JS
• Now we will try creating ‘r’
• Found in true
• Position of r in true is 1
• [!![]]+[] = “true”
• ++[[]][+[]] = 1
• ([!![]]+[])[++[[]][+[]]] = r
JavaScript : Attack & Defense

27. Alpha Numeric JS
• Now we will try ‘t’
• T is in “true”
• Position is 0
• [!![]]+[] = “true”
• [+[]] = 0
• ([!![]]+[]) [+[]] = “t”
JavaScript : Attack & Defense

29. Tools To Create Obfuscated Code
1. Strong Knowledge of JavaScript
2. Firebug or chrome developer tools
3. spider monkey
4. Imagination ….. 

30. Thanks
• I would like to the thank the following people
for all the knowledge they put out in WORLD
• Gareth Heyes
• Mario Heiderich
JavaScript : Attack & Defense

31. Prasanna Kanagasabai
Prasanna.in@gmail.com