JavaScript Obfuscation
Prasanna Kanagasabai

• Working in Information Security for more than 8 years
• Has a passion for security
• Enjoys programming in JS, Python and .NET
Topics to be covered


• JavaScript
• JavaScript Obfuscation
• JavaScript De-Obfuscation Techniques
What is Obfuscation

<pre>
function wprcm() {
  var uUHIjMJVFJET = navigator.userAgent.toLowerCase();
  if (uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) !=
      -'Z'[720094129..toString(16<<1)+""]) {
    return String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0x72,0x46,0x53);
  }
  if (uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x") !=
      -'c'[720094129..toString(4<<3)+""]) {
    return (-~-~-~'Nday'[720094129..toString(1<<5)+""]<(-~-~'bp'[720094129..toString(2<<4)+""]*010+2)?
      (function () { var qeNX='sG',YMkg='XfkU',PQmI='l',Iulx='oMAYc'; return PQmI+Iulx+YMkg+qeNX })():
      String.fromCharCode(106,0x67,0143,120,117));
  }
}
</pre>
                            JavaScript : Attack & Defense
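
What the sample above conceals can be recovered without running it. The block below is an added example, not part of the original slides: it folds the three constant idioms the sample relies on (String.fromCharCode with mixed octal, hex and decimal numerals, N..toString(radix), and 'x'["length"]). The names parseNumeral and foldConstants are this example's own.

```javascript
// Added example, not from the slides: static constant folding of the sample.
// Nothing from the sample is executed; three idioms are rewritten by regex.

// The slide's function, re-wrapped but otherwise unchanged.
const SAMPLE = `function wprcm(){ var uUHIjMJVFJET = navigator.userAgent.toLowerCase();
if(uUHIjMJVFJET.indexOf(String.fromCharCode(0157,112,0145,114,97)) != -'Z'[720094129..toString(16<<1)+""]) {
  return String.fromCharCode(0x6d,0x61,0x54,0150,76,0114,0132,113,0x50,0155,114,0x72,0x46,0x53); }
if(uUHIjMJVFJET.indexOf(523090424..toString(1<<5)+"x") != -'c'[720094129..toString(4<<3)+""]) {
  return (-~-~-~'Nday'[720094129..toString(1<<5)+""]<(-~-~'bp'[720094129..toString(2<<4)+""]*010+2)?
    (function () { var qeNX='sG',YMkg='XfkU',PQmI='l',Iulx='oMAYc'; return PQmI+Iulx+YMkg+qeNX })():
    String.fromCharCode(106,0x67,0143,120,117)); } }`;

// Parse one numeric literal: hex (0x6d), legacy octal (0157) or decimal (112).
function parseNumeral(token) {
  const t = token.trim();
  if (/^0[xX][0-9a-fA-F]+$/.test(t)) return parseInt(t.slice(2), 16);
  if (/^0[0-7]+$/.test(t)) return parseInt(t.slice(1), 8);
  if (/^\d+$/.test(t)) return parseInt(t, 10);
  return NaN; // not a plain literal: the call is left untouched
}

function foldConstants(src) {
  // 1. String.fromCharCode(<literals>) -> "text"
  let out = src.replace(/String\.fromCharCode\(([^()]*)\)/g, (call, args) => {
    const codes = args.split(',').map(parseNumeral);
    return codes.some(Number.isNaN)
      ? call
      : JSON.stringify(String.fromCharCode(...codes));
  });
  // 2. N..toString(A<<B) -> "text": an integer printed in radix A<<B (2..36)
  out = out.replace(/(\d+)\.\.toString\((\d+)<<(\d+)\)/g, (call, n, a, b) => {
    const radix = Number(a) << Number(b);
    return radix >= 2 && radix <= 36
      ? JSON.stringify(Number(n).toString(radix))
      : call;
  });
  // 3. "abc"+"x" -> "abcx", repeated until nothing changes
  let before;
  do {
    before = out;
    out = out.replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g,
      (m, a, b) => JSON.stringify(a + b));
  } while (out !== before);
  // 4. 'Z'["length"] -> 1
  return out.replace(/'([^'\\]*)'\["length"\]/g, (m, s) => String(s.length));
}

console.log(foldConstants(SAMPLE));
```

After folding, the two conditions read as plain user-agent checks and the returned strings are visible as literals; the arithmetic on `-~` is left as written.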
Obfuscation

Obfuscation is the concealment of intended meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret.
-- Wikipedia definition

• Art of Hiding Execution from plain text




JavaScript
• Loosely typed language
• Gibberish-looking data can convey valid information
• The web depends on JS
• Mostly used on the client side, but recently server-side implementations like node.js are becoming popular

Sample:
function factorial(n) {
  if (n === 0) { return 1; }
  return n * factorial(n - 1);
}
Why Create Obfuscated Code
1. Bypass WAFs.
2. Decrypt exploit packs.
3. Bypass filters (in-house and commercial).
4. Hide implementation details.
5. Social engineering payloads.
Let's deobfuscate the script by replacing "document.write" with "alert".

JavaScript Strings
• 1. "I am a normal string"
   -- Normal String
• 2. 'I am a normal string'
   -- Normal String
• 3. /I am a regex string/+''
   -- Regex Strings
• 4. /I am a regex string/.source
   -- Regex Source facility
• 5. ['I am a String']+[]
   -- Square notation to access string.
• 6. "this is a \
      Multiple line \
      string"
• JavaScript provides various methods to create strings
• Strings play a very major role in obfuscation
• Some implementations can be browser specific only
Operators
• JavaScript supports many infix operators:
     +,-,~,++,--,!,
• They play a very active role in obfuscation
Regular Expressions (RE)
• What are regular expressions?
• Browsers support using an RE as a function, with arguments passed to it.
• The result is either the first match or, if parentheses are used, the results are stored in an array.
Comments
• // single-line comments
• /* */ multiline comments
• JavaScript supports <!-- --> HTML comments inline in JavaScript.
Escapes
• Allow adding characters outside the ASCII charset to the code without breaking the code

• \ is an example of an escape
Encoding
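• Critical part of Obfuscation
• 3 Modes Supported :
   1. Unicode =====> \u0061
   2. Octal =====> \141
   3. Hex =====> \x61
<script>
// Builds and evaluates the string \u0061l\u0065r\u0074(2), i.e. alert(2).
// Calling a RegExp as a function only works in older browsers.
eval(RegExp('\x5c\x75\x30\x30\x36\x31').source + String.fromCharCode(0154) +
     '\\u00' + 0x41 + /\u0072/('\x72') + '\134u0074' + '(2)')
</script>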
Hide EVAL from the previous Slide
Hiding Eval

(a = {}.valueOf, a())[String.fromCharCode(101,118,97,108)]

Basic Obfuscation !!!
JavaScript Variables
•   Variables can be used to store values
•   Can be defined with or without "var"
•   Names may contain:
•   1. Alphanumeric characters
•   2. Numbers, except as the first character
•   3. _ and $
•   4. Unicode characters
JavaScript Variables
•   JS allows various methods to create JavaScript variables:

•   x = "string";
•   (x)=('string');
•   this.x='string';
•   x ={'a':'string'}.a;
•   [x,y,z]=['str1','str2','str3'];
•   x=/z(.*)/('zstring')[1];x='string';
•   x=1?'string':0

An old version of a well-known WAF used to detect:
x='alert(1)';eval(x);
But not this:
x=1?'al'+'ert(1)':0;eval(x);
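
The Encoding slide and the WAF comparison above both come down to a filter matching on raw text. The block below is an added example, not part of the original slides, of the normalisation a filter needs before applying a signature: it decodes the three escape forms and merges split string literals. SIGNATURE, the function names and the sample inputs are constructed for illustration.

```javascript
// Added example, not from the slides: normalise script text before a
// signature check. SIGNATURE and the sample inputs are constructed.
const SIGNATURE = /\balert\s*\(/;

// Decode \uXXXX, \xXX and legacy octal escapes (\141). An escaped backslash
// (\\) is consumed as a unit so that \\u0061 is left as written.
function decodeEscapes(src) {
  const esc = /\\(\\|u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|[0-3][0-7]{2}|[0-7]{1,2})/g;
  return src.replace(esc, (m, body) => {
    if (body === '\\') return m;
    const hex = body[0] === 'u' || body[0] === 'x';
    return String.fromCharCode(
      hex ? parseInt(body.slice(1), 16) : parseInt(body, 8));
  });
}

// Merge adjacent string literals joined by +, e.g. 'al'+'ert(1)'.
function foldStringConcat(src) {
  const pair =
    /(['"])((?:(?!\1)[^\\\n])*)\1\s*\+\s*(['"])((?:(?!\3)[^\\\n])*)\3/g;
  let before;
  do {
    before = src;
    src = src.replace(pair, (m, q1, a, q2, b) =>
      b.includes(q1) ? m : q1 + a + b + q1); // skip if re-quoting would break
  } while (src !== before);
  return src;
}

function normalise(src) {
  return foldStringConcat(decodeEscapes(src));
}

// Compare what the signature sees before and after normalisation.
function check(src) {
  return {
    raw: SIGNATURE.test(src),
    normalised: SIGNATURE.test(normalise(src)),
  };
}

const SAMPLES = [
  "x='alert(1)';eval(x);",          // plain form
  "x=1?'al'+'ert(1)':0;eval(x);",   // split literal
  "eval('\\u0061l\\x65r\\164(2)')", // unicode, hex and octal escapes
  "s='\\\\u0061lert(1)'",           // escaped backslash: not decoded here
];
for (const s of SAMPLES) console.log(JSON.stringify(check(s)), s);
```

The last sample stays unmatched because its escape only forms when the string is evaluated at runtime, which a single static pass does not model.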

Built-in Variables
• Essential to interact with browser objects like:

• document – get access to the DOM, URL, cookies
• name – sets property name from parent window.
• location.hash
• The URL variable
Alpha Numeric JS
• Creating a JavaScript snippet without any alphanumeric characters
         (+[][+[]]+[])[++[[]][+[]]] = "a"
Detailed steps :
1. +[] = 0
2. [+[]] = 0 inside an object accessor
3. [][+[]] = create a blank array and try to access index 0, which gives 'undefined'
Alpha Numeric JS
4. +[][+[]] = we use the infix operator + to perform a mathematical operation on the result of the previous operation, which results in NaN (Not a Number)
We now have to extract the middle 'a' from the result:
1. (+[][+[]]+[]) = "NaN" as a string
2. ++[[]][+[]] = 1 (quirk by oxotonick)
3. (+[][+[]]+[])[++[[]][+[]]] = 'a'

Alpha Numeric JS
•   Let's try 'l'
•   We can find 'l' in "false"
•   Fact: ''==0 is true; the opposite of this is false
•   ([![]]+[]) == "false"
•   ++[++[[]][+[]]][+[]]   Use the previous quirk to get 2
•   Combine them to create 'l'
•   ([![]]+[])[++[++[[]][+[]]][+[]]] == 'l'



Alpha Numeric JS
• Now for 'e'
• We could use "true" or "false", but we will use "true" because its 'e' is closer to the start, which reduces complexity
• [!![]]+[] = "true"
• ++[++[++[[]][+[]]][+[]]][+[]] = 3
• ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] = 'e'




Alpha Numeric JS


•   Now we will try creating 'r'
•   Found in "true"
•   Position of 'r' in "true" is 1
•   [!![]]+[] = "true"
•   ++[[]][+[]] = 1
•   ([!![]]+[])[++[[]][+[]]] = 'r'




Alpha Numeric JS


•   Now we will try 't'
•   't' is in "true"
•   Position is 0
•   [!![]]+[] = "true"
•   [+[]] = 0
•   ([!![]]+[])[+[]] = "t"
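
Code built this way has a distinctive shape that is easy to screen for. The block below is an added example, not part of the original slides: it locates long runs of the symbols [ ] ( ) ! + in a script and reports whether the script consists of them entirely or has them embedded in ordinary code. The threshold of 16 symbols (the length of the 't' expression above) and all names are this example's assumptions.

```javascript
// Added example, not from the slides: locate runs of the symbols [ ] ( ) ! +
// that the derivations above are written in. The threshold is an assumption.
const RUN = /[\[\]()!+](?:\s*[\[\]()!+])*/g;

// Return every run holding at least minSymbols symbols (whitespace inside a
// run is allowed but not counted), with offsets into the original text.
function findSymbolRuns(src, minSymbols = 16) {
  const hits = [];
  for (const m of src.matchAll(RUN)) {
    const symbols = m[0].replace(/\s+/g, '').length;
    if (symbols >= minSymbols) {
      hits.push({ start: m.index, end: m.index + m[0].length, symbols });
    }
  }
  return hits;
}

// 'symbols-only': the whole script is such runs; 'embedded': runs sit inside
// ordinary code; 'plain': no run reaches the threshold.
function classify(src, minSymbols = 16) {
  const hits = findSymbolRuns(src, minSymbols);
  if (hits.length === 0) return 'plain';
  const covered = hits.reduce((n, h) => n + h.symbols, 0);
  const total = src.replace(/\s+/g, '').length;
  return covered === total ? 'symbols-only' : 'embedded';
}

const INPUTS = {
  a: '(+[][+[]]+[])[++[[]][+[]]]',                   // from the slides
  t: '([!![]]+[]) [+[]]',                            // from the slides
  factorial: 'function factorial(n) { if (n === 0) { return 1; } ' +
             'return n * factorial(n - 1); }',       // from the slides
  mixed: 'var c = (+[][+[]]+[])[++[[]][+[]]] + "lert";', // constructed
};
for (const [name, src] of Object.entries(INPUTS)) {
  console.log(name, classify(src), JSON.stringify(findSymbolRuns(src)));
}
```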




Tools To Create Obfuscated Code
1. Strong knowledge of JavaScript
2. Firebug or Chrome developer tools
3. SpiderMonkey
4. Imagination …..
Thanks
• I would like to thank the following people for all the knowledge they put out in the world
• Gareth Heyes
• Mario Heiderich




Prasanna Kanagasabai
Prasanna.in@gmail.com
