prasanna-kanagasabai
JAVASCRIPT INTRODUCTION
• Cement of the internet (personal thought)
• De-facto language for web
• Birth @ Netscape
• Born as “Mocha”
• Object oriented
http://en.wikipedia.org/wiki/JavaScript
AGENDA
• DOM XSS
• CORS
• JSON Hijacking
• POST Message
• JavaScript Obfuscation
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
This is not a child's drawing, it is code.
DOM XSS
• Like stored and reflected XSS, it also results from DOM modification
• The difference is in how it is triggered
• Server might never see the payload
Keywords: Source, Filter, Sink
Source – Sink = Failure
Source – Filter – Sink = Perfect
https://www.owasp.org/index.php/DOM_Based_XSS
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
CORS – CROSS ORIGIN RESOURCE SHARING
By default a page on one domain cannot read responses from another domain (the browser's same-origin policy). In some cases applications need to talk to each other, which is where CORS comes into play: CORS lets a server allow selected origins to read its responses.

For CORS to work the browser asks the server for permission by means of a pre-flight request; the server responds with the methods and headers it supports, and the client then proceeds with the actual request.
Request Header: Origin: http://yourapplication.com
Server Response: Access-Control-Allow-Origin: *
JSON HIJACKING (JSONP)
• Cross-domain JSON sniffing.
• JSONP (JSON with Padding) was created to communicate across domains.
• The JSON response is encapsulated in a function call.
• A malicious site could define a function with the same name and receive the contents of the JSON.
• The contact-stealing attack by Jeremiah Grossman against Gmail is an example of JSON hijacking.
• Google now prefixes its JSON with while(1){XXXX}, which precedes the JSON so the response cannot be consumed as a script.
POST MESSAGE
inner = document.getElementById("inner").contentWindow;
inner.postMessage(document.getElementById("val").value, "*");
postMessage allows cross domain communication.
One of the major flaws is that the receiver needs to verify that the message was meant for it (where it came from) before using it.
postMessage expects a target origin to be given but supports a wildcard ("*"), which can be abused.
Input validation issues could lead to XSS
https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage
http://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf
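As an added example (not from the original slides), a receiver that applies the Source – Filter – Sink model from the DOM XSS section to postMessage: the origin allow-list, the message shape and the element id are assumptions made for illustration.

```javascript
// Added example: Source -> Filter -> Sink applied to window.postMessage.
// Source: event.data delivered by postMessage from another window.
// Filter: check event.origin against an explicit allow-list, then validate
//         the shape of the payload instead of trusting it.
// Sink:   write with textContent, never innerHTML, so markup stays inert.
// ALLOWED_ORIGINS, the "greeting" message shape and the "out" element id
// are assumptions for this example.

const ALLOWED_ORIGINS = new Set(["https://app.example", "https://widget.example"]);

// Returns the text that may be shown, or null when the message must be dropped.
function filterMessage(event) {
  // Filter step 1: only accept messages from origins we trust.
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  // Filter step 2: validate the payload shape and size.
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== "greeting" || typeof data.name !== "string") return null;
  if (data.name.length > 64) return null;
  return data.name;
}

// Sink: textContent treats the value as text, so "<b>" is displayed literally.
function renderGreeting(target, name) {
  target.textContent = "Hello, " + name;
  return target.textContent;
}

// Wire-up in a real page (window and document exist only in the browser).
function installReceiver(win, doc) {
  win.addEventListener("message", (event) => {
    const name = filterMessage(event);
    if (name === null) return; // drop; log in production for detection
    renderGreeting(doc.getElementById("out"), name);
  });
}

// Sending side: name the target origin instead of "*", so the browser refuses
// to deliver the message if the frame has navigated somewhere unexpected.
function sendGreeting(targetWindow, name) {
  targetWindow.postMessage({ type: "greeting", name }, "https://widget.example");
}
```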
JAVASCRIPT OBFUSCATION
Art of Hiding data in plain text
Why obfuscation
• Bypass WAFs and filters
• Decrypt exploit packs
• Bypass filters (in-house and commercial)
• Hide implementation details
• Social engineering payloads
Creating a JavaScript Snippet Without any Alphanumeric characters
(+[][+[]]+[])[++[[]][+[]]] = “a”
Detailed steps :
1. +[] = 0 (unary plus on an empty array gives 0)
2. [+[]] = [0], used as a property accessor
3. [][+[]] = index an empty array at 0, which gives undefined
4. +[][+[]] = unary plus on the result of the previous step, which gives NaN (Not a Number)
We now have to extract the middle 'a' from the result:
1. +[][+[]]+[] = NaN as a string, "NaN"
2. ++[[]][+[]] = 1 (quirk by oxotonick)
3. (+[][+[]]+[])[++[[]][+[]]] = 'a'
JAVASCRIPT: ATTACK & DEFENSE
ALPHA NUMERIC JS
Let's try 'l'
We can find 'l' in "false"
Fact: ''==0 is true; the opposite of this is false, and [![]]+[] gives it as a string
([![]]+[]) == "false"
++[++[[]][+[]]][+[]] uses the previous quirk to get 2
Combine them to create 'l':
([![]]+[])[++[++[[]][+[]]][+[]]] == 'l'
DEMO
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
evaluates to "alert"