Materials for OWASP presentation on malicious JavaScript
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
jekyll2.html - added proper attack testcase to jekyll2.html Jun 14, 2010

Author: Krzysztof Kotowicz
License: MIT

In this repository there are various materials for OWASP presentation on malicious JS

The slides are here:

The files present attacks on jsunpack and Dean Edwards Unpacker

jsunpack attacks

Sandbox detection

  • copy files from the main directory to your document root
  • Modify js.js with your webserver path
  • add some sandbox detection tests (real_browser = ...) from the presentation to js.js
  • Use jsunpack-n -a -u <URL for index.php> to trigger the attack and see that it avoids detection

Dr Jekyll attack

  • check jekyll1.html and jekyll2.html files The trick here is that jsunpack executes all <script> tags instead of only JavaScript and we can avoid detection by running some code only while in jsunpack sandbox.

HTML hack

  • edit js.js file and add "//<>" at the beginning - this will skip parsing the file by jsunpack completely. The thing is - jsunpack parses all scripts as html first and this triggers some weird error in the parser, modifying the resulting JavaScript.

Dean Edward's Unpacker

Function.toString attack

  • whitespace.php is a demo file that shows how modyfing Function.toString() works in real code
  • copy of unpacker website is in unpacker.html file
  • whitespace.js is an obfuscated Function.toString() replacer
  • whitespace.packed.js is the same, but packed
  • evil.packed.js is the script we want to hide from unpacker by attaching whitespace.packed.js near the end of the file
  • paste combined.js contents (without the first line) into unpacker to see the attack in action.