Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master
Fetching contributors…

Octocat-spinner-32-eaf2f5

Cannot retrieve contributors at this time

file 44 lines (36 sloc) 1.795 kb

Author: Krzysztof Kotowicz
License: MIT

In this repository there are various materials for OWASP presentation on malicious JS

The slides are here: http://www.slideshare.net/kkotowicz/malicious-javascript/

The files present attacks on jsunpack and Dean Edwards Unpacker

jsunpack attacks

Sandbox detection

  • copy files from the main directory to your document root
  • Modify js.js with your webserver path
  • add some sandbox detection tests (real_browser = ...) from the presentation to js.js
  • Use jsunpack-n -a -u <URL for index.php> to trigger the attack and see that it avoids detection

Dr Jekyll attack

  • check jekyll1.html and jekyll2.html files The trick here is that jsunpack executes all <script> tags instead of only JavaScript and we can avoid detection by running some code only while in jsunpack sandbox.

HTML hack

  • edit js.js file and add "//<>" at the beginning - this will skip parsing the file by jsunpack completely. The thing is - jsunpack parses all scripts as html first and this triggers some weird error in the parser, modifying the resulting JavaScript.

Dean Edward's Unpacker

Function.toString attack

  • whitespace.php is a demo file that shows how modyfing Function.toString() works in real code
  • copy of unpacker website is in unpacker.html file
  • whitespace.js is an obfuscated Function.toString() replacer
  • whitespace.packed.js is the same, but packed
  • evil.packed.js is the script we want to hide from unpacker by attaching whitespace.packed.js near the end of the file
  • paste combined.js contents (without the first line) into unpacker to see the attack in action.
Something went wrong with that request. Please try again.