Materials for OWASP presentation on malicious JavaScript

Author: Krzysztof Kotowicz
License: MIT

This repository contains various materials for an OWASP presentation on malicious JavaScript.

The slides are here: http://www.slideshare.net/kkotowicz/malicious-javascript/

The files demonstrate attacks on jsunpack and Dean Edwards' Unpacker.

jsunpack attacks

Sandbox detection

  • Copy the files from the main directory to your document root.
  • Modify js.js with your webserver path.
  • Add some sandbox detection tests (real_browser = ...) from the presentation to js.js.
  • Run jsunpack-n -a -u <URL for index.php> to trigger the attack and see that it avoids detection.

Dr Jekyll attack

  • Check the jekyll1.html and jekyll2.html files. The trick here is that jsunpack executes all <script> tags, not only those containing JavaScript, so detection can be avoided by running some code only while inside the jsunpack sandbox.

HTML hack

  • Edit the js.js file and add "//<>" at the beginning; this makes jsunpack skip parsing the file completely. The reason is that jsunpack parses all scripts as HTML first, and this triggers a strange error in the parser that modifies the resulting JavaScript.

Dean Edwards' Unpacker

Function.toString attack

  • whitespace.php is a demo file that shows how modifying Function.toString() works in real code.
  • A copy of the unpacker website is in the unpacker.html file.
  • whitespace.js is an obfuscated Function.toString() replacer.
  • whitespace.packed.js is the same, but packed.
  • evil.packed.js is the script we want to hide from the unpacker by attaching whitespace.packed.js near the end of the file.
  • Paste the combined.js contents (without the first line) into the unpacker to see the attack in action.
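The unpacker trusts Function.toString() to read back the source of the functions it evaluates, which is exactly what a replacer like whitespace.js subverts. The following is an added example, not code from this repository, of an analysis-side integrity check an unpacker or analyst could run: it captures the native toString before any sample executes, reports indicators of tampering, and reads the real source through the saved reference. The replacer in the demonstration is a constructed stand-in; that whitespace.js returns blank text is an assumption.

```javascript
// Added example (not from the repository): an analysis-side check that the
// Function.prototype.toString an unpacker relies on has not been swapped out by
// the sample under analysis. Assumes this file runs before any untrusted
// script, so the reference captured here is the genuine native implementation.
const nativeToString = Function.prototype.toString;

// Return the names of the tamper indicators found for the function `fn`.
function toStringTamperIndicators(fn) {
  const indicators = [];
  // The shared method itself has been replaced.
  if (Function.prototype.toString !== nativeToString) {
    indicators.push('prototype-replaced');
  }
  // An own `toString` shadows the inherited one on this particular function.
  if (Object.prototype.hasOwnProperty.call(fn, 'toString')) {
    indicators.push('own-property-shadow');
  }
  // Compare what a naive caller sees with what the saved native method returns.
  let seen = null;
  try { seen = fn.toString(); } catch (e) { /* a replacer that throws is suspicious too */ }
  if (seen !== nativeToString.call(fn)) {
    indicators.push('output-mismatch');
  }
  return indicators;
}

// Read a function's real source regardless of any replacement installed later.
function trueSource(fn) {
  return nativeToString.call(fn);
}

// Constructed demonstration: a stand-in payload, then a minimal replacer that
// returns blank text (an assumption about what a file like whitespace.js does),
// then the original method is restored.
function demonstrate() {
  const payload = function payload() { return 'constructed sample body'; };
  const before = toStringTamperIndicators(payload);
  const saved = Function.prototype.toString;
  Function.prototype.toString = function () { return ' '; };
  const after = toStringTamperIndicators(payload);
  const recovered = trueSource(payload);
  Function.prototype.toString = saved;
  return { before, after, recovered };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demonstrate(), null, 2));
}
```

A careful replacer can spoof the identity and output checks, so a clean result is weak evidence; capturing the native reference before the sample runs is the part that holds up.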