Category: Code

JSFoo Hacknight and Javascript Obfuscation Tool Development

Last Saturday HasGeek organized JsFoo Hacknight in collaboration with Null. The event was planned specifically around Javascript security, with 3 trainers presenting and conducting workshops on 3 relevant topics. The presentations started at around 3:30pm with Lavakumar talking about DOM XSS, continued with Riyaz presenting on AJAX CORS Security, and concluded with Prasanna introducing the participants to Javascript obfuscation techniques.

The next phase of the event was the workshop part. Three parallel workshops were planned, with three sessions by each trainer so that everybody could attend all the workshops.

I chose to attend Prasanna’s session on Javascript obfuscation as my first workshop for the night. This is where various ideas related to Javascript obfuscation and de-obfuscation struck.

JsObFoo: The Javascript Obfuscation Tool

The idea for developing this tool came during Prasanna’s workshop on the same topic. Initially I was planning to perform analysis on the Javascript AST in order to de-obfuscate already obfuscated malware such as exploit packs. However it quickly turned out that static analysis is not the ideal approach for de-obfuscation. Various dynamic analysis tools and techniques already exist for this task, many of which get the job done decently.

A modular approach is followed in designing and developing the prototype implementation so that it can be extended and enhanced easily. The current implementation uses the RKelly library to parse Javascript into an AST (Abstract Syntax Tree). Modules are written to walk the AST and transform parts of the source code as required.

Usage

bash-3.2$ ruby jsobfoo.rb 
Usage: jsobfoo.rb [options]
    -i, --input [FILE]               Javascript source file to obfuscate
    -o, --output [FILE]              File to write obfuscated Javascript source
    -z, --compress                   Compress generated Javascript source
    -v, --verbose                    Show verbose messages
    -C, --console                    Start IRB console

Example Obfuscated Javascript Generated by JsObFoo:

var \u00610\u004d\u0049\u0074\u0050\u004f\u0072\u0074\u0058 = 0;
var \u0052N\u0056\u0049\u0076\u0032\u006fj\u004a\u0074 = "\u0022\x41\x42\x43\u0044\u0022";
function xQWyTdECDj(){
var \u004e\u0059\u0034F\u0047\u0054\u0068\u0036\u004a\u004e = 100;
var \u0070y\u0067\u0078\u0039ebF\u004d\u006e = \u004e\u0059\u0034F\u0047\u0054\u0068\u0036\u004a\u004e + 200;
return \u0070y\u0067\u0078\u0039ebF\u004d\u006e;
}
function InFmTrlicx(){
var \u0064\u0069y\u0044W\u0039\u0076Z\u004e\u0035 = 200;
var \u004b\u0047\u0035\u0076\u0038Y\u0047q\u0048P = \u0064\u0069y\u0044W\u0039\u0076Z\u004e\u0035 + 500;
return \u004b\u0047\u0035\u0076\u0038Y\u0047q\u0048P;
}
for(\u00610\u004d\u0049\u0074\u0050\u004f\u0072\u0074\u0058 = 22; \u00610\u004d\u0049\u0074\u0050\u004f\u0072\u0074\u0058 < 44; \u00610\u004d\u0049\u0074\u0050\u004f\u0072\u0074\u0058 += 4) {

}
\u00610\u004d\u0049\u0074\u0050\u004f\u0072\u0074\u0058 += 2;
\u0065\u0076\u0061\u006c("\x61\x6c\x65\x72\x74")(\u00610\u004d\u0049\u0074\u0050\u004f\u0072\u0074\u0058);
\u0065\u0076al("\x61\x6c\x65\x72\x74")(xQWyTdECDj());
\u0065\u0076\u0061\u006c("\x61\x6c\x65\x72\x74")(InFmTrlicx());
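The two tricks visible in the output above are \uXXXX escapes in identifiers (legal in ES5, so `\u0065\u0076\u0061\u006c` is simply `eval`) and \xXX/\uXXXX escapes inside string literals. Undoing them is the first step an analyst takes before any of the de-obfuscation discussed earlier, and it needs no parser at all. The following normaliser is an added example, not part of JsObFoo and not using RKelly; the sample input is the first `var` line and the first `eval` line of the output above, copied verbatim, and the list of dynamic-code sinks it reports on is an assumption made for illustration.

```ruby
# Added example (not JsObFoo's code): decode the escape forms seen in the
# generated output so the script can be read. Pure Ruby, no gems.
#
#  * identifiers written as \uXXXX escapes are decoded to their characters
#  * \xXX and \uXXXX escapes inside string literals are decoded, except for
#    characters that would break the literal, which keep a short escape

# Constructed sample: two lines copied from the obfuscated output above.
SAMPLE = <<~'JS'
  var \u0052N\u0056\u0049\u0076\u0032\u006fj\u004a\u0074 = "\u0022\x41\x42\x43\u0044\u0022";
  \u0065\u0076\u0061\u006c("\x61\x6c\x65\x72\x74")(\u00610\u004d\u0049\u0074\u0050\u004f\u0072\u0074\u0058);
JS

# An escaped backslash (\\) is matched first so that "\\u0041" in the source
# is left alone: it is a literal backslash followed by text, not an escape.
ESCAPE_RE = /\\\\|\\u([0-9A-Fa-f]{4})|\\x([0-9A-Fa-f]{2})/

# Decoded characters that cannot appear raw inside a string literal;
# decoding "\u0022" to a bare quote would terminate the string early.
KEEP_ESCAPED = {
  '"'  => '\\"',
  "'"  => "\\'",
  '\\' => '\\\\',
  "\n" => '\\n',
  "\r" => '\\r',
  "\t" => '\\t',
}.freeze

def decode_escapes(src)
  src.gsub(ESCAPE_RE) do
    m = Regexp.last_match
    next m[0] if m[0] == '\\\\'                 # escaped backslash, pass through
    code = (m[1] || m[2]).to_i(16)
    next m[0] if (0xD800..0xDFFF).cover?(code)  # lone UTF-16 surrogate half, keep as written
    ch = [code].pack('U')
    KEEP_ESCAPED.fetch(ch, ch)
  end
end

# Assumed list of dynamic-code sinks worth flagging once the escapes are gone.
SINKS = %w[eval Function setTimeout setInterval].freeze

# Returns the distinct sink names that appear as direct calls in src.
def code_sinks(src)
  src.scan(/\b(#{SINKS.join('|')})\s*\(/).flatten.uniq
end

if $PROGRAM_NAME == __FILE__
  decoded = decode_escapes(SAMPLE)
  puts decoded
  puts "sinks reached after decoding: #{code_sinks(decoded).join(', ')}"
end
```

On the sample this yields `var RNVIv2ojJt = "\"ABCD\"";` and `eval("alert")(a0MItPOrtX);`, so the `eval` sink that the escapes hid from a plain text search is reported. The quote handling matters: without it the decoded string literal would contain a bare `"` and no longer parse.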

Roadmap

  • Implement/Use the esoteric JSFuck for string obfuscation 😛
  • Full script encoder (Encode with XOR or some other algorithm and eval at runtime with an obfuscated loader)
  • Encoder with environment-derived key (e.g. key derived from user-agent?)
  • Transparent browser detection (e.g. --no-chrome: Do not run JS on Chrome)
  • Contextual Transformation (e.g. Fake Calls)

Source

Github

null Code Samrat | Core Committer for null BitBucket Repository

null Code Samrat | The First Among the Equals

Today we are announcing a brand new position for null volunteers. We have our very own null Code Samrat. Samrat in Hindi means emperor. So the job of the null Code Samrat is to ensure that all our projects (including this website), all our code created by Humla Champions, speakers and more. Needless to say this is a very important position and only the most responsible, dependable and diligent volunteers amongst all of us will get it.

Meet Himanshu Kumar Das

Please meet Himanshu. He has been associated with null for the last 3 years and has actively participated in all the events and projects organized by the null community. His interests lie in the areas of web application security and mobile application security. He is also passionate about playing CTFs and has participated in several international CTF contests representing team SegFault. He won nullcon Jailbreak 2012 and was part of the team that designed the nullcon HackIM 2013 CTF. In his free time he participates in various bug bounty programs and has been acknowledged by several notable programs. He enjoys coding and learning in Python. He believes that the web browser war has begun, and hence his learning wishlist includes browser security and exploit development.

Important Details

You can all reach him at codesamrat AT null DOT co DOT in.

Currently we are going to allow null members with null.co.in email addresses access to the different repositories. Once we have stabilised everything, then maybe we will open it up for all.

Bit Bucket Repository

Our code repositories are at https://bitbucket.org/null0x00.

Atlassian have been kind enough to give us a free unlimited account for this.