I found this quite interesting: calling the find function in Firefox without parameters displays a dialog box, and calling it multiple times displays loads of find windows.
for (var i = 0; i < 100; i++) { find(); } // each call opens another Find dialog in Firefox
I’m a big fan of strange looking Javascript and of using the syntax in ways it wasn’t intended, so I can understand the internals of what’s going on. Tonight I was having trouble sleeping and I decided to try and bypass the PHPIDS. I found that Firefox lets you use getters with unassigned variables and returns the results.
the=javascript getter=eval s = me getter=the('alert(1)')
I haven’t posted for a while as I’ve been busy but I thought I’d post about object cloning because it’s a useful tip and can be used in many situations like browser hacking or general web development. I posted this to the sla.ckers forum a while ago but in case you missed it here goes….
When cloning an object in Javascript many of the examples I found used for(i in..) to traverse the properties and copy each of them. There is a nicer way to do this using the uneval function like this:-
var obj = {a: 1, b: 2};
function clone(o) { return eval(uneval(o)); } // uneval is Firefox-only: it returns the object's source text
var obj2 = clone(obj);
obj2.a = 0;
alert(obj.a);  // the original is untouched
alert(obj2.a); // only the copy changed
Giorgio Maone pointed out that it would be nice to prototype the code to make it easier to implement:-
Object.prototype.clone = function() { return eval(uneval(this)); };
alert("test".clone());
alert((3).clone());
alert(clone.clone()); // clone is the function defined in the example above
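Since uneval exists only in Firefox, here is an added example (not the post’s code) that builds the same deep-copy semantics portably and shows two caveats the post touches on: a for(i in..) copy shares nested objects, and a clone added to Object.prototype must be non-enumerable or every for-in loop on every object will see it.

```javascript
// Added example, not the post's code: a portable stand-in for eval(uneval(o)).
function shallowClone(o) {
  var c = {};
  for (var k in o) c[k] = o[k];    // nested objects are copied by reference
  return c;
}

function deepClone(o) {
  // primitives and functions are returned as-is (eval(uneval(f)) would
  // rebuild a function from its source; here the same function is shared)
  if (o === null || typeof o !== 'object') return o;
  var c = Array.isArray(o) ? [] : {};
  Object.keys(o).forEach(function (k) { c[k] = deepClone(o[k]); });
  return c;
}

// Same call style as the prototype version above; defineProperty keeps the
// property non-enumerable, unlike a plain assignment to Object.prototype
Object.defineProperty(Object.prototype, 'clone', {
  value: function () { return deepClone(this.valueOf()); }, // valueOf unboxes "test" and (3)
  writable: true,
  configurable: true
});

// Returns the property names a for-in loop sees on an object
function enumerableKeys(o) {
  var keys = [];
  for (var k in o) keys.push(k);
  return keys;
}
```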
I’ve updated the source and it now includes friendly variable/function creation so they are easier to read than pure random data. Thanks to Agente Naranja for the suggestion! I’ve fixed plenty of bugs and included many customisation options; each site using it should change the configuration of the CAPTCHA to make it easier or harder to solve depending on the technical skill of the visitor. Enjoy!
I’ve sat on the concept for a long time and it has had many names, but I’ve got a bit of free time now so I decided to create a proof of concept. It isn’t perfect yet and there may be false positives due to a few bugs, but if you read my blog you know I like to release code early.
So what is it, I hear you ask? Well, Codetcha is a CAPTCHA but not in the traditional sense: it purposely creates code bugs and uses the developer’s debugging skills to determine whether he/she is human or not. In the first version I’ve used Javascript as the error prone code and a PHP mirror behind the scenes to get the relevant value. However, any programming language could be used; I decided on Javascript because you can use the native debugging in the browser to help you pass the test.
It’s worth noting that this sort of system couldn’t be used on a non-technical forum or blog because it assumes knowledge of a programming language but it could be used on technical blogs and forums.
Fixed more bugs, reduced the settings slightly. I’ll release the source code soon once I’ve refined it a bit more.
I’ve fixed many bugs, reduced the code by 50% and improved the replace algorithm.
Javascript contains hidden properties in many objects. I first discovered this when DoctorDan from the slackers forum demonstrated a technique to get the text from a regular expression object without specifying the source property. Later I found a post by John Resig about weird IE behavior, again with -1 properties.
So I decided to experiment and write a little script to investigate further. I discovered that it’s possible to access strings of global object names. For example:-
alert(Boolean[-6]);
alert(typeof Boolean[-6]);
It seems that Firefox at least stores names of objects in "-6"; the example above returns the value "Boolean" as a string. Here are a few examples I posted on slackers which use Objects to create strings.
This is the simple script I wrote to find the properties, feel free to experiment and find any other “hidden” gems.
function inspectObject(obj) {
  var prop;
  var props = [];
  for (var i = -1000; i < 1000; i++) {
    if (i > 0) {
      // positive range: try single-character property names
      prop = obj[String.fromCharCode(i)];
      if (prop != null) {
        props.push(String.fromCharCode(i) + '=' + prop);
      }
    } else {
      // zero and negative range: try numeric indexes such as -6
      prop = obj[i];
      if (prop != null) {
        props.push(i + '=' + prop);
      }
    }
  }
  return props;
}
x = function x() {};
inspectObject(x);
Finding a pattern in malicious javascript is difficult: it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph Javascript and I shall go through a few of the possibilities and provide examples through Hackvertor (which now supports code morphing).
In order for a pattern to be established the detection mechanism needs to understand hexadecimal, unicode and octal escapes along with general javascript syntax. It’s difficult to maintain polymorphic code without an increase in size; this could be an indicator that malicious code exists, because the code only has so many characters it can selectively modify without encoding the whole payload again. Of course an encoding/compression algorithm could maintain the same size, but I think this is easier to detect.
A common factor with malicious javascript is the use of eval or external connections; if a site is using eval in more than one instance and on multiple pages it could contain malicious code. Even the use of a single eval is not that common on the average web site, and whitelisting the existing known code could be a good way of detecting malicious content.
I believe the best form of defense is attack and therefore I’ve created code morphing tags in Hackvertor, the tags are not comprehensive but provide a good reference on how javascript code can be selectively modified. There are two classes of morph currently in Hackvertor, random morph and full morph. Random mode will modify a small section of the code without changing the result and full mode will encode the entire payload, this is similar to the code morphing script I wrote previously but contains more features.
Ternary operators can be used to partially morph a string:-
Random ternary morph
Unicode morphing can be used in function calls and javascript strings, the following example shows how the alert function can be changed. Click convert a few times to see the different results:-
Unicode morph
Character codes can partially modify a string like this:-
Charcodes morph
Finally I’ll show the variable morph; there are more morphs available but I’ll leave you to experiment with them. The variable morph simply selects an individual character and creates a separate string:-
Here I show how the urlencode functions can be used to morph the entire payload:-
Escape morph
Ternary morphs can also be applied to a full payload:-
Ternary morph
The example below shows how to create a javascript link with multiple random morphs which uses hex entity encoding with a unicode and character code random morph.
Javascript link url
Here’s how to take a string and randomly encode parts of it with urlencoding and character codes:-
Random parts morph
This is my last one now; there are so many combinations I could show you. Click the execute output button to view:-
Reversing keywords
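Taking the detection side of the post above, here is an added example (not Hackvertor’s code) that canonicalises the morphs shown (unicode/hex/octal escapes, URL-encoding, String.fromCharCode with literal arguments, numeric ternaries such as (1?'a':'b') and "a"+"b" concatenation) so that a pattern matcher sees the underlying payload. The exact output shapes of Hackvertor’s morphs are assumed, and the sample inputs are constructed.

```javascript
// Added example, not Hackvertor's code: fold common morphs back into plain
// source before matching, as the detection discussion above suggests.

function decodeEscapes(s) {
  return s
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)));
}

// %XX URL-encoding, as used by the escape morph inside javascript: URLs
function decodeUrl(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// String.fromCharCode(97,108) with numeric literals only -> "al"
function foldCharCodes(s) {
  return s.replace(/String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g,
    (_, list) => JSON.stringify(String.fromCharCode(...list.split(',').map(Number))));
}

// (1?'a':'b') with a numeric condition and literal branches -> 'a'
function foldTernary(s) {
  return s.replace(/\(\s*(\d+)\s*\?\s*(["'][^"'\\]*["'])\s*:\s*(["'][^"'\\]*["'])\s*\)/g,
    (_, c, a, b) => (Number(c) ? a : b));
}

// "a"+"b" -> "ab", repeated until nothing changes
function foldConcat(s) {
  const re = /(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3/;
  let prev;
  do { prev = s; s = s.replace(re, (_, q, a, _q2, b) => q + a + b + q); } while (s !== prev);
  return s;
}

function normalize(code) {
  return foldConcat(foldTernary(foldCharCodes(decodeUrl(decodeEscapes(code)))));
}

// Keywords the post singles out, matched on the normalised form only
function findIndicators(code) {
  const hits = normalize(code).match(/\b(eval|Function|alert)\b/g) || [];
  return [...new Set(hits)];
}
```

The folds are heuristics over text, not a parser, so a `%` or `+` in ordinary code can be rewritten too; use the normalised form for matching and keep the original for reporting.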
As a technical challenge, and maybe in future to allow Hackvertor to execute javascript code from the user, I decided to create a javascript sandbox.
It works by first running the code through a new Function constructor and toSource; the reason for this is that Firefox actually normalises the code supplied, e.g. ‘te\st’ becomes ‘test’. Then a private function is created to handle the supplied code; it loops through the global objects and assigns each of them as a local variable to remove dangerous functions. Underscores are removed from the code because I found it impossible to secure __parent__, as it cannot be redefined. The global Function and its constructor are overwritten to prevent access to new Function() calls.
Giorgio Maone found some excellent holes in my code which hopefully I’ve fixed now. Giorgio makes the excellent NoScript, simply the best Firefox extension on the net! Thanks Giorgio.
Waldo on the slackers forum found some excellent vectors to slip through the sandbox. I’ve updated the script to take into account that there are millions of ways to return to the window object in Javascript. This time I’ve changed the sandbox to nullify the actual window object properties and restore them when the sandbox is run. Big thanks to Waldo for the awesome stuff, more of his sandbox breaking (for Facebook) can be viewed here.
So join in the fun and see if you can execute code:-
Firefox sandbox
I thought about adding basic bookmarklets to Hackvertor but then I had an idea: wouldn’t it be cool if you could create your own?
This simple yet powerful feature will allow you to perform a Hackvertor conversion on any text from any web page. This means you can convert a selection of text to hex entities, urlencoded string, base64 or all of them at once if you like!
1. Click the Hackvertlet button (Make sure there’s no text in the input box)
2. Choose the tags you would like to perform the conversions.
3. Click the Hackvertlet button again.
4. Give the Hackvertlet a descriptive name like “urlencode”
5. Drag the link to your bookmarks.
So what are you waiting for? Go make your life easier with Hackvertlets:-
Hackvertor
Please note I’ve designed this for Firefox only.
I’ve finally and completely (I hope) fixed nested tags. This was an absolute nightmare to solve because the engine kept matching the wrong sets of tags. For example if you placed the following tags in Hackvertor:-
<hex_ent><hex_ent>test</hex_ent></hex_ent>
Hackvertor wouldn’t know which one it should convert first. The way to actually solve the problem would be to match the first ending tag and look backwards in regular expressions to find the next starting tag, but… Javascript doesn’t support lookbehind correctly. I tried numerous regular expressions to solve this problem and today I just thought to myself that there must be an easier way… I was right.
Simply appending a unique number to a tag makes each tag different and therefore solves the problem. The result:-
Multiple tags
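The numbering trick described above, as an added example that is not Hackvertor’s code: each opening tag is given a unique number, its closing tag is paired via a stack, and a lazy regular expression can then always find a tag’s own closer, so the innermost tag is converted first. Only hex_ent and a urlencode tag are implemented here, both assumed conversions.

```javascript
// Added example, not Hackvertor's code: nested conversion tags resolved by
// numbering each tag so that its closing tag is unique.
var CONVERTERS = {
  hex_ent: function (s) {
    return s.split('').map(function (c) {
      return '&#x' + c.charCodeAt(0).toString(16) + ';';
    }).join('');
  },
  urlencode: function (s) { return encodeURIComponent(s); }
};

// <tag>...</tag> -> <tag#1>...</tag#1>, pairing closers with a stack
function numberTags(input) {
  var stack = [], n = 0;
  return input.replace(/<(\/?)(\w+)>/g, function (m, close, name) {
    if (!CONVERTERS[name]) return m;            // leave unknown tags alone
    if (!close) { stack.push(++n); return '<' + name + '#' + n + '>'; }
    return '</' + name + '#' + stack.pop() + '>';
  });
}

// With unique numbers a lazy match always stops at the tag's own closer;
// recursion converts the inner content before the outer tag is applied
function convert(input) {
  return numberTags(input).replace(/<(\w+)#(\d+)>([\s\S]*?)<\/\1#\2>/g,
    function (_, name, n, inner) { return CONVERTERS[name](convert(inner)); });
}
```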
Internet Explorer now supports the base64 encoding functions and URLs. I thought this was already the case but it turns out that the base64 code I added was missing a few things. I’ve fixed it now though, so they should work fine in IE.
I recently discovered that you can use zero spaced named entities in Javascript (when in a URL). I thought it would be a good idea to add them into Hackvertor, so here you go:-
Zero spaced entities