Polymorphic javascript

Finding a pattern in malicious javascript is difficult: it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph javascript, and I shall go through a few of the possibilities and provide examples through Hackvertor (which now supports code morphing).

In order for a pattern to be established, the detection mechanism needs to understand hexadecimal, unicode and octal escapes along with general javascript syntax. It’s difficult to maintain polymorphic code without an increase in size; this could be an indicator that malicious code exists, because the code only has so many characters it can selectively modify without encoding the whole payload again. Of course an encoding/compression algorithm could maintain the same size, but I think this is easier to detect.

A common factor in malicious javascript is the use of eval or external connections; if a site uses eval in more than one instance and on multiple pages, it could contain malicious code. Even the use of a single eval is not that common on the average web site, so whitelisting the existing known code could be a good way of detecting malicious content.
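As an added example (my own code, not from the post or from Hackvertor), here is a small normaliser that decodes the hexadecimal, unicode and octal escapes mentioned above, folds constant String.fromCharCode calls and literal concatenations, and then counts eval calls against a whitelist of known snippets. The sample inputs in the test are constructed; the function names are my own.

```javascript
// Decode \u{H..}, \uHHHH, \xHH and octal \NNN escapes to their literal characters,
// so that a morphed identifier such as \u0065val reads as eval.
function decodeEscapes(src) {
  const hex = (_, h) => String.fromCodePoint(parseInt(h, 16));
  return src
    .replace(/\\u\{([0-9a-fA-F]{1,6})\}/g, hex)
    .replace(/\\u([0-9a-fA-F]{4})/g, hex)
    .replace(/\\x([0-9a-fA-F]{2})/g, hex)
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)));
}

// Fold String.fromCharCode(101,118,...) with constant numeric arguments into a
// double-quoted string literal.
function foldCharCodes(src) {
  return src.replace(/String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g,
    (_, args) => JSON.stringify(String.fromCharCode(...args.split(',').map(Number))));
}

// Join adjacent double-quoted literals ("al"+"ert" -> "alert"), repeating until
// no further change so longer chains collapse too. Single quotes are not handled.
function joinLiterals(src) {
  const re = /"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g;
  let prev;
  do {
    prev = src;
    src = src.replace(re, (_, a, b) => JSON.stringify(a + b));
  } while (src !== prev);
  return src;
}

// Apply all three normalisations in the order the escapes need to be resolved.
function normalize(src) {
  return joinLiterals(foldCharCodes(decodeEscapes(src)));
}

// Count direct eval( calls after normalisation, removing any whitelisted known
// snippets (also normalised) first, as the whitelisting idea above suggests.
function countEval(src, whitelist = []) {
  let n = normalize(src);
  for (const known of whitelist) n = n.split(normalize(known)).join('');
  return (n.match(/\beval\s*\(/g) || []).length;
}
```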

I believe the best form of defence is attack, and therefore I’ve created code morphing tags in Hackvertor. The tags are not comprehensive but provide a good reference on how javascript code can be selectively modified. There are two classes of morph currently in Hackvertor: random morph and full morph. Random mode will modify a small section of the code without changing the result, and full mode will encode the entire payload; this is similar to the code morphing script I wrote previously but contains more features.

Random morphing

Ternary operators can be used to partially morph a string:-
Random ternary morph

Unicode morphing can be used in function calls and javascript strings; the following example shows how the alert function can be changed. Click convert a few times to see the different results:-
Unicode morph

Character codes can partially modify a string like this:-
Charcodes morph

Finally I’ll show the variable morph; there are more morphs available, but I’ll leave you to experiment with them. The variable morph simply selects an individual character and creates a separate string:-

Variable morph

Full morphing

Here I show how the urlencode functions can be used to morph the entire payload:-
Escape morph

Ternary morphs can also be applied to a full payload:-
Ternary morph

Advanced examples

The example below shows how to create a javascript link with multiple random morphs: it uses hex entity encoding together with a unicode and a character code random morph.
Javascript link url

Here’s how to take a string and randomly encode parts of it with urlencoding and character codes:-
Random parts morph

This is my last one now; there are so many combinations I could show you. Click the execute output button to view:-
Reversing keywords

3 Responses to “Polymorphic javascript”

  1. romain writes:

    Amazing tool… really.
    Did you think of using it for some automated fault injection, using maybe selenium or watir?

  2. Gareth Heyes writes:

    @romain

    Thanks!

    I developed the tool for XSS pen testing, but the codebase could quite easily be used for a variety of different things. It is open source as well, so if anyone wants to create a version for a specific task then they are more than welcome to do so.

    If you liked the morphing tags, check out the latest improvement ternary operator string splitting.

    Visit this url and then click real time in the black bar to demo:-
    Ternary morph

  3. Sam Clark writes:

    Excellent work Gareth, please keep up this vital work.