Testing Javascript - Prasanna K, ThoughtWorks
JAVASCRIPT INTRODUCTION
• Cement of the internet (personal thought)
• De-facto language for the web
• Born at Netscape
• Born as "Mocha"
• Object oriented (prototype-based)
http://en.wikipedia.org/wiki/JavaScript
AGENDA
• DOM XSS
• CORS
• JSON Hijacking
• postMessage
• JavaScript Obfuscation
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
This is not a child's drawing; it is code (it evaluates to the string "alert").
DOM XSS
• Like stored and reflected XSS, the result is a modification of the DOM with attacker-controlled markup or script
• The difference is in how it is triggered: the payload flows from a client-side source (for example location.hash or document.referrer) to a sink (for example innerHTML or eval) entirely inside the browser
• The server might never see the payload: a URL fragment is not sent to the server, so server-side filters and logs miss it
Keywords: Source, Filter, Sink
Source → Sink = Failure
Source → Filter → Sink = Perfect (the filter must encode for the context of the sink it feeds)
https://www.owasp.org/index.php/DOM_Based_XSS
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
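The Source → Filter → Sink model in code, as an added example that is not part of the original slides. The element is a plain object standing in for a DOM node so the snippet also runs under Node; in a browser you would pass document.getElementById("greeting") instead. The hash-parameter name and the payload are constructed for the example.

```javascript
// Stand-in for a DOM element so the example runs outside a browser (assumption for this demo).
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// SOURCE: the URL fragment, e.g. "#name=Bob". The fragment is never sent to the server,
// so a server-side filter or WAF cannot see a payload placed here.
function nameFromHash(hash) {
  const m = /^#?name=(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : "";
}

// Source -> Sink: FAILURE. Attacker-controlled text lands in an HTML sink unchanged.
function renderVulnerable(el, hash) {
  el.innerHTML = "Hello, " + nameFromHash(hash);
  return el.innerHTML;
}

// FILTER: encode for the HTML context of the sink.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Source -> Filter -> Sink: the markup is displayed as text, not interpreted.
function renderFiltered(el, hash) {
  el.innerHTML = "Hello, " + escapeHtml(nameFromHash(hash));
  return el.innerHTML;
}

// Better still: choose a sink that cannot interpret markup at all. The string handed to
// textContent may contain "<", but the browser never parses it as HTML.
function renderSafe(el, hash) {
  el.textContent = "Hello, " + nameFromHash(hash);
  return el.textContent;
}

// Constructed DOM XSS payload: a broken image whose error handler runs script.
const PAYLOAD = "#name=<img src=x onerror=alert(document.domain)>";

// Checks whether the string handed to the innerHTML sink still contains an HTML tag.
function containsTag(html) {
  return /<[a-z]/i.test(html);
}

console.log(containsTag(renderVulnerable(makeElement(), PAYLOAD))); // true: tag survives
console.log(containsTag(renderFiltered(makeElement(), PAYLOAD)));   // false: tag encoded
```

The same three functions are the shape of a DOM XSS test: feed the payload through every source the page reads and look at what reaches each sink, rather than watching server-side traffic, which for a fragment-based payload will show nothing.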
CORS – CROSS ORIGIN RESOURCE SHARING
Under the browser's same-origin policy (a browser rule, not part of the HTTP standard itself), script running on one origin cannot read responses from another origin. In some cases applications on different origins genuinely need to talk to each other, which is where CORS comes into play: the server opts in, per origin, to letting the browser expose the response.
For requests that are not "simple" (custom headers, methods such as PUT or DELETE, JSON bodies) the browser first asks the server for permission with a pre-flight OPTIONS request; the server responds with the origins, methods and headers it supports, and only then does the browser send the real request.
Request header:
Origin: http://yourapplication.com
Server response:
Access-Control-Allow-Origin: *
Caveat: "*" is only honoured for responses without credentials. A server that reflects whatever Origin it receives together with Access-Control-Allow-Credentials: true lets any site read data fetched with the victim's cookies.
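The pre-flight and actual request exchange, decided by plain functions so the whole thing runs without a network, as an added example that is not part of the original slides. The allowlisted origins, the attacker origin and the request shapes are assumptions made for the illustration.

```javascript
// Origins allowed to read responses with credentials (assumed allowlist for this example).
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT"];
const ALLOWED_HEADERS = ["content-type", "x-csrf-token"];

// WEAK: reflects any Origin and allows credentials. The browser will now let
// https://attacker.example read responses fetched with the victim's cookies.
function corsHeadersWeak(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// HARDENED: exact-match allowlist. Unknown origins get no CORS headers at all, so the
// browser blocks the read. "Vary: Origin" stops a shared cache serving one origin's
// answer to another.
function corsHeadersStrict(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Handle one request under a given policy. A pre-flight is an OPTIONS request carrying
// Access-Control-Request-Method; the browser sends it before a non-simple request and
// only proceeds with the real request if the answer permits it.
function handle(req, policy) {
  const origin = req.headers["origin"];
  const cors = policy(origin);
  const isPreflight = req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (isPreflight) {
    const wanted = req.headers["access-control-request-method"];
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = Object.keys(cors).length > 0 &&
      ALLOWED_METHODS.includes(wanted) &&
      wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {}, body: "" };
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
        "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
        "Access-Control-Max-Age": "600",
      },
      body: "",
    };
  }
  // The actual request: the server still does its work. The CORS headers only decide
  // whether the *browser* lets the calling page read the result, so a simple GET is
  // always sent; only the read is blocked.
  return { status: 200, headers: cors, body: JSON.stringify({ account: "victim", balance: 42 }) };
}

// Constructed exchange: a page on attacker.example calling the API with the victim's cookies.
const preflight = {
  method: "OPTIONS",
  headers: {
    "origin": "https://attacker.example",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "content-type",
  },
};
const request = { method: "GET", headers: { "origin": "https://attacker.example" } };

console.log(handle(preflight, corsHeadersWeak).status);    // 204: attacker may proceed
console.log(handle(preflight, corsHeadersStrict).status);  // 403: pre-flight refused
```

When testing an API, send the same request twice with an Origin you control, once with cookies and once without, and compare the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers in the reply; the weak policy above is what a reflected Origin looks like on the wire.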
JSON HIJACKING (JSONP)
• Cross-domain JSON sniffing
• JSONP (JSON with Padding) was created to communicate cross domain before CORS existed
• The JSON response is wrapped in a function call named by the caller, so it can be loaded from any origin with a <script> tag
• A malicious site can define a function with the same name, include the endpoint with a <script> tag and receive the contents of the JSON; the browser attaches the victim's cookies to that request, so the data returned is the victim's
• The contact-stealing attack by Jeremiah Grossman against Gmail is an example of JSON hijacking
• Google now prefixes its JSON responses with while(1); so that a cross-origin <script> include never reaches the data; the legitimate same-origin client strips the prefix before parsing
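A JSONP endpoint being hijacked, and the response-framing defence the last bullet describes, as an added example that is not part of the original slides. Everything is simulated in one process: new Function stands in for the browser executing a <script> include, the endpoint is a plain function, and the contact list, host names and callback name are constructed for the illustration.

```javascript
// Constructed private data that the endpoint returns for the logged-in user.
const CONTACTS = [
  { name: "Alice", email: "alice@example.com" },
  { name: "Bob", email: "bob@example.com" },
];

// Vulnerable endpoint: GET /contacts?callback=<name>. It identifies the user by session
// cookie and wraps the user's private data in whatever function name the caller asked for.
function jsonpEndpoint(callbackName) {
  return `${callbackName}(${JSON.stringify({ contacts: CONTACTS })});`;
}

// The attacker's page does:
//   <script>function steal(d){ /* exfiltrate d */ }</script>
//   <script src="https://victim.example/contacts?callback=steal"></script>
// The browser attaches the victim's cookies to the second fetch and executes the reply in the
// attacker's page, where "steal" is defined. new Function plays the role of the script tag.
function attackerPage(scriptBody) {
  const stolen = [];
  const steal = (data) => stolen.push(...data.contacts.map((c) => c.email));
  new Function("steal", scriptBody)(steal);
  return stolen;
}

// Defence: serve private data as plain JSON (no callback parameter) behind a prefix that is
// not valid JavaScript. A <script> include fails on the prefix before any data is reached;
// Google's "while(1);" achieves the same by looping forever, this prefix by refusing to parse.
const ANTI_HIJACK_PREFIX = ")]}'\n";

function jsonEndpoint() {
  return ANTI_HIJACK_PREFIX + JSON.stringify({ contacts: CONTACTS });
}

// The legitimate same-origin client fetches with XMLHttpRequest/fetch, so it sees the raw
// text and can strip the prefix before parsing. Refusing an unprefixed body catches a
// deployment where the prefix was accidentally dropped.
function sameOriginClient(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error("unexpected response framing");
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// What happens when the attacker points a <script> tag at the plain-JSON endpoint.
function attackerIncludesJson(scriptBody) {
  try {
    new Function(scriptBody)();
    return "executed";
  } catch (e) {
    return e.name;
  }
}

console.log(attackerPage(jsonpEndpoint("steal")));   // both e-mail addresses leak
console.log(attackerIncludesJson(jsonEndpoint()));   // "SyntaxError": nothing leaks
```

The prefix only protects endpoints that no longer accept a callback parameter; a JSONP endpoint that still wraps user-specific data in a caller-chosen function remains hijackable regardless of framing, so the fix there is to stop serving private data over JSONP (and use CORS with an allowlist instead).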
POST MESSAGE
inner = document.getElementById("inner").contentWindow;
inner.postMessage(document.getElementById("val").value, "*");
postMessage allows cross-domain communication between windows and frames.
One major flaw is that the receiver has to verify, from event.origin, that the message was meant for it and came from the sender it expects before using it.
postMessage expects a target origin to be given but accepts the wildcard "*", which can be abused: whatever document happens to be loaded in that frame at the time receives the message.
Input validation issues in the receiver (for example event.data written to innerHTML or passed to eval) lead to XSS.
https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage
http://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf (Son and Shmatikov, "The Postman Always Rings Twice", NDSS 2013)
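The receiving side of postMessage, first with the flaws the slide lists and then hardened, plus a sender that names its target origin instead of "*", as an added example that is not part of the original slides. Message events are simulated as plain objects with origin and data, and the element is a stub, so the code runs in Node; in a browser the handlers would be registered with window.addEventListener("message", handler). The origins parent.example, child.example and attacker.example are assumed for the illustration.

```javascript
// Assumed origin of the only window allowed to drive this frame.
const TRUSTED_ORIGIN = "https://parent.example";

// Stand-in for a DOM element so the example runs outside a browser.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// FLAW 1: no origin check, so any page that can obtain a reference to this window (by
// framing it or opening it) can send messages that are trusted.
// FLAW 2: event.data goes straight into an HTML sink, so the message is also a DOM XSS source.
function vulnerableHandler(event, el) {
  el.innerHTML = event.data;
  return { accepted: true, html: el.innerHTML };
}

// HARDENED: exact origin comparison (not startsWith/indexOf, which
// "https://parent.example.attacker.test" would satisfy), a structured message with a
// known type, and a text sink.
function hardenedHandler(event, el) {
  if (event.origin !== TRUSTED_ORIGIN) return { accepted: false, reason: "untrusted origin" };
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return { accepted: false, reason: "malformed message" };
  }
  if (!msg || msg.type !== "setValue" || typeof msg.value !== "string") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  el.textContent = msg.value;
  return { accepted: true, text: el.textContent };
}

// Sending side. The slide's snippet passes "*" as the target origin; if the frame has been
// navigated elsewhere by the time the message is sent, whoever is now in the frame gets it.
// Naming the exact origin makes the browser drop the message instead of delivering it.
function send(frameWindow, value, targetOrigin = "https://child.example") {
  frameWindow.postMessage(JSON.stringify({ type: "setValue", value }), targetOrigin);
}

// Constructed events: one from the legitimate parent, one from an attacker's page, and one
// from a look-alike origin that a prefix check would wrongly accept.
const fromParent = { origin: TRUSTED_ORIGIN, data: JSON.stringify({ type: "setValue", value: "hello" }) };
const fromAttacker = { origin: "https://attacker.example", data: "<img src=x onerror=alert(document.domain)>" };
const lookalike = { origin: "https://parent.example.attacker.test", data: JSON.stringify({ type: "setValue", value: "x" }) };

console.log(vulnerableHandler(fromAttacker, makeElement()).accepted); // true: XSS lands
console.log(hardenedHandler(fromAttacker, makeElement()).reason);     // "untrusted origin"
```

When auditing a page, search its scripts for addEventListener("message") and check each listener for the three things above: an exact event.origin comparison, a schema check on event.data, and the sink the data ends up in.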
JAVASCRIPT OBFUSCATION
The art of hiding data in plain text
Why obfuscation
• Bypass WAFs and filters (in-house and commercial)
• Exploit packs use it to hide their payloads, so analysing them means de-obfuscating them first
• Hide implementation details
• Social engineering payloads
ALPHA NUMERIC JS
Creating a JavaScript snippet without any alphanumeric characters
(+[][+[]]+[])[++[[]][+[]]] = "a"
Detailed steps:
1. +[] = 0 (unary plus converts the empty array to the number 0)
2. [+[]] = 0 inside an object accessor
3. [][+[]] = create an empty array and read index 0, which gives undefined (a value, not an error)
4. +[][+[]] = the unary + operator applied to undefined gives NaN (Not a Number); again a value, not an error
We now have to extract the middle "a" from the result:
1. +[][+[]]+[] = NaN as the string "NaN"
2. ++[[]][+[]] = 1 (quirk by oxotonick: [[]][0] is an empty array, ++ converts it to 0 and increments it)
3. (+[][+[]]+[])[++[[]][+[]]] = "NaN"[1] = "a"
JAVASCRIPT: ATTACK & DEFENSE
Let's try "l"
We can find "l" in "false"
Fact: [] == 0 is true (the empty array converts to ""), but ![] is false, because an empty array is a truthy object
([![]]+[]) == "false"
++[++[[]][+[]]][+[]]
Use the previous quirk again to get 2
Combine them to create "l":
([![]]+[])[++[++[[]][+[]]][+[]]] == "l"
DEMO
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
evaluates to "alert" ("NaN"[1] + "false"[2] + "true"[3] + "true"[1] + "true"[0])
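A generator for the construction the preceding slides walk through by hand, as an added example that is not part of the original slides. It goes beyond the single "alert" case: it spells any string made of the letters available in "NaN", "true", "false" and "undefined" plus digits, using the same ++ quirk for numbers, and verifies the output by evaluating it. The function names are my own.

```javascript
// A number with no digits: 0 is +[], and each ++[n][+[]] adds one (the slides' quirk).
function num(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "++[[]][+[]]";
  return "++[" + num(n - 1) + "][+[]]";
}

// Strings obtainable without letters. Order matters: the first string containing a
// character is the one used, which reproduces the slides' choices ("true"[3] for "e").
const SOURCES = {
  NaN: "+[][+[]]+[]",        // +undefined -> NaN, NaN+[] -> "NaN"
  true: "[!![]]+[]",         // [true]+[] -> "true"
  false: "[![]]+[]",         // ![] is false, [false]+[] -> "false"
  undefined: "[][+[]]+[]",   // [][0] -> undefined, undefined+[] -> "undefined"
};

// Character -> expression table, built once: "(source)[index]".
const CHAR_TABLE = {};
for (const [text, expr] of Object.entries(SOURCES)) {
  for (let i = 0; i < text.length; i++) {
    if (!(text[i] in CHAR_TABLE)) CHAR_TABLE[text[i]] = "(" + expr + ")[" + num(i) + "]";
  }
}

// One term per character: a letter from the table, or a digit via [n]+[] ([+[]]+[] is "0").
function term(ch) {
  if (ch in CHAR_TABLE) return CHAR_TABLE[ch];
  if (/^[0-9]$/.test(ch)) return "([" + num(Number(ch)) + "]+[])";
  throw new Error("no non-alphanumeric spelling for " + JSON.stringify(ch) + " from these sources");
}

// Every term is a string, so joining with + concatenates left to right.
function encode(text) {
  return Array.from(text, term).join("+");
}

// Sanity checks: no letters or digits in the output, and it evaluates back to the input.
function isAlphanumericFree(expr) {
  return !/[A-Za-z0-9]/.test(expr);
}

function evaluate(expr) {
  return new Function("return (" + expr + ")")();
}

const encoded = encode("alert");
console.log(encoded);                      // the expression shown on the DEMO slide
console.log(isAlphanumericFree(encoded));  // true
console.log(evaluate(encoded));            // "alert"
```

This covers the string-building half of the technique; JSFuck-style encoders go on to obtain a function object through []["filter"]["constructor"] and the remaining letters from the string form of native functions, so an arbitrary program can be spelled this way. The defensive lesson is the one the obfuscation slide states: a filter that looks for the word "alert" in the request never sees it, so detection has to key on the sink (what ends up being evaluated) or on the unusual density of "[", "]", "+" and "!" rather than on keywords.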
{"Email": "shifu@thoughtworks.com"}
