Javascript Testing
JAVASCRIPT INTRODUCTION
• Cement of the internet (personal thought)
• De-facto language for web
• Birth @ Netscape
• Born as “Mocha”
• Object oriented
http://en.wikipedia.org/wiki/JavaScript
AGENDA
• DOM XSS
• CORS
• JSON Hijacking
• POST Message
• JavaScript Obfuscation
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
This is not a child's drawing, it is code.
DOM XSS
• Like stored and reflected XSS, it also results from a modification of the DOM
• The difference is in how it is triggered
• The server might never see the payload
Keywords: Source, Filter, Sink
Source – Sink → Failure
Source – Filter – Sink → Perfect
https://www.owasp.org/index.php/DOM_Based_XSS
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
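The Source → Filter → Sink model above, as an added example that is not part of the slides: each function returns the string the sink would receive, so the effect of the filter can be checked without a browser. The greeting page, the function names and the sample fragment are assumptions made for this illustration.

```javascript
// Added example (not from the slides): the Source -> Filter -> Sink model.
// Source: an attacker-influenced value such as location.hash. Sink: innerHTML or an
// anchor's href. Each function returns the string the sink would receive.

// Filter for an HTML-text context: encode the five characters that can open markup.
function htmlEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Read the "name" from the URL fragment (the Source).
function nameFromHash(hash) {
  return decodeURIComponent(hash.replace(/^#/, ''));
}

// Source -> Sink (failure): the raw fragment is concatenated into HTML. Whatever
// markup the fragment carries is interpreted once this reaches element.innerHTML.
function renderUnfiltered(hash) {
  return '<p>Welcome, ' + nameFromHash(hash) + '</p>';
}

// Source -> Filter -> Sink: the same flow with the encoder in between.
function renderFiltered(hash) {
  return '<p>Welcome, ' + htmlEscape(nameFromHash(hash)) + '</p>';
}

// Filter for a URL sink (anchor.href, location.assign): HTML encoding does not help
// here; the scheme has to be allowlisted, otherwise a javascript: URL runs when followed.
function safeHref(candidate) {
  try {
    const url = new URL(candidate, 'https://app.example/');   // assumed page origin
    return url.protocol === 'https:' || url.protocol === 'http:' ? url.href : 'about:blank';
  } catch {
    return 'about:blank';
  }
}

// Constructed sample fragment that carries markup instead of a plain name.
const SAMPLE_HASH = '#<b>not a name</b>';
```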
CORS – CROSS ORIGIN RESOURCE SHARING
By the browser's same-origin rules, one domain cannot read responses from another. But in some cases applications need to talk to each other, which is where CORS comes into play. CORS allows domains to speak to each other.
For CORS to work, the browser asks the server for permission by means of a pre-flight request; the server responds with the actions it supports, and the client then proceeds with the actual request.
Request Header: Origin: http://yourapplication.com
Server Response: Access-Control-Allow-Origin: *
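The server side of the exchange above, as an added example that is not from the slides: the weak policy (reflecting any Origin, or answering `*`) next to an allowlist that also handles the pre-flight. The origins, function names and the 600-second cache time are assumptions for this illustration.

```javascript
// Added example (not from the slides): deciding CORS response headers server-side.
// Assumed allowlist of origins that may read this API's responses.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak: reflecting the request's Origin header is equivalent to "*" and, unlike "*",
// browsers also accept it together with Access-Control-Allow-Credentials: true,
// so any site can read authenticated responses.
function corsHeadersWeak(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected: exact-match allowlist, credentials only for allowlisted origins,
// no Access-Control-* headers at all for anyone else, and "Vary: Origin" so a
// shared cache never serves one origin's answer to another.
function corsHeadersStrict(originHeader) {
  if (!originHeader || !ALLOWED_ORIGINS.has(originHeader)) {
    return { 'Vary': 'Origin' };   // the browser then blocks the cross-origin read
  }
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '600',   // browser may cache the pre-flight answer 10 min
    'Vary': 'Origin',
  };
}

// The pre-flight (OPTIONS) and the actual request are answered with the same policy.
function handleCors(method, originHeader) {
  const headers = corsHeadersStrict(originHeader);
  if (method === 'OPTIONS') {
    return { status: 204, headers, body: '' };   // pre-flight: headers only, no body
  }
  return { status: 200, headers, body: '{"ok":true}' };
}
```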
JSON HIJACKING (JSONP)
• Cross-domain JSON sniffing.
• JSONP (JSON with Padding) was created to communicate across domains.
• The JSON response is encapsulated in a function call.
• A malicious site could create a similar function call and get the contents of the JSON.
• The contact-stealing attack by Jeremiah Grossman on Gmail is an example of JSON hijacking.
• Google now puts while(1){XXXX} in front of its JSON, so the response cannot be consumed as a script before it is stripped by the legitimate client.
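The prefix defence from the last bullet, as an added example that is not from the slides: the server armors the body, the same-origin client strips the prefix before parsing, and the bare JSONP shape is shown for contrast. The prefix constant, function names and sample contacts are assumptions.

```javascript
// Added example (not from the slides): an unparseable prefix in front of JSON.
const ARMOR_PREFIX = 'while(1);';   // any prefix that makes the body unusable as a script

// Server side: emit the JSON behind the prefix. If a hostile page loads this URL as a
// <script>, the infinite loop runs before any data could ever be evaluated.
function armorJson(value) {
  return ARMOR_PREFIX + JSON.stringify(value);
}

// Client side (same-origin XHR/fetch): require the prefix, strip it, then parse.
// A missing prefix means the body did not come from the armored endpoint.
function parseArmoredJson(body) {
  if (!body.startsWith(ARMOR_PREFIX)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return JSON.parse(body.slice(ARMOR_PREFIX.length));
}

// For contrast, the classic JSONP shape: this string is valid JavaScript, so a
// <script src> on any origin executes it and hands the data to that origin's callback.
function jsonpResponse(callbackName, value) {
  return callbackName + '(' + JSON.stringify(value) + ');';
}

// Constructed sample contact list (not real data).
const SAMPLE_CONTACTS = [{ name: 'Alice', email: 'alice@example.invalid' }];
```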
POST MESSAGE
inner = document.getElementById("inner").contentWindow;
inner.postMessage(document.getElementById("val").value, "*");
postMessage allows cross-domain communication.
One of the major flaws is that the receiver needs to verify that the message was meant for it before using it.
postMessage expects a target origin to be given but supports a wildcard, which can be abused.
Input validation issues could lead to XSS.
https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage
http://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf
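The two checks the slide calls for (an explicit target origin on the sender, an origin check plus input validation on the receiver), as an added example that is not from the slides. The frame window and the message event are stubs standing in for contentWindow and a MessageEvent, so the code runs outside a browser; names and origins are assumptions.

```javascript
// Added example (not from the slides): safe use of postMessage on both ends.

// Sender: never pass "*" for a message that carries anything sensitive. Naming the
// origin the frame is expected to have means a navigated or hijacked frame gets nothing.
function sendToFrame(frameWindow, payload, expectedOrigin) {
  if (expectedOrigin === '*') throw new Error('refusing wildcard targetOrigin');
  frameWindow.postMessage(JSON.stringify(payload), expectedOrigin);
}

// Receiver: check event.origin against an exact allowlist before touching event.data,
// then treat the data as untrusted input (parse, type-check) before it reaches any sink.
function makeReceiver(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins);
  return function handler(event) {
    if (!allowed.has(event.origin)) return 'rejected-origin';
    let msg;
    try { msg = JSON.parse(event.data); } catch { return 'rejected-format'; }
    if (typeof msg !== 'object' || msg === null || typeof msg.text !== 'string') {
      return 'rejected-schema';
    }
    onMessage(msg.text);   // plain text: to be placed with textContent, never innerHTML
    return 'accepted';
  };
}

// Stub frame window that records what was posted (constructed for this example).
function makeStubWindow() {
  const posted = [];
  return { posted, postMessage(data, targetOrigin) { posted.push({ data, targetOrigin }); } };
}
```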
JAVASCRIPT OBFUSCATION
The art of hiding data in plain text
Why obfuscation?
• Bypass WAFs and filters
• Decrypt exploit packs
• Bypass filters (in-house and commercial)
• Hide implementation details
• Social engineering payloads
ALPHANUMERIC JS
Creating a JavaScript snippet without any alphanumeric characters
(+[][+[]]+[])[++[[]][+[]]] = "a"
Detailed steps:
1. +[] = 0
2. [+[]] = 0 inside an object accessor
3. [][+[]] = create a blank array and index it with 0, which yields undefined
4. +[][+[]] = we use the infix operator + to perform a mathematical operation on the result of the previous step, which results in NaN (Not a Number)
We now have to extract the middle 'a' from the result:
1. +[][+[]]+[] = NaN as a string
2. ++[[]][+[]] = 1 (quirk by oxotonick)
3. (+[][+[]]+[])[++[[]][+[]]] = 'a'
J A V A S C R I P T : A T T A C K & D E F E N S E
Let's try 'l'
We can find l in "false"
Fact: '' == 0 is true; the opposite of this is false. ![] evaluates to false, so:
([![]]+[]) == "false"
++[++[[]][+[]]][+[]] uses the previous quirk to get 2
Combine them to create 'l':
([![]]+[])[++[++[[]][+[]]][+[]]] == "l"
DEMO
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
"alert"
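Two triage helpers for the six-character JavaScript built up in the slides, as an added example that is not from the deck: decodeNonAlnum() reveals what such an expression evaluates to (the value is returned, never invoked), and looksObfuscated() is the density check a filter or log review could apply to catch this style. Function names and the 0.6 threshold are assumptions; the samples are the slides' own building blocks.

```javascript
// Added example (not from the slides): triage of non-alphanumeric JavaScript.
const NON_ALNUM_CHARS = new Set(['[', ']', '(', ')', '!', '+']);

// Evaluate an expression made only of the six characters and return its value.
// Every character is checked first, and only the resulting value is returned;
// nothing in the result is called. Use on samples in an isolated analysis
// environment, not inside a production page.
function decodeNonAlnum(expr) {
  const compact = expr.replace(/\s+/g, '');   // slide extracts often carry stray spaces
  for (const ch of compact) {
    if (!NON_ALNUM_CHARS.has(ch)) throw new Error('unexpected character: ' + ch);
  }
  return new Function('return (' + compact + ');')();
}

// Share of the six characters among the non-whitespace characters of a script.
function nonAlnumDensity(src) {
  const chars = src.replace(/\s+/g, '');
  if (chars.length === 0) return 0;
  let hits = 0;
  for (const ch of chars) if (NON_ALNUM_CHARS.has(ch)) hits++;
  return hits / chars.length;
}

// Heuristic: a long run of almost nothing but []()!+ is a strong obfuscation signal
// that a WAF rule or a log review can flag for a closer look.
function looksObfuscated(src, threshold = 0.6, minLength = 20) {
  return src.replace(/\s+/g, '').length >= minLength && nonAlnumDensity(src) >= threshold;
}

// The slides' own building blocks, used here as analysis samples.
const SAMPLE_A = '(+[][+[]]+[])[++[[]][+[]]]';         // evaluates to "a"
const SAMPLE_L = '([![]]+[])[++[++[[]][+[]]][+[]]]';   // evaluates to "l"
```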
Email: shifu@thoughtworks.com