Frierenlabs

Search

SearchSearch

javascript for hackers

Apr 26, 20245 min read

gareth heyes

this was a book recommended by security x microcelebrity kei

  • try to discover and document techniques and exploits in the language
    • ex. abusing sort() method to call alert()
  • rapid environment to carry out tests
    • execute code and get instant results
    • evaluate js and return result as a bare minimum
      • browser console, local web server or web app such as JS Fiddle
  • set a goal
    • never ends and mutate into another goal
    • clear idea what you have to do and abuse js feat to achieve the goal
      • ex. execute js functions without parentheses and arguments
  • fuzzing
    • most important tools in js hacker toolbox
    • write code that enumerates characters, code, or data with goal of finding interesting behavior (edge cases)
    • ex. binary exploitation, fuzzer can find DoS or exploitable crash but when JS hacking, achieve your goal by getting answers to the questions
      • ex. understand what characters are allowed as whitespace
        • why not simply look at the specification? b.c. browsers do not follow the specs and b.c they make mistakes or they intentionally don’t ex. support backward compatibility
        • edge cases are important in this case b.c. the js parser or sandbox handles whitespace correctly to avoid bypassing sandbox
  • persistence and luck
    • persistance enables you to expand your knowledge and get lucky
    • if you find yourself staring at a blank screen without any ideas what to do, try a new goal or simplify your goal so you can keep moving. Don’t be afraid to try things that you think might not work and if you’re persistent your time won’t be wasted because you learn little things on the way to finding interesting stuff. Remember persistence doesn’t just mean sticking at the same thing all the time, you can come back to something months later and try different techniques
  • social media
    • twitter is useful for js hacking because you get instant feedback on your technique. as you gain followers, you’ll find people who enjoy the same thing and they’ll point out variations and things you’ve missed. not only are you learning but everyone who sees the conversation is learning too. imagine if everyone took this approach — people would learn rapidly and we’d find some interesting js behavior. when i tweet, it also sticks in my head and if i forget, i can search twitter or download my tweets to find the technique.
    • note twitter is not good for LONG TERM storage of data ie things you’re particularly proud of are better off writing a blog post and then tweeting a link

Basics

  • hexadecimal encoding
    • hex uses a base of 16 and escape is prefixed with an “x”
    • only lowercase x works,
      • capital X won’t be treated as a hex escape
      • js engine processes the string as a literal X
    • works only within strings;
    • will not work as identifiers
      • hex escapes aren’t allowed
'\x61' //a
"\x61" //a
`\x61` //a

function a(){}
\x61() //syntax error
  • unicode
    • also work in strings but allowed in identifiers too
      • no encoding invalid identifier characters outside of strings
    • 2 forms "\u" and \u{}
      • first allows characters within range 0x00FFFF and
      • latter specifies the entire range of unicode code points
      • must specify 4 hexadecimal characters ex.\x61 is not allowed and browsers will throw an exception
        • if allowed, it was a bug
'\u0061' //a
'\u0061' //a
`\u0061` //a

function a(){}
\u0061() // successfully calls the function


"\u0028" //(

var \u0028 //syntax error
  • specify unicode code points for the entire unicode range
    • same as standard unicode escapes except
      • not restricted to 4 hexadecimal characters
        • unlimited amount of zero padding and exclusion of zeros allowed
        • you can specify higher unicode characters such as 3134a
      • \u{} inside {} you specify a hex unicode code point
'\u{61}' //a
"\u{00000000061}" //a
`\u{0061}` //a

function a(){}
\u{61}() // successfully calls function
\u{3134a}=123 // unicode character "3134a" is allowed as a variable
  • octal
    • escapes using base 8
    • only used in strings
    • no prefix, just backslash \
    • number outside of octal range just returns the number (in non-strict mode)
    • common use in unix style permissions 7 octal digit in binary is 111 and from left to right the bits represents switches for rwx permissions
      • and 777 represents owner, group, others all have the 3 permissions
      • if you see 754
        • 111 for owner
        • 101 read and execute only (no write)
        • 100 read only (no write or execute)
'\141' // a
'\8' // 8 
'\9' // 9

"use strict"; 

const fs = require('fs'); 

// Set file permissions to read and write for the owner, and read-only for group and others 

fs.chmodSync('path/to/file', 0o644);

tldr;

  • hexadecimal
  • unicode
  • octal

eval and escapes

  • eval and eval-like functions
    • double escape or more for nested
  • eval works with strings so itll attempt to decode the input passed to it
    • so when js is executed, the engine sees the decode string, this allows us to break somme the rules defined earlier
      • rmbr how hex can only be used with strings
        • if you use eval, the hex will be decoded first and then executed which means the following is valid
        • eval('\x61=123') //a=123
eval('\\u0061=123')
//\u0061 = 123
//a = 123```

Explore the graph

Backlinks

  • No backlinks found