Thursday 1 September 2016

Cool XSS Tricks with Anonymous Javascript Functions

I recently found a cross site scripting (XSS) bug in a web page, but it was in a very weird place. The page somehow did something with the current url, where the current url was placed in a definition of a function, but the function wasn't being called. I would love to post the vulnerable piece of code where I found the xss, but I'm unfortunately not allowed to do that. I'll discuss what I found and why it was interesting so hopefully you will keep reading.
Hopefully if you are interested in infosec, then you actually have the ability to code unlike what is shown in this blackhats comic:(From infosuck.org)

Back to the point I was trying to make, if you are even remotely interested in infosec, then you should have a good understanding and healthy interest in programming. In Javascript there is something called anonymous Javascript functions. Anonymous functions in Javascript have the ability to call themselves. In the context of the example I mentioned I was only able to inject javascript into where a function was being defined, but I was unable to call the function. So if I could define an anonymous function, then I could get the function to execute itself. What does this actually mean, well let's look at an example on JSFiddle.

(function() {
 alert('Hello World');
})();



As you might know, when it comes to xss, things are often not just that simple.  In the context of the example I found, I was unable to make use of a semicolon. No problem I can make it work without a semicolon. This is the equivalent code without the semicolon: (If you don't believe it works, then try the jsfiddle link)

(new Function(alert(0)))()


https://jsfiddle.net/ua66mxrt/

What if we could shorten the code even more. We can actually shorten the definition for a anonymous self executing javascript function:

(Function(alert(0)))()


Here is the link to the code on jsfiddle if you would like to try it:
https://jsfiddle.net/LtL54ryz/
How boring would it be if we could only show alert boxes showing '0' on a victim's computer. If you are a xss king then I suggest that you try taking the hook from BEEF (Browser Exploitation Framework) and embed it in the part of the function where the code for the function is defined and then use jsfuck to create an obscure piece of code to hook your victim. This can make for an interesting combination. I'm going to finish off with an interesting example payload in jsfuck just to show off what we just learned.  We define an anonymous function and then we just call confirm(document.domain), but the confirm part will be encoded with JSFuck(excuse my french).
This is a rundown of what the code looks like before I encode the confirm part:

(new Function(confirm(document.domain)))()



Here is what the end result looks like:

Here is the jsfiddle link if you want to try it:
https://jsfiddle.net/0gtvqwgp/







1 comment: