192877850 web application obfuscation

Page 105

90

CHAPTER 3 JavaScript and VBScript

same way as Unicode escapes. Hex escapes are only supported within strings and cannot be used as a reference to a variable or object. <script type¼"text/javascript"> eval('\x61lert(1)'); alert(0xFF); alert(/\x61/.test('a')) alert(+'0xFF'); </script>

Octal escapes JavaScript supports three forms of octal encoding. This is a common source of coding mistakes, because one way to represent octals is to use a zero prefix before a standard number literal, and in such cases, developers often think they are getting a decimal number when in fact they are receiving an octal (e.g., 0100 is 64, not 100). However, we can use this to our advantage for obfuscation, as the decoder or person reading the code will have to account for all forms of representing a number. Within strings, an octal is declared by escaping a number sequence which returns the character from the octal number: <script type¼"text/javascript"> eval('\141lert(1)'); alert(0377); alert(/\141/.test('a')) </script>

Combining encodings Now that you are aware of the various encodings/escapes in JavaScript, let us combine them to produce some obfuscated code. The following example will call alert(1) using all the techniques we have discussed thus far. This should help you to understand how to use each type of escape. <script type¼"text/javascript"> eval(RegExp('\x5c\x75\x30\x30\x36\x31').source+String.fromCharCode(0154)+'\\u00'+0x41+/\u0072/('\x72')+'\134u0074'+'(1)') </script>

In the preceding code, first we used the RegExp constructor to create our string. This allows us to use string escapes and regular expression escapes, as demonstrated in the “Unicode Escapes” section earlier in the chapter. The Unicode escape is performed and it converts a to \u0061. Then, because it’s a string, we can escape the Unicode escape, so \u0061 becomes \x5c\x75\x30\x30\x36\x31; this still represents the letter a. Next, source returns the text content of the RegExp, which results in \u0061. Then we use the octal escape 0154; the leading zero indicates an octal number, which is sent to String.fromCharCode as 108 when it is

Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.