Similarly, tabs and spaces can be used as a primitive form of binary. A simple decoder function will allow you to generate entire Javascript programs using only whitespace.
Javascript obfuscation can get really nasty. For those interested in pursuing the issue further, I recommend checking out Caffeine Monkey [1], an automated tool for analyzing and classifying Javascript. The paper [2] gives a good overview of Javascript obfuscation techniques and the implementation of the tool.
One notable thing about Caffeine Monkey is that it attempts to do behavioral analysis instead of signature-based analysis, thereby reducing the effectiveness of obfuscation.
To start, you need to know that JavaScript has type coercion. Numbers can become strings, strings can become numbers, and arrays can become strings.
Thus, for example: [] in a string context becomes "". "" in a number context becomes 0. Thus if we were to do: "" - 1 we'd get the number -1. Additionally if we were to do [] - 1 we'd get -1. ++ is also able to coerce a string into a number.
If ++ is able to turn a string into a number then you're probably wondering why they just don't do ++[] and be done with it (to get 1, that is). The problem is that ++ is attempting to assign that resulting value back somewhere and since [] doesn't exist anywhere yet (it's temporary) it throws an error instead.
We could do something like this:
var a = [];
++a; // 1
But we can't actually assign the result to a variable because we can't use alphanumeric characters. So what's another way in which we can assign the results to a variable? We can stick it into an array.
var a = [ [] ];
++a[ 0 ]; // 1
This also works:
++[ [] ][ 0 ];
Now, we can't use 0 because it's alphanumeric so we swap 0 for +[] (+ turns the string "" into the number 0, [] turns into the string ""). Thus we get the final result:
The explanation of why ++[] throws error is actually incorrect. This has nothing to do with "existence" of [] (I'm not even sure what existence could mean here). Rather, it's the way ++ operator works.
++ requires its operand to evaluate to a _reference_, not a _value_. If operand evaluates to a value, a ReferenceError is thrown (well, actually it is internal PutValue method that throws error, but that's irrelevant here). Now, if we were to pass reference to ++ operator, it would "work" as expected. E.g.:
++({ x: 1 }).x;
In this case, `({ x: 1 }).x` is a reference, it evaluates to 1, and is then increased by 1 to produce 2 as a resulting value.
When you said "this also works" with `++[ [] ][ 0 ]` example, what happened is that `[ [] ][ 0 ]` evaluated to a reference too, and returned a value of array (inner one). The fact that something like ++[[]][0] "works" should already hint at the fact that "existence" of an object is a bogus reasoning ;)
So what we really need to understand here (besides type coercion) is the notion of references. Literals, for example, always evaluate to values: 1, "foo", true, ({ x: 1 }), and [] are all values. Expressions involving property accessors, on the other hand — foo.bar, [1][0], ({ x: 1 }).x — are all references.
Understanding this distinction can also help explain other aspects of Javascript, such as, say, simple assignments, where left hand operand is constrained by the same rules as ++ operator; it should always evaluate to a reference:
1 = 1; // ReferenceError, LHS operand is not a reference
null = 1; // ReferenceError, LHS operand is not a reference
// but
({ x: 1 }).x = 1; // works as expected, LHS operand is a reference
x = 1; // works as expected, LHS operand is a reference
FWIW, it is the same internal PutValue method that's invoked by `=` operator, and is why assignment to non-reference values result in an error.
"This has nothing to do with 'existence' of [] (I'm not even sure what existence could mean here)."
Ah sorry, I was referring to the fact that the array was already created and within another object that we were referencing. But yeah, thanks for your more-in-depth explanation!
In the context of a stored XSS attack^ it is used to avoid signature based detection. Think about malicious Javascript as a virus. Current virus scanners search for signatures within programs^^ to determine whether a program is a virus or not. Signatures are unique strings^^^ that identify a program. If you can encode your virus as a bunch of symbols, you can avoid detection by automated scanners. Then, once a user loads the page, the decoder function gets called and the malicious Javascript gets executed.
Of course, a signature could be generated for the decoder function. As is common in many areas of the security industry, signature based detection is an arms race. Obstrufication is one method the attackers use.
In the context of a reflected XSS^^^^ obstrufication simply makes it less obvious there is an embedded script.
-
^ Javascript permanently stored on the vulnerable host's server.
^^ They also use other methods too, but signature based detection has been the primary method used by anti-virus since the industry started.
^^^ In practice they are not unique.
^^^^ Javascript embedded in a link to a site. User clicks on link and Javascript gets executed in the context of the vulnerable host.
A lot of people do input validation by disallowing 'bad' characters.
The idea is to stop people buying JavaScript in comments, as that would be bad. Just strip enough characters that you can't do functions and everything will be...
...oops. Hope you remembered to filter out + and [] as well! Never mind, now all your visitors are automatically posting/up-voting spam comments or something similar. Better luck next time.
Captain Obvious here again. Doesn't all this go away if you use Javascript to inject untrusted text directly into the DOM rather than rendering it as HTML which is then interpreted by the browser?
And if so, it seems to me that there's a fairly obvious way to build that directly into templating engines and meta-languages like HAML.
That would work, but with the downside of lowering the accessibility of your site. Not everyone has JavaScript enabled, and so dynamic insertion of text wouldn't be accommodating to them.
That's true for people that don't need alternate browsers. It's like, "why build wheelchair ramps outside of businesses when 99.99% of people are able to walk up steps?"
it is basically various ways of making javascript return things like "NaN", "undefined", or "false", and then using a numbered index to return a particular character of that word after it is converted to a string.
so "NaN"[1] would be "a". "false"[0] would be "f".
since they are trying to do it without numbers, they can create them using things like "++[[]][+[]]" which returns a 1. by adding up different numbers you can get the digits you need.
The part in parentheses calls Array.sort with an undefined this object, defaulting it to window. Array.sort returns this after it's done. Global functions like eval are stored on window, so you end up with window.eval.
Because [] doesn't have a 'call' attribute, but does have 'sort' attribute (remember that Javascript has a funky object notation, which is why people have to do elaborate dances to iterate over objects), and because the 'sort' attribute of [] itself is an object with a 'call' attribute.
Not sure, but at first glance it seems to evoke results like "undefined" or "NaN", and cast them to a String. The trickier part might be creating the index into the String.
Hello World example - CopyPaste this in your address bar: javascript:alert:(([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(![]+[])[+!+[]]](+[]+(!![]+[])[+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[+!+[]+[!+[]+!+[]+!+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]])+[])[+[]]+(![]+[])[+[]])[+[]]))
Javascript obfuscation can get really nasty. For those interested in pursuing the issue further, I recommend checking out Caffeine Monkey [1], an automated tool for analyzing and classifying Javascript. The paper [2] gives a good overview of Javascript obfuscation techniques and the implementation of the tool.
One notable thing about Caffeine Monkey is that it attempts to do behavioral analysis instead of signature-based analysis, thereby reducing the effectiveness of obfuscation.
[1] http://www.secureworks.com/research/tools/caffeinemonkey.htm...
[2] https://www.blackhat.com/presentations/bh-usa-07/Feinstein_a...