2. JAVASCRIPT INTRODUCTION
• Cement of the internet (personal thought)
• De-facto language for web
• Birth @ Netscape
• Born as “Mocha”
• Object oriented
http://en.wikipedia.org/wiki/JavaScript

3. AGENDA
• DOM XSS
• CORS
• JSON Hijacking
• POST Message
• JavaScript Obfuscation
(+[] [+[]]+[])[++[[]][+[]]]+([![]]+[]) [++[++[[]][+[]]][+[]]]+([!![]]+[] )[++[++[++[[]][+[]]][+[]]]
[+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[]) [+[]]  This is not child drawing it is code 

4. DOM XSS
• Similarity with stored and Reflected XSS is it also results due to DOM
Modification
• The difference is in how it is triggered
• Server might never see the payload
Keywords : Source Filter Sink
Source – Sink  Failure
Source – Filter – Sink  Perfect
https://www.owasp.org/index.php/DOM_Based_XSS
https://www.owasp.org/index.php/DOM_based_XSS_Prevention
_Cheat_Sheet

6. CORS – CROSS ORIGIN RESOURCE SHARING
As per the HTTP standards one domain cannot communicate with other.
But in some
cases there might be a need for applications to talk to each other which is
were CORS
comes into play. CORS allows domains to speak to each other
For CORS to work browser asks the server for permission by method of
pre-flight, the
server responds with actions it would support, the client then proceeds
with the
request
Request Header: Origin: http://yourapplication.com
Server Response: Access-Control-Allow-Origin: *

7. JSON HIJACKING (JSONP)
• Cross Domain JSON sniffing.
• Jsonp (JSON Padding) was created to communicate cross domain.
• The JSON response is encapsulated in a function.
• Malicious site could create a similar function call and get the contents
of the JSON
• The contact stealing attack of Jermiah grossman in gmail is a example
of Json
• Hijacking
• Google uses while(1){XXXX} now in JSON which precedes the JSON.

9. POST MESSAGE
“ inner = document.getElementById("inner").contentWindow;
inner.postMessage(document.getElementById("val").value, "*"); ”
postMessage allows cross domain communication.
One of the major flaw is fact that the receiver needs to verify if
communication was
for him before using it.
PostMessage expects a target to given but supports a wildcard. Which can
be abused
Input validation issues could lead to XSS
https://developer.mozilla.org/en-
US/docs/Web/API/Window.postMessage
http://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf

11. JAVASCRIPT OBFUSCATION
Art of Hiding data in plain text
Why obfuscation
• Bypass WAF’s, filters
• Decrypt Exploit Packs
• Bypass filters (in-house and commercial)
• hide implementation details
• Social engineering payloads

12. Creatinga JavaScriptSnippetWithoutanyAlphanumericcharacters
(+[][+[]]+[])[++[[]][+[]]] = “a”
Detailedsteps:
1. +[]=0
2. [+[]]=0inside objectaccessor
3. [][+[]]=Createa blankArray withtrying to0whichcreateserror
‘undefined’
ALPHA NUMERICJS

13. 4. +[][+[]] =We useinfixoperator+ toperform a mathematical
operationonresultofpreviousoperationwhichresultsa error NaN
(Not a Number)
We nowhaveto extractthemiddle‘a’ fromtheresult:
1. +[][+[]]+[]=Nan instring
2.++[[]][+[]]=1(quirkbyoxotonick)
3.(+[][+[]]+[])[++[[]][+[]]]=‘a’
J A V A S C R I P T : A T T A C K & D E F E N S E
ALPHA NUMERICJS

14. Lets Trying ‘l’
We can find l in “false”
Fact ‘’==0 will be true opp of this is false
([![]]+[]) == “false”
++[++[[]][+[]]][+[]] Use previous quirk to
get 2
Combine them to create ‘l’
([![]]+[]) [++[++[[]][+[]]][+[]]] == l
J A V A S C R I P T : A T T A C K & D E F E N S E
ALPHA NUMERICJS

15. DEMO
(+[] [+[]]+[])[++[[]][+[]]]+([![]]+[])
[++[++[[]][+[]]][+[]]]+([!![]]+[]
)[++[++[++[[]][+[]]][+[]]]
[+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[]) [+[]]
“alert”

16. {“Email”,”shifu@thoughtworks.com”}