JS Judo.

Published on: 1212929972 (Unix timestamp, i.e. 2008-06-08 12:59:32 UTC)
I have known and used this technique for a very long time, and I am a bit amazed that not many people have picked up on the concepts I will explain here. For some reason I never wrote about it on my website, but I did discuss it many times with close friends and with developers from companies that run high-profile target websites. Basically, this is the gentle way of cross-site scripting: it can be used to bypass code filters, regular expressions or any other kind of blacklisting methodology that searches for fixed, known XSS vectors. It relies on the resources that are already available on the target page. As in Judo, we use the opponent's energy to defeat him. We could write our own attack vectors or ship our own attack libraries, but we don't have to. Judo is all about maximum efficiency, so once we find an injection vulnerability we reuse what the page already loads: complete AJAX libraries, helper functions that wrap document.write() or window.open(), or other snippets that are useful to a worm. This is particularly handy with stored XSS where the database column limits the number of characters we can submit: a call to a function the page already defines is far shorter than the code it replaces.



This ridiculous little script is loaded by the MySpace page:



Myspace.com - documentwrite.js

function DocumentWrite( Html ) { document.write( Html ); }


We now have a predefined function we can call, DocumentWrite(), which reaches document.write() without our payload ever containing the string document.write, so a blacklist that looks for that sink lets it through. The call can be embedded in, or submitted as, our XSS payload in any of the usual positions, for example:

[<[TAG] [SRC]="[FUNCTION]" [EVENT]="[FUNCTION]" [HREF]="[FUNCTION]" />][FUNCTION][</TAG>]

Each bracketed item is a placeholder: the tag we manage to inject, the attribute through which script runs (a src, an event handler or an href), and FUNCTION, a call to a function the page already defines, here DocumentWrite('...').


We now have a simple function which lets us write new JavaScript or HTML into the page. Below is a function grabbed from MySpace that creates an iframe. Very useful, because it lets us insert iframes from the page's own pool that could, for instance, point at a site distributing malware. Note the check at the top: it only accepts http:// or https:// URLs, so javascript: and data: URLs are out, but any external host is fine.



Myspace.com - ifpc002.js

gadgets.IFramePool_.prototype.iframe = function(url) {
    // Reject weird urls
    if (!url.match(/^http[s]?:\/\//)) {
        return;
    }

    // We wrap this code in a setTimeout call to avoid tying the UI up too much
    // with a series of repeated IFRAME creation calls.
    var ifp = this;
    window.setTimeout(function() {
        var iframe = null;

        // For MSIE, delete any iframes that are no longer being used. MSIE cannot
        // re-use the IFRAME because it will 'click' when we set the SRC.
        // Other browsers scan the pool for a free iframe to re-use.
        for (var i = ifp.pool_.length - 1; i >= 0; i--) {
            var ifr = ifp.pool_[i];
            if (ifr && !ifr.pool_locked) {
                ifr.parentNode.removeChild(ifr);
                if (window.ActiveXObject) { // MSIE
                    ifr = null;
                    ifp.pool_[i] = null;
                    ifp.pool_.splice(i, 1); // Remove it from the array
                } else {
                    ifr.pool_locked = true;
                    iframe = ifr;
                    break;
                }
            }
        }

        // If no iframe was found to re-use we create a new one
        iframe = iframe ? iframe : ifp.createIFrame_(true);
        iframe.src = url;
        // We append to the body after setting the src otherwise MSIE will 'click'
        document.body.appendChild(iframe);
    }, 0);
};




Of course, every website has its own JS libraries. YouTube, for example, lets us create a new Flash player simply by calling a function. The player URL comes from the global variable swfUrl, so we only have to overwrite swfUrl with our own URL before writeMoviePlayer() runs, and the page embeds our malicious Flash object for us, complete with AllowScriptAccess set to always.



Youtube.com - http://s.ytimg.com/yt/js/base_all_with_bidi-vfl42302.js

function writeMoviePlayer(player_div, force) {
    var v = "7";
    if (force)
        v = "0";
    var fo = new SWFObject(swfUrl, "movie_player", "480", "385", v, "#FFFFFF");
    fo.addParam("allowFullscreen", "true");
    for (var x in swfArgs) {
        fo.addVariable(x, swfArgs[x]);
    }
    if (watchGamUrl != null) {
        fo.addVariable("gam", watchGamUrl);
    }
    if (watchDCUrl != null) {
        fo.addVariable("ad_tag", watchDCUrl);
    }
    if (!watchIsPlayingAll) {
        fo.addVariable("playnext", 0);
    }
    if (watchSetWmode) {
        fo.addParam("wmode", "opaque");
    }
    if (ad_eurl) {
        fo.addVariable("ad_eurl", ad_eurl);
    }
    fo.addVariable("enablejsapi", 1);
    fo.addParam("AllowScriptAccess", "always");
    player_written = fo.write(player_div);
}




And another example, this time from Amazon's inline scripts and function library. The first one opens and focuses a new window on any URL we hand it:

<script language="Javascript1.1" type="text/javascript">
<!--
function amz_js_PopWin(url, name, options) {
    var ContextWindow = window.open(url, name, options);
    ContextWindow.focus();
    return false;
}
//-->
</script>




Amazon.com - general.js

function addHandler(element, type, callback) {
    if (window.addEventListener) {
        element.addEventListener(type, callback, false);
    } else {
        element.attachEvent("on" + type, callback);
    }
}




Amazon.com - general.js

function getElem(elementID) {
    return document.getElementById(elementID);
}




This gives us all the tools we need to perform malicious activities without bringing our own libraries or writing much code: we just call these functions and hand them our malicious data. Because the payload consists of calls the page itself already makes, worm detection and antivirus signatures written against fixed XSS vectors have very little to match on, and writing such signatures becomes very hard; a payload like DocumentWrite('...') or amz_js_PopWin('...') looks like the site's own code.



If you didn't know that this was possible, you know it now.