Alkahest my heroes have always died at the end

August 14, 2006

things that make a security officer cry

Filed under: Security,Technical — cec @ 3:33 pm

I spent a lot of time last week looking at an application in order to assess its security. The thing that was troubling me was that this is a web application and the primary form for data entry was defined like:

form name=”foo” method=”post” action=””

This means that the nothing happens when you hit submit on the form – at least not in the html world. So, I took a closer look and found that each of the buttons (submit and clear) actually had a field “onclick=’doSomething();’” attribute.

Okay, so we’re dealing with javascript. I can handle that. I grab the included javascript file and realize that I’m dealing with something exceedingly strange. The whole script is one line long and contains very little valid javascript. Instead it contains what looks like a brief function, a ton of line noise and a bunch of words at the end that are delimited with pipes (|).

Since it’s my job to be paranoid, I think, “ah ha! someone has something they’re trying to hide.” It takes me a bit, but I realize that the java script is actually an eval function with a number of arguments. Poking at the arguments, I realize that one is the line noise, one is 62, one is an array of words and one is the number of items in that array. The code at the beginning basically unparses the whole thing. It breaks the line noise into tokens. The tokens are indicies into the array in base 62! Base 62 b/c you can use numbers and upper and lower case letters for each digit.

The code takes all of the tokens and replaces them with the word in the right position. It then runs an eval() of the whole thing. Armed with this, I alert() on the final command, only to find that the whole thing is a fairly simple client side validation and Ajax based POST. There’s absolutely nothing sensitive there!

*sigh*

Update:  spoke to the developer.  This wasn’t an attempt at obfuscation, it was actually a test of a program he downloaded that is supposed to be a javascript accelerator.  It accelerates by creating a smaller version of your javascript so it downloads faster!  Never mind that it then takes 5 seconds to unpack the stupid thing.  🙁

1 Comment

  1. Some days are just like that.
    *sigh*

    Comment by Bettejean Cramer — August 14, 2006 @ 5:37 pm

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress