Like I said, my name is Prasanna. I work in the field of information security. I work for ThoughtWorks and my primary role is pen testing. We also run one of the security communities within Singapore called Null. It's a free open source meetup which people are free to come to. It happens once a month, mostly focused on security. Right now more towards pen testing. But if someone wants to talk about hardware security, we would love something like that. We have zero knowledge and stuff like that. That was awesome stuff. I know there's JTAG but I don't know what JTAG is. Someone could really talk and that would be really useful. Something we could learn. This is a talk I had given some time back so I'm just going to repeat some of it. Some of the content I might choose to keep. Sometimes I might not want to do some of this. So mainly what I'm going to concentrate on is JavaScript. What is obfuscation in JavaScript? Why do we need to obfuscate code and things around it and maybe a little bit of deobfuscation? Deobfuscation, I can't show much on my machine here because most of the tools are Windows specific. I have not set up my environment today for a Windows specific one. I'll give you the tool names. You could use them. It's pretty plain. Click and use them. That's what they are and you can just download them. Point of advice there is if you go to the site, it's called Kahu Security. Do note that they serve malware today and use them at your own risk. One more thing, when you work with obfuscated code, please do also understand it could be malware. Let me give you a small hint of what obfuscated code looks like. This is a small part of an exploit that was developed. This was a challenge. Someone could break this and I was one of the guys who broke into it. I'll show you some of the steps around it. I'll share with you links. I can even share with you the actual challenge itself, if someone is interested.
Pick it up, spend some nights, break the whole thing out and it's fun. It's really fun. If you really think about it, it's actually a very, very simple function out there. It's going a little bit to the top just to show you what does it mean, obfuscation mean? Obfuscation means hiding something in plain sight. At the end of the day, it has to make valid JavaScript. We cannot go away from it. I can't write something random out there and think that it's going to execute. That's not the point. So obfuscation means it has to be still valid JavaScript, but you do things a little different and that's what I'm going to be concentrating on. I'm sure most of you here know what JavaScript is. I'm not going to go too much into it, but I'm going to be going into JavaScript a little weird way. Everyone thinks, how do you define a variable? Let's start with that. Let's make it as interactive as possible. Sure, that's a very standard way. Can you believe that in JavaScript, you can do it at least five different ways? And that's the beauty of it. The exploit is all about doing things a little different and that's what it is all about. This is a very important thing that I wanted to discuss. Why do you need obfuscation? From a security point of view, the reason we learn obfuscation is to break filters. So let's say today you have a .NET application and you try doing a cross-site scripting. It will immediately throw back an error saying that dangerous payload detected. So that means it's actually using a regular expression, seeing your content and seeing how it works with it. In fact, this is one of the ways it's filtered. Everyone has one of them. Today you write a Rails app. It has its own set of rules and there are multiple ways that these guys do it. Our job is, we still have to break it. Otherwise we don't get food at my table. So effectively we write obfuscation just to break those filters. How do you bypass those things? Let's say the word eval.
How do you write something which is not eval? You still have to send an eval and you have to, if you learn, let's say you want to win the challenge or break it. An eval has to be there. But there is a program which is constantly looking for the word eval. How do you, so obfuscation is to send eval when it executes, when the interpreter is executing it, it will know it is an eval. But this program that is checking and verifying it would not think it's an eval. That's what the whole, why you do obfuscation in the whole part. Social engineering, most of the exploit packs have obfuscation on it all the time. We've had a lot of people send malicious stuff just to hack some of their friends. It is always mostly obfuscated. And most of the web exploits that you see today, you would definitely know that it's an obfuscated one. Kahu Security has a lot of exploits that you could really go and play around with. I could show you a few ways where you could play with them safely. One would be definitely move it into a VM. But VM also can be bypassed. So you want to be careful around them too. Not going to spend too much time here. This is just to give you an understanding of what JavaScript is. If someone didn't know what JavaScript is, there's a very plain JavaScript function there and why JavaScript is being used. But let's take some time and discuss JavaScript strings. Like I asked about variables, a string would have been x is equal to r, x is equal to within two quotes. The first and second one are the ones that people use the most, isn't it? If you want to define a string, strings happen to be the most important component in obfuscation. The more ways you can create strings, the more fun you're going to have in it. So if you look at the second one, sorry, the third one, this is basically a regex expression. And what we are saying is you put a plus sign and put two commas, apostrophes at it, basically saying it's a string.
Automatically the browser or in this case, whatever you're using it will convert it into a string. The reason I say whatever is who implements JavaScript? Sometimes the browsers and if you're using Node.js or someone that could be a V8 engine or whatever who's running it. So it's basically how JavaScript really works. So implementation could be different. One more point there around that is browsers also are different. So some of the functionality that works in one browser might not necessarily work on a different browser itself. Like I was, when I took this presentation today morning and I was reviewing through this whole thing, I realized some of the things don't work today. When I, so within six months, things are changing and the last I gave a presentation on this was around six months ago. And I'm like, whoa, this is not working. I would point it out, I'll show you which one wouldn't work. And this one, I am a string. This is a very interesting one. What it does is you have an array representation of the string, and when you put an array accessor, so in this case, it's an array accessor. What it does is it automatically converts it into a string. The output of this is a string. So, and the other one is the one above it is again a regex. And it has a default one, which is dot source. If you really think of it, it's actually calling the same source property within itself, which is the operators. So I will run through these a little faster, then I'll show you some of the demos of what I've created and we can see them actually working. So, how are operators useful is the way JavaScript works with them. So you might put some values around, put a lot of operators in front of it, even if it fails, the alert would still work, or a URL could still work. So syntactically, even though it fails, maybe I'll just quickly show you this. So let's look at this. If you see the, is it clear? Can I make it a little bigger, maybe? Is this better now?
So if you notice here, what I've done is right in front of the alert. So let's say there is a cross-site scripting filter, which is looking exactly for the word alert. Because most of the pen testers test with alert, but that's not the real point. And alert just gives a point that I can execute JavaScript. Most of the people don't understand that bit. If you notice the first, third line, I've added a bunch of numeric operators in front of it. What do you think? Will it work? Will it not work? The best was something like these. Look at this one. I'm doing a mathematical operation on it. Let's actually run this thing. First one, second one. You see this one? It's actually one. It worked. And if you would have gone to the console and then executed, you will actually see the errors pop up. Damn, I've opened this in a different window. Okay, sorry. I would give you the files, try it on your own, this one. You would actually see that there will be interpretation errors. It will say that, hey, I tried dividing it with a string, it doesn't seem to work. But it will still execute. That's the beauty of it. That's how JavaScript has been built. Moving forward. Comments, there are standard ones, your slashes and multi-line ones. I'm not gonna spend too much time there. This is another very interesting thing. It actually supports multiple encodings. You could actually have different, and the best part is you could mix them up. You could say, A, put it in Unicode, L, you put it in hex, and E in octal. Sure, go ahead. It allows you to do all those kinds of magic. So the reason why this is useful is, if you really think of it, when I'm building an exploit there, I would mix all of these things together so that some parts of it is gonna be in, so it's gonna take time for you to decrypt, find out what is happening, and really, you should start thinking what is, how do you break it there? Okay, this is a challenge. And what do you think is this? There are actually two challenges.
Gonna let you think this for a minute. What do you think is the output of this? The output is an object. It's actually the window object. It actually represents window. Imagine this here in a browser, and if I call this out as a window, you're effectively saying I can run any window functions that are there. But this only means it's a window object. To weaponize this, how would you weaponize this? How would you actually, if you really have to do this, how would you weaponize this? It only means window. Sure, but then how do I reference this? Either I have to put this, this x is equal to this, and then go ahead and say x dot, then only I can reference it out. If only this much is available to you, where do you reference this? If you say dot, you can't technically do all that, but it's as simple as putting square brackets and putting whatever function you want inside. So eval is one of the functions. So you put a square bracket, put an eval there, it will effectively do this. This is one, another way of doing the same thing. If you notice this, there is a little bit of a difference. The first one, I used an object. In this, I did not use any object at all, object literal to be specific, to be exact. The other one is, if you really look at this one, there's a little bit of an obfuscation I have started in the second one. What do you think is, it's eval, it's actually eval. This answers the question, right? So someone is really looking for the word eval and you send something like this. No filter is gonna break for this today. They are all smarter than that. They would totally do dynamic analysis and say that no way, this is not going anywhere, but it would totally break at that level. Variables, there are some rules around it. It can be alphanumeric characters, numbers except in the first character. So it makes a lot of sense. So you just put a letter and put a bunch of numbers, underscores and dollars. Now, this is another way.
The one that I told you will not work is the one above the last. It doesn't work today. Why? Because regular expressions cannot be functions anymore on browsers. It's effective. The second last one. The last one is a perfectly valid one. I'm sure you know the, it's a ternary operator. So it's gonna basically say, what do you think is the output? If it's the last one. Actually, that's the one that's used by a lot of X is gonna become string. All of the other ones are pretty much similar representations. These are the ways that you could create variables. See, we generally know var X is equal to one. There are so many ways that you could create the same thing. The one that is here, this one, this doesn't work anymore. Because at least the browsers are calling it out saying that, hey, your regular expressions cannot be functions anymore. If you really think of it, it's actually a regular expression. Made it into a function and you're passing the value itself into it and it doesn't seem to accept that. The other ones are the built-in variables itself. The most important ones are your window, the document and stuff like that. But, okay, let's not go into this. Let's go back to my, this one and let me run through some of the, okay, let's look at this. This is a very interesting one. It's too big. You know what is happening here, right? You know that that's okay. Okay, fine. So the first one, I'm actually setting it as an object, as an object literal and setting that an object literal is being created, which has an object property with a value of 123. That's what it's set. The best part being is, the second one is you have an object and you're trying to access the value of the object itself, right? How would you access it? In real time, you would only say object literal, square bracket, object property. And the output would be 123. That's the expected one. But in the one that I have created here, the first one would work, the second one would fail.
I'm only talking about these two lines. The first one is just a definition. So that has to be set. Both have one, two and three, right? Zero, one, two, three. That's the point. I would come to that a little bit. There is a reasoning why that, it is to break an idea. You generally think that object property should directly be after the square bracket itself. So think of it just as fillers. They have no real value to provide. Yes. Because the execution is the most right most. And the first one is the right most one is the one that will work. That is why it's object property. There's a small comma here. So it effectively, so when it looks at the right most one, it looks at four and looks at the object. I don't seem to have a four here and it'll throw out an error, undefined. Which is what I told, right? It doesn't get the value and that's why it's undefined. This is also interesting. It's a similar one, but a little different in this. So the only difference here is it is one, two, three. And then the next one is a whole group by itself. That's the only difference there. So if you, yeah. So if you look at it, the one, two, three didn't have any reasoning to be there. So you have a filter that's looking for something you would still totally bypass. It's all about how do you make the system, beat the system. Let's look at the strings because this is a very important one. I'll have to, so if you remember, I had shown you the PPT where I had put the values here. Let's execute them and see the actual value execution. So it's a string. Second one is a proper string. But notice the first one, it came within the regular expressions itself. Third one is also a string. The fourth one is also a string. If you could just see, all of them have valid string representations itself. And that's a very important component there. Multiline infix, I've shown you some of it. Let's look at some encoding and these are important. That's valid JavaScript.
If you look at it, I've put this and this in Unicode. You could develop it, I think it'll work, but let's not look at that. This is the same one, but if you notice I've mixed up a few things. Last time I showed you that, how do I make a few? See, the most important one that I wanted to share is, so when you, these are all different, different concepts that are available. This is the fundamentals of what is available. So how you build things out of this is where the fun is. Sometimes it is fun in building it and most of the time my role is to break it. It is, you get a piece of code, then you have to reverse engineer it and see what is happening at that. So at that point of time, you have to understand how JavaScript really is and how it works and stuff like that. Okay, okay, I'm not gonna spend too much time here. Let's go back. Okay, after this, I wanna show something called, this, do you think this is JavaScript? I have seen people who make amazing stuff out of this. Way too much amazing stuff. That's actually valid JavaScript. Let's take a minute to create this. I don't, you're not having laptops otherwise I would have made you create a few. Normal array, zero, accessor. You remember, put an empty, it will automate. So if you notice this, you got my string. Sorry. What has effectively happened is, if you, if you can- It's literally representing NaNX. Yes. So what did we do? We, what I did was I created an empty array, made it access an empty array, did a mathematical calculation on it. It says, hey, how can I do a mathematical calculation on empty arrays? And it gives you out a NaN array. First it was a NaN object. Then when I, so if I add a plus square brackets to it, which is what I showed you that it will convert to a string immediately, which is what happened and it becomes a string by itself. So what do you, are you seeing where this is going? It says I can convert a string in a function and so on. Yes. So, but what am I really bringing up here? 
I'm building the actual JavaScript functions itself, right? What would come out of this? You can't, but what do you, what's the use of this? It's a string, correct? That is one definite thing there, but you could do something more on, with this. You could pick out things out of it, like the letter A is available for us now. Let's say someone is looking for the word alert and they've done everything. Then your only objective available in life is alphanumeric JS. It's pain, but this is how you do it. So I showed you how to create the NaN, right? So I'm gonna skip that one. I was actually gonna do this. See, this is a little bit different from what I had done there. So every time I've been thinking there is a little bit of a difference in how you create it, end of the day it has to come to what it is. Idea is create mathematical mistakes and use that. This was created by a gentleman called Oxotonix. The second number represents one. So if you take that, you've created something NaN there, it's a string. So it starts with zero, zero, one, two. You have one here. Make an array, put this value inside. It will evaluate it to be one. So the string, first value of the string A. So the output is going to be A. See that one? So I put all things in, so I've grouped it into a bracket. Then applied the one on it and you basically get A. Hey, where are the others? Unfortunately, I think it's hidden, but let me show you without this one here. So if you're going to try L, you have to create a false condition and pick out the L out of it. E is definitely there in false itself. How would you get R? Sorry? I would go with true. It's much easier. And T, that's E, R, T. Now, what you need to do is you need to build all of them together, plus them all together. So you will get one big mass of alert with it. Then you send it to an eval and you have a whole alert with you. As simple as that. To make sense, if you don't want to do this, there's a very interesting site. I didn't name this.
It's called jsfuck.com. I don't know if I'm connected to the internet. I'm not connected to the internet, but you could go to jsfuck.com, put the word you want, and it would create the alphanumeric for you. It's a beautiful site. I love the site. But I explained it so that you know how it is really working. Yes, pretty much most of it. It's exactly doing the same job. If someone has internet right now, you could just see and play with it and type it and see it creates. Thanks, Sega. It's pretty long. Pretty long combination of it. Yes, it is. Because you really have to take different operations, find the letters in them, and then go ahead and do it, right? Yes, for analysis. Yes. So alert is a mix of all of this. It starts from A plus L. This whole thing is an L. E, R, T. So you need to club all of them together and it creates alert, okay? Let me go a little into this one. This is an actual challenge that was there on... This is pretty old. I did this in 2011. There was a company called BreakingPoint Systems. They've effectively been acquired by someone else now, Ixia or someone like that. And they had put up a very interesting challenge. This challenge is beautiful. We should take a minute to discuss this challenge itself. It was an obfuscated code and your job was to deobfuscate it, as simple as that to start with. But what it really turned out was a different way of exploitation itself. The beauty of this exploitation was, this is actually an exploit code. This is a frame, this was an old Firefox exploit. But in a web-based exploitation, how do you know which browser is coming? So in an exploitation, you basically set up a malicious website and you expect people to come and hit it. But you don't want to hit a Chrome browser with a Firefox exploit. So these guys had thought of a very interesting hack. It would take the user agent, find out what is the user agent that is coming in, and they had actually encrypted the exploit itself.
If Firefox was the user agent, it would decrypt it and send the actual payload. For everyone else, nothing would happen. That's amazing. So the challenge was to really break it out. So I've just colored a little bit of things around here, picked out only a small bit. If you want, I'll share with you the whole challenge and you could have fun breaking it. I can share my reading notes around it and you can pick it up. Let's see what actually happens here. Just the colored code. I'm just gonna take a minute to explain what it has done here. This is the simplest one. I'm being lazy to show, so I'm taking the simplest one. I've kept the tough one for you. So think of it, it's very simple. What it is really doing is, you take a string of character codes, meaning the values are in hex, convert it, make it into an ASCII character. The output of it means it's Opera. If Opera is equal to minus one, the result, what is the result is it returns this. The return is a key value. So you have to decrypt each one of those steps, find out which was the valid one. One giveaway right now for you, it's Firefox. That way I couldn't find out it's Firefox. So I had to decrypt each one, take the actual key, run the XOR and see if I'm getting the actual exploit or not. The answer on that was Firefox. So if you today want to concentrate only on the Firefox, it will still work. Did that make sense? How do you, what? So it's a little laborious process. There are some automations that are there which I'll show you. Otherwise it's pretty much manual work. There are people, I can try and share their blog. I chose the manual approach. There were some colleagues who had actually chosen an automated approach itself. And I can try and find and send out that blog and you can read around how people have really done it. One very important thing that you really want to do in your browser, if you're doing an analysis, is change the window eval object to an alert.
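The per-branch decryption step described above, as an added example that is not the challenge's code: each candidate key recovered from a branch is tried against the XOR'd blob and the output is checked for something that reads like JavaScript. The blob, the harmless script inside it and the three candidate keys are constructed for this example; the real challenge's keys and payload are not reproduced.

```javascript
// Added example, not code from the challenge or the talk: the manual "try each key,
// look at what comes out" approach, done as a small Node.js function.

function xorWithKey(bytes, key) {
  // Repeating-key XOR; the same call both encodes and decodes.
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}

function looksLikeJavaScript(text) {
  // A wrong key leaves mostly control bytes; the right key gives printable text with
  // familiar JavaScript tokens.  Both checks are heuristics to rank candidates, not proof.
  let printable = 0;
  for (const ch of text) {
    if ((ch >= ' ' && ch <= '~') || ch === '\n' || ch === '\t') printable++;
  }
  return printable / text.length > 0.95 && /\b(var|function|document|window)\b/.test(text);
}

function tryCandidateKeys(blob, candidateKeys) {
  const decoder = new TextDecoder();
  const plausible = [];
  for (const key of candidateKeys) {
    const text = decoder.decode(xorWithKey(blob, key));
    if (looksLikeJavaScript(text)) plausible.push({ key, text });
  }
  return plausible;
}

// Constructed sample: a harmless script XOR'd with one of three browser-name keys,
// standing in for the challenge's per-user-agent branches.  The analyst does not know
// which key is real, so all three are tried.
const SAMPLE_SCRIPT = "var title = document.title;\nwindow.name = title;\n";
const CANDIDATE_KEYS = ['Opera', 'Chrome', 'Firefox'];
const SAMPLE_BLOB = xorWithKey(new TextEncoder().encode(SAMPLE_SCRIPT), 'Firefox');

function demoKeySearch() {
  // Returns the candidates whose decryption looks like code; only 'Firefox' should survive.
  return tryCandidateKeys(SAMPLE_BLOB, CANDIDATE_KEYS);
}
```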
You know, that's the beauty of JavaScript. You can actually change the window eval. And next time eval wouldn't run. Alert would be. So what would happen is it'll alert this. So you could automate, so something could have, so think of it like this. It is probably doing some things and then creating an exploit out there for you. And you've changed it to the eval itself. What would happen in that scenario is it will become a normal thing and it will pop out as a message box instead of executing it. This is a link that you could really go to. Don't use your browser right now here. It has exploits. So use a careful browser to work with it. Don't get infected. You never know what is happening there. The tool that you may want to use is one is called Revelo. The other one is called Malzilla. Unfortunately, is there internet around here? Okay, I'll just put, it's okay. So the point is Malzilla is a web-based tool, sorry, a Windows-based tool. Paste it, choose different components around one or two and things around it and it probably will automatically make the conversions for you pretty much at the end of it. The other one, so to do, first question, one very important concept is your understanding of JavaScript. Not the plain JavaScript, but really understanding how much you can take the language to. And that's a very important one. The worst challenge. Sorry? The worst challenge. Most important in my mind is imagination. How interestingly can you create stuff? Okay, for people who are interested, let me just show you a few things around. So if you're interested in challenges, I could share these challenges. I thought someone would carry a laptop and they can do it here itself. That's okay. I can find. What do you think is happening here? 16 is comparing to each other. Yes. So it's gonna be four extra years. You will need a console. To really, if you really wanna break this, copy each component, put it in your console and that's how you could really work with it.
I can give you a little bit of it. It's actually a window. Yes. The first one is the window. Four levels three is... So what I would suggest is, copy it something like this. It does effectively only evaluate. It's just, the whole presentation, I was just showing you different ways of, you could really do things. So one way is like this and there are 100 ways to achieve the same thing. Yes, I see. Ha ha. So, I'm just trying to find the other challenge. Not to nine and then eight or about... Where's my actual challenge? I... Okay, I'm unable to find my challenge. The challenge, exact challenge that I showed you there. The exploit that is there. I have it here somewhere. Yeah, got it. That's your exploit to work with. Really think about it. This is all nothing but the XOR'd exploit itself. You really don't need it. The first bit is what you really need. So what I would totally do is quick things. Quick wins are, I copy this into a text pad and do something like this. Start building quickly what all needs. So the manual approach is, find things that are quick to understand and make a quick understanding of what is happening in there and then go about building it. That's the... If someone is interested, I'll share this whole text file with you. You just break it down into... Sure, there are tools. So I use a very manual approach to do things but definitely there are people who have automated and that's exactly what I had shared. There are people who have done exactly using that way. The tools that are there, one that's very famous is Malzilla and it can basically build and do it. But the sad part is most of it is Windows-based and I'm not going to install Windows just to kind of work anymore there. Go ahead, we can all... No, there is a lot of JavaScript AST generators. No, because all these node preparsers like Babel and stuff, that's exactly what they can take. ES6 JavaScript, they generate a syntax, really.
And then they parse part of it because they process it back into ES5 and compile it back up. Totally would work. It would be faster. So when I did a manual around this, this is two nights of sleepless work. Now when I do it, I think it's like, I could go tuk, tuk, tuk, tuk, tuk, but four years back I was, it's pain, you just do one by one and it taught me quite a few stuff around it. The best learning that came out of it to me was the window object itself. How do you really get the window object? And that was a shocker. I've never heard of what is a value of function itself. You don't use that anywhere. Let's get C. But you don't have anything on eval. Yes. Let's get C is to use eval, it's very, very important in this book. Yes, eval, and that, actually if you see around, there is an eval in here somewhere. There is an eval. You can't really build anything valuable without an eval, but there are some very interesting ways. There are, do you know that a function constructor itself can play as an eval? You don't really need the word eval. The function constructor in JavaScript can be used to do eval itself. So I've not covered that bit in this session. The word eval itself can be covered in so many varieties of ways. setTimeout could do the similar job for you. So you could really, the beauty of it is the extensibility of the language itself. And the best part is that a lot of people know about eval, but a lot of people don't know that function constructors can be eval. You really don't need to do things without eval itself. These are some of the amazing people who do work on this. Mario Heiderich and Gareth Heyes, we need to be, they need to put a thanks to them. A lot of this work has been them. And that's it pretty much. And I have my email. If someone wants the challenge, I can forward it. Have fun and break it.
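The "change window.eval to an alert" analysis trick from earlier in the talk, extended to the other code sinks the closing remarks mention (the Function constructor and setTimeout with a string), as an added example that is not code from the talk: a Node.js harness that replaces those sinks with traps that record the decoded string instead of running it. The sample payload is constructed for this example from the tricks shown in the talk; the helper names are the example's own.

```javascript
// Added example, not code from the talk: every global code sink the decoding layer
// could reach is swapped for a trap that records its argument, so the decoded stage
// is captured as text rather than executed.

function makeTrap(sinkName, captured) {
  // A plain function, not an arrow, so that `new Function(...)` on the trap still works.
  return function trap(first) {
    if (typeof first === 'string') captured.push(`${sinkName}: ${first}`);
    // Callable no-op: `Function('...')()` and the result of `eval(...)` stay harmless.
    return function neutralised() {};
  };
}

function captureEvalPayloads(obfuscatedCode) {
  const captured = [];
  // Compile the outer layer before the traps go in; it runs with `this` === globalThis,
  // which is what tricks like `this['ev'+'al']` rely on.
  const outerLayer = new Function(obfuscatedCode);
  const saved = {
    eval: globalThis.eval,
    Function: globalThis.Function,
    setTimeout: globalThis.setTimeout,
    setInterval: globalThis.setInterval,
  };
  for (const name of Object.keys(saved)) globalThis[name] = makeTrap(name, captured);
  try {
    outerLayer.call(globalThis);
  } catch (err) {
    captured.push(`error: ${err.message}`);
  } finally {
    Object.assign(globalThis, saved);   // always put the real functions back
  }
  return captured;
}

// Limitation worth knowing: only the global bindings are replaced.  A payload that reaches
// the Function constructor through `[].filter.constructor` (the JSFuck route) gets the real
// intrinsic, so that stage needs a debugger or an engine-level hook instead.

// Constructed sample: four ways from the talk of reaching a code sink without the plain
// words "eval" or "alert" sitting where a naive regex filter would look.
const SAMPLE_PAYLOAD = [
  "this['ev' + 'al']('al' + 'ert(1)');",                                    // window[...] lookup
  "\\u0065val(String.fromCharCode(0x61, 0x6c, 0x65, 0x72, 0x74) + '(2)');", // escaped identifier
  "setTimeout('al' + 'ert(3)', 0);",                                        // string to setTimeout
  "eval((+[][[]] + [])[+!![]] + (![] + [])[+!![] + !![]] +" +               // 'a' from "NaN", 'l' from "false"
  "  (![] + [])[!![] + !![] + !![] + !![]] + (!![] + [])[+!![]] +" +         // 'e' from "false", 'r' from "true"
  "  (!![] + [])[+[]] + '(4)');",                                           // 't' from "true"
].join('\n');

function demoCapture() {
  // Returns the recorded sink calls; nothing in the sample is executed.
  return captureEvalPayloads(SAMPLE_PAYLOAD);
}
```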