Today, I want to introduce an intriguing topic I’ve recently started studying: polymorphic JavaScript execution payloads for Cross-Site Scripting (XSS) attacks. This advanced technique can help bypass Web Application Firewalls (WAFs) and various filters, making it an invaluable tool for our bug bounty hunts and penetration tests. By understanding and applying polymorphism in our payloads, we can enhance our ability to exploit vulnerabilities more effectively and evade defensive mechanisms. This knowledge is essential for anyone looking to stay ahead in the ever-evolving landscape of web security.
The term polymorphism originates from Greek and means “many forms.”
JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uniquely utilizes only six different characters to write and execute code: [ ] ( ) ! +. This minimalist approach not only highlights the flexibility and power of JavaScript but also serves as an intriguing challenge for developers.
One of the remarkable features of JSFuck is its independence from the browser environment. This means you can run JSFuck code in Node.js, broadening its applications beyond traditional web contexts. Whether you are exploring the depths of JavaScript’s capabilities or looking for unconventional ways to obfuscate code, JSFuck offers a fascinating avenue for both learning and experimentation.
An example of using JSFuck is the following payload, where all characters after “onerror” correspond to the JavaScript code alert(1).
To test the payload, a site by Brutelogic was used, which allows for testing Cross-Site Scripting (XSS) payloads.
In the user field, we inserted the payload.
Payload Injection
Reflection in the code
Aurebesh.js
Aurebesh Site Translator
In this instance, we present an advanced XSS payload that utilizes an SVG element’s onload attribute. This payload dynamically constructs JavaScript code and employs variable names and characters to obscure its true intent.
Aurebesh.js, created by Martin Kleppe (@aemkei), translates JavaScript into various other writing systems. For this example, we constructed a payload by converting the word “alert” using Aurebesh.js.
Payload Injection
Reflection in the code
This payload utilizes the encoded version of alert(1) to execute JavaScript in the onload event of an SVG element, demonstrating how Aurebesh.js can obfuscate code to bypass filters.
Hebrew
Here, we present an advanced XSS payload that utilizes Hebrew characters for obfuscation. By substituting standard Latin characters with visually similar Hebrew characters, we create a polymorphic script that can bypass many traditional security filters.
Payload Injection
Character Substitution: The script uses Hebrew characters to replace standard Latin characters, such as א instead of a, ב instead of b, and so on. This substitution makes the payload less recognizable to pattern-matching filters.
Const
In this example, we explore a sophisticated XSS payload that leverages polymorphism through the obfuscation of the const keyword.
Character Substitution: The script uses characters that look similar but are different, such as ο (Greek omicron) instead of o, and ѕ (Cyrillic small letter es) instead of s. This helps in evading pattern-matching filters.
Payload Injection
Reflection in the code
Katakana
In this example, we introduce an advanced XSS payload that employs Katakana characters for obfuscation. This method involves substituting standard characters with visually similar Katakana characters, creating a polymorphic script that can slip past many traditional security defenses.
Character Substitution: The script uses Katakana characters to replace standard Latin characters. For example, ウ is used instead of u, ア instead of a, and so forth. This substitution makes the payload less recognizable to pattern-matching filters.
Payload Injection
Reflection in the code
Filler
In this section, we present an advanced XSS payload named “filler” that uses Unicode characters for obfuscation.
Unicode Characters: The payload uses Unicode characters that resemble ASCII characters. This makes it difficult for pattern-matching filters to recognize malicious patterns.
Dynamic Variable Naming: The variables are named using Unicode characters, making them appear unusual and hard to detect.
Dynamic Code Generation: The payload constructs the JavaScript code dynamically, which is a technique used to further obfuscate the actual functionality.
Complex Obfuscation: The payload continues to build complexity by using operations and concatenations that are not straightforward.
Payload Injection
Reflection in the code
Hieroglyph
The last polymorphic payload technique I will present is based on Egyptian hieroglyph characters used as variable names.
Initialization:
𓅂='': Initializes 𓅂 to an empty string.
𓂀=!𓅂+𓅂: Negating the empty string gives the boolean true, and adding the empty string coerces it to the string "true", so 𓂀 is "true".
𓁄=!𓂀+𓅂: Negating the non-empty string "true" gives false, and adding the empty string coerces it to the string "false", so 𓁄 is "false".
Dynamic Code Construction:
𓊎=𓅂+{}: Concatenates 𓅂 with an empty object, giving the string "[object Object]" (in the URL-encoded payload {} appears as %7B%7D).
𓆣=𓂂[𓅂++] is not what is written; the actual step is 𓆣=𓂀[𓅂++]: the post-increment turns 𓅂 from the empty string into the number 1 but indexes 𓂀 with the old value, so 𓆣 is 𓂀[0], the character "t".
𓊝=𓂀[𓇎=𓅂]: Assigns 𓅂 (now 1) to 𓇎 and reads 𓂀 at that index, so 𓊝 is "r".
Complex Obfuscation:
𓏢=++𓇎+𓅂: Pre-increments 𓇎 to 2 and adds 𓅂 (1), so 𓏢 is the number 3.
𓆗=𓊎[𓇎+𓏢]: Reads 𓊎 at index 2 + 3 = 5, so 𓆗 is the character "c" of "[object Object]".
Further Obfuscation and Execution:
𓂀[𓆗+=𓊎[𓅂]+(𓂀.𓁄+𓊎)[𓅂]+𓁄[𓏢]+𓆣+𓊝+𓂀[𓇎]+𓆗+𓆣+𓊎[𓅂]+𓊝][𓆗]: Extends 𓆗 one character at a time (for example "o" from 𓊎[1], "n" from the second character of "undefined[object Object]", and "s" from 𓁄[3]) until it spells "constructor", then looks up 𓂀["constructor"]["constructor"], which resolves to the Function constructor.
(𓁄[𓅂]+𓁄[𓇎]+𓂀[𓏢]+𓊝+𓆣+'`𓅂`')``: Assembles the string "alert`𓅂`" from single characters of "false" and "true", passes it to the Function constructor, and invokes the resulting function with an empty tagged template (the backticks appear as %60 in the URL-encoded payload).
Payload Injection
Reflection in the code
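As an added example (not code from the original post or from aem1k), here is a defender-side normaliser that undoes the evasions described in the sections above before pattern matching: it percent-decodes, applies NFKC, folds the homoglyphs named on this page (Greek ο, Cyrillic ѕ, Hebrew א/ב, Katakana ア/ウ) back to Latin, and measures JSFuck character density. The confusables table is a small hand-built subset assumed for illustration; a production filter would use the full Unicode TR39 confusables data.

```javascript
// Added example, not from the original post: normalise input before
// pattern matching so the substitutions described above stop working.
// ASSUMPTION: this confusables table is a hand-built subset covering only
// the characters named on this page; use the Unicode TR39 data in practice.
const CONFUSABLES = {
  '\u03BF': 'o', // Greek small omicron, used for "o" in the const payload
  '\u0455': 's', // Cyrillic small es, used for "s" in the const payload
  '\u05D0': 'a', // Hebrew alef, used for "a" in the Hebrew payload
  '\u05D1': 'b', // Hebrew bet, used for "b" in the Hebrew payload
  '\u30A2': 'a', // Katakana a, used for "a" in the Katakana payload
  '\u30A6': 'u', // Katakana u, used for "u" in the Katakana payload
};

// Percent-decode, apply compatibility normalisation, then fold confusables.
function normalize(input) {
  let s = input;
  try { s = decodeURIComponent(s); } catch (e) { /* malformed escape: keep raw */ }
  s = s.normalize('NFKC');
  return Array.from(s, (ch) => CONFUSABLES[ch] || ch).join('');
}

// Share of characters drawn from the six-character JSFuck alphabet [ ] ( ) ! +
function jsfuckRatio(s) {
  if (s.length === 0) return 0;
  const hits = (s.match(/[\[\]()!+]/g) || []).length;
  return hits / s.length;
}

// Names that every payload on this page ends up assembling or calling.
const SUSPICIOUS = /\b(alert|constructor|Function|const)\b/;

// Returns the normalised text plus the reasons (if any) it should be flagged.
function classify(input) {
  const normalized = normalize(input);
  const reasons = [];
  if (SUSPICIOUS.test(normalized)) reasons.push('suspicious name after normalisation');
  if (normalized.length > 40 && jsfuckRatio(normalized) > 0.9) reasons.push('jsfuck-like character density');
  return { normalized, changed: normalized !== input, reasons, flagged: reasons.length > 0 };
}
```

Note that a raw `\balert\b` check misses "אlert" entirely, while the same check on the normalised text catches it; the `changed` field lets a logging layer record that decoding or folding altered the input even when nothing is flagged.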
All these payloads were created based on the content from @aem1k’s website: https://aem1k.com/.
That’s it for today, hackers. Thank you for reading my post. I hope to see you in the next one. Hack the world!
From Broken Object Level Authorization (BOLA) to the Massive Financial Attack
Hey everyone, today we’re going to talk about how web applications can be affected by a Broken Object Level Authorization (BOLA) vulnerability, and I’m also going to give you an exploit case example.