If I were an attacker: Third-party JS libraries

    by  • January 17, 2011 • Uncategorized

    I was taking a look at a case today where the potentially malicious site had a bunch of JS that looked a little weird. As I was going through my files I noticed that jQuery was being used on the site and it got me thinking. You tend to see jQuery or other libraries show up on web pages to add a little bit of magic, but how often do you actually go look at the source of that file to verify it is in fact jQuery? Assuming I was an attacker and happened to be hosting a site, why not name your JavaScript payload the same thing as jQuery? You could take it a step further and minify your payload using something like Google’s Closure Compiler or a JS obfuscator.

    Here is a small snippet from the jQuery file:

    /*
     * jQuery JavaScript Library v1.3.2
     * Copyright 2010, John Resig, http://jquery.com/
     * Distributed in whole under the terms of the MIT license
     * http://www.opensource.org/licenses/mit-license.php
     *
     * Includes Sizzle.js
     * http://sizzlejs.com/
     * Copyright 2010, The Dojo Foundation
     * Released under the MIT, BSD, and GPL Licenses.
     */
    (function(){var l=this,g,y=l.jQuery,p=l.$,o=l.jQuery=l.$=function(E,F){return new o.fn.init(E,F)},D=/^[^<]*(<(.|\s)+>)[^>]*$|^#([\w-]+)$/,f=/^.[^:#\[\.,]*$/;o.fn=o.prototype={init:function(E,H){E=E||document;if(E.nodeType){this[0]=E;this.length=1;this.context=E;return this}if(typeof E==="string"){var G=D.exec(E);if(G&&(G[1]||!H)){if(G[1]){E=o.clean([G[1]],H)}else{var I=document.getElementById(G[3]);if(I&&I.id!=G[3]){return o().find(E)}var F=o(I||[]);F.context=document;F.selector=E;return F}}else{return o(H).find(E)}}else{if(o.isFunction(E)){return o(document).ready(E)}}if(E.selector&&E.context

    I would just take the comments portion, run my payload through Closure, check to make sure it works, and done. Certainly not going to fool everyone, but you are hiding in plain sight and I am sure a lot of people will just pass over it at first glance. The only issue I see is making calls to functions and having that obfuscated, but that is for someone else to worry about.