jSneak Proof-of-Concept

    by  • June 24, 2011 • Uncategorized


    Simple PoC of JavaScript delivery based on a timed token. The generated page contains no JavaScript unless a valid token is supplied.

    If the token is correct, a JavaScript source reference is added to the page; that script is executed and makes an AJAX request back to the server for the true JavaScript payload.


    Proposed Use:

    Delivery of JavaScript in a more obscure way.


    1. JavaScript does not need to be referenced on the initial load, so the page appears normal.
    2. The JavaScript snatcher is buried in minified jQuery code and executed on load, so it appears normal or at least less obvious.
    3. Payload delivery is injected into the page through basic DOM manipulation, without a refresh.
    4. DOM elements can be deleted once the payload has executed, making them invisible on the live site.
    5. The user is redirected once the payload has executed, making investigation annoying.


    Setup:

    1. Download the code.
    2. Replace HTML contents within index.php.
    3. Add a reference to the get_payload function variable at the end of the page load.
    4. Replace JavaScript functionality with desired payload.
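The behaviours listed under Proposed Use (a script element inserted after load, the element deleted again once it has run, then a redirect) are exactly what someone reviewing such a page needs to capture. The monitor below is an added example written for this page, not part of the jSneak code: a MutationObserver keeps its own log on `window`, so the record survives the element's removal, and the analysis is a pure function over simplified records so it can also be run offline on captured data. The `example.test` host and `/get_payload.js` path in the sample records are constructed values.

```javascript
// Added example, not part of the jSneak PoC: page-side monitor for
// late-inserted scripts, their later removal, and navigation away.

// Reduce a DOM MutationRecord into a plain object that is easy to log
// and to test on. Assumes a childList record with addedNodes /
// removedNodes; script nodes carry src and textContent.
function simplifyRecord(record) {
  const describe = (node) => ({
    tag: (node.tagName || '').toUpperCase(),
    src: node.src || null,
    inlineLength: node.src ? 0 : (node.textContent || '').length,
  });
  return {
    added: Array.from(record.addedNodes || []).map(describe),
    removed: Array.from(record.removedNodes || []).map(describe),
  };
}

// Walk simplified records and return what a reviewer cares about:
// scripts injected after load, scripts removed again, and the
// intersection (inserted, executed, then deleted to hide the trace).
function analyzeMutations(records) {
  const injected = [];
  const removed = [];
  for (const rec of records) {
    for (const n of rec.added) if (n.tag === 'SCRIPT') injected.push(n);
    for (const n of rec.removed) if (n.tag === 'SCRIPT') removed.push(n);
  }
  // Match external scripts on src, inline scripts on their length.
  const key = (n) => n.src || `inline:${n.inlineLength}`;
  const removedKeys = new Set(removed.map(key));
  const transient = injected.filter((n) => removedKeys.has(key(n)));
  return { injected, removed, transient };
}

// Browser-only wiring. The log lives on window so it outlives the
// deleted element; beforeunload records where the page tries to go.
// Returns null outside a browser so the file also loads under Node.
function installMonitor(win) {
  if (!win || typeof win.MutationObserver === 'undefined') return null;
  const log = { records: [], navigations: [] };
  const observer = new win.MutationObserver((mutations) => {
    for (const m of mutations) {
      if (m.type === 'childList') log.records.push(simplifyRecord(m));
    }
  });
  observer.observe(win.document.documentElement, { childList: true, subtree: true });
  win.addEventListener('beforeunload', () => {
    log.navigations.push({ at: Date.now(), href: win.location.href });
  });
  win.__scriptMonitor = log; // review with analyzeMutations(window.__scriptMonitor.records)
  return log;
}

// Constructed sample: what the monitor would capture if a page inserted
// <script src="https://example.test/get_payload.js"> and removed it
// after it ran (host and path are made up for this example).
const SAMPLE_RECORDS = [
  { added: [{ tag: 'DIV', src: null, inlineLength: 0 }], removed: [] },
  { added: [{ tag: 'SCRIPT', src: 'https://example.test/get_payload.js', inlineLength: 0 }], removed: [] },
  { added: [], removed: [{ tag: 'SCRIPT', src: 'https://example.test/get_payload.js', inlineLength: 0 }] },
];

// Installs in a browser (e.g. pasted into the DevTools console), no-op elsewhere.
installMonitor(typeof window !== 'undefined' ? window : null);
```

Paste the block into the console before interacting with the page, then call `analyzeMutations(window.__scriptMonitor.records)` once the page has settled; a non-empty `transient` list is the inserted-then-deleted script the page tried to hide, and `navigations` shows the redirect that would otherwise cut the investigation short.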