
Attacking JavaScript protection (Bypass it like a breeze!)


Let's learn some great tricks during this f*cking pandemic! Yeeeeeehaaaa let's jump in!

JavaScript is one of the most popular languages used in websites. Because of this popularity, you can find a wide variety of JavaScript usage examples. Of these, the most pointless are:

  • JavaScript protection of part or all of the content

  • JavaScript data verification without server-side validation

  • JavaScript access control

When building a website, it is necessary to start from the fact that any data received from any user is untrusted and that client-side JavaScript cannot guarantee anything. I really mean it: ANYTHING!

To demonstrate the weakness of JavaScript protection, we will bypass it in Damn Vulnerable Web Application (DVWA). DVWA can be installed on your own computer.

First and foremost, we will introduce you to some naked facts! 😂

1. Any part of the web page and its JavaScript can be arbitrarily changed by the user

So, let’s set the low security level in DVWA (in the DVWA Security tab) and go to the “JavaScript Attacks” page and see the following there:

As a task, we need to submit the word “success” through the form on the site. Let’s try: we enter “success” and click Submit. We get the error “Invalid token.”:

Open the source code of the page.

Between the <script></script> tags there is the following:

I can only understand the following lines:

Also look at the form that is used to send the word “success”:

In the generate_token() function, the first line assigns the “phrase” variable the value of the form field with the “phrase” id. In the second line, the value of the phrase variable is passed through two functions and the result is assigned to the element with the “token” id.

Outside the function, there is a call code for this function:

generate_token();

This call is not tied to any event (for example, form submission) or condition. This means that by the time the page is open in our browser, the generate_token() function has already been executed: the token value for the “ChangeMe” string has already been calculated and assigned to the input field with the “token” id. For this reason, when we change the value of the “phrase” input field, it no longer matches the token, which is exactly the message we receive.

It turns out that the only way to complete the task is to change the value of the phrase field from “ChangeMe” to “success” before the page (and therefore the script) is opened in a web browser.

But the BIG question is: How?

This can be done in Burp Suite, which, among other things, can modify any part of HTTP traffic (the headers and bodies of requests and responses) on the fly.

But I will show you a completely “childish” method, which I have used since my first years with a computer; for this method no tools are needed at all.

The essence is elementary: we save the page to our computer, open it with an editor (any text or HTML code editor), make the necessary changes, open this page in the browser and submit it!

We save it (I chose a shorter file name, since special characters in the name can cause problems):

Open the *.html file and find the form:

As you can see, it has changed: a value has been assigned to the token field, apparently by the browser when saving:

So, firstly, change “ChangeMe” to “success”.

Secondly, this form has no “action” attribute. The attribute “action” specifies the page where the data is submitted. If the attribute is absent (this is allowed), then the data is sent to the same address where the page with the form is located. This worked fine when the page had the http://localhost/dvwa/vulnerabilities/javascript/ address.

But when I open my saved file, it will have an address something like file:///home/mial/Загрузки/1.html, and the browser will try to send the form data to the address file:///home/mial/Загрузки/1.html. But we need to send the data to the server.

Therefore, we add the “action” attribute to the form and specify the address where the data should go (in our case, the source address of the form): action="http://localhost/dvwa/vulnerabilities/javascript/"

Sometimes the page may already have “action” set, but the address is given as a relative path – in this case, again, submitting the form will not work as we need. To fix this, just specify the absolute path to the page on the target site.

Thirdly, as I mentioned, when saving the page, the browser entered the token value – we remove it (although, logically, this is not necessary, since the new value will be calculated and assigned after the page is opened).

So, we got the following form:

I save it and open the file in the browser:

I click the “Submit” button:

Pay attention to the page address – we are back on the server. At the same time, we received the message “Well done!” – that is, the task is completed. In such a simple way, we circumvented the JavaScript protection, and we didn’t even have to understand the token calculation algorithm – it was enough to make a small change at the starting point!
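To make the lesson concrete, here is an added model of the flow described above (the token generated once at page load, the "Invalid token." response, and the "Well done!" result) together with the server-side design that actually holds. This is example code written for this post, not DVWA's own source. The page does not name the two functions that generate_token() applies to the phrase, so rot13 followed by MD5 is assumed here as a stand-in; the message "You got the phrase wrong." and the function names are likewise constructed for the example.

```python
"""Model of the DVWA "JavaScript Attacks" form: client-side token versus server-side checks.

Added example, not DVWA's code. The two functions applied to the phrase are
ASSUMED to be rot13 followed by MD5; the page only says "two functions".
"""
import codecs
import hashlib
import hmac
import secrets


def client_token(phrase: str) -> str:
    """What generate_token() is modelled as computing in the browser (assumption: rot13 + md5)."""
    return hashlib.md5(codecs.encode(phrase, "rot_13").encode()).hexdigest()


def browser_submit(phrase_in_html: str, typed_phrase: str) -> dict:
    """Model the behaviour observed on the page: generate_token() runs once, at load time,
    on the value already in the HTML, not on whatever the user types afterwards."""
    token = client_token(phrase_in_html)          # computed at page load
    return {"phrase": typed_phrase, "token": token}  # phrase edited later by the user


def weak_server_check(form: dict) -> str:
    """Vulnerable design: the server's only "protection" is recomputing a function of the
    submitted data. Anyone who can read the page source can satisfy it by editing the HTML,
    so the token proves nothing about where the phrase came from."""
    if form.get("token") != client_token(form.get("phrase", "")):
        return "Invalid token."
    if form["phrase"] != "success":
        return "You got the phrase wrong."   # constructed message for this example
    return "Well done!"


def issue_token(session: dict) -> str:
    """Hardened design: the server issues a random, session-bound, single-use token and
    keeps the reference copy itself. The browser can only echo it back; no amount of
    editing the saved page lets a client manufacture a token the server never issued."""
    session["token"] = secrets.token_hex(16)
    return session["token"]


def strong_server_check(form: dict, session: dict) -> str:
    """The rule that matters (what phrase is acceptable) is enforced here, on the server,
    and the token is compared in constant time against the server-held copy."""
    expected = session.get("token")
    if expected is None or not hmac.compare_digest(form.get("token", ""), expected):
        return "Invalid token."
    session.pop("token")                          # single use: a replay fails next time
    if form.get("phrase") != "success":
        return "You got the phrase wrong."
    return "Well done!"


if __name__ == "__main__":
    # Typing "success" into the unmodified page: token was computed for "ChangeMe".
    print(weak_server_check(browser_submit("ChangeMe", "success")))   # Invalid token.
    # Editing the saved page so the initial value is "success" before the script runs.
    print(weak_server_check(browser_submit("success", "success")))    # Well done!
    # Against the hardened server a client-computed token is simply unknown to the server.
    session = {}
    real = issue_token(session)
    print(strong_server_check({"phrase": "success", "token": client_token("success")}, session))
    print(strong_server_check({"phrase": "success", "token": real}, session))
```

The two weak_server_check calls reproduce exactly what the post observed: the token is a pure function of the submitted phrase, so it is decoration rather than protection. The hardened variant moves the decision to the server and makes the token unforgeable from the client side, which is the only place where a check of this kind can mean anything.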
