Nick Guo, Ulysses Wang JavaScript De-Obfuscation Engine -- JDOE.


Agenda
Obfuscation Introduction
Anti de-obfuscation
Browser Knowledge
Current Solution
JDOE
Demo
Challenge & Improvement

Phase I Review: Obfuscation Introduction

Obfuscation
Concealing the intent of the code by making it difficult for human analysis and detection
Copyright protection
Hide information (e.g. an address)
Evade detection

Obfuscation Types
Three types of obfuscation:
Injection obfuscation
Public packer obfuscation
Exploit kit obfuscation

Obfuscation Types
"As recorded in 2007, over 80% of detected malicious code was already using obfuscation"
Most obfuscations are simple. Injection: 83%, exploit kit: <1%
Complex obfuscations occupy a small proportion
Obfuscation is becoming more complex

JDOE Prototype: Anti de-obfuscation

Fragmentation
Splitting important code into pieces of JavaScript code, HTML code or external scripts
String concatenate
– var temp="get"+"Elem"+"ent"+"ById"
Tag concatenate
– Put content in separate tags
– OpenSource exploit kit

Fragmentation
File concatenate
– Put a critical function or data in another file
– Phoenix Exploit Kit 2.5
Traffic concatenate
– Save data on the server; the client needs to request it

External Access
Fetch external data or perform a connection check
Ajax fetch data
Connection check
– Neosploit exploit kit

Condition check
Browser detect
– var uai=0, xor=0, uas=navigator.userAgent; while(uai<uas.length) {xor+=uas.charCodeAt(uai++);}
– IE6
– Firefox

Condition check
Time check
– getUTCFullYear(), getUTCMonth(), getUTCDate()
Plugin check
– new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); (IE)
– Check navigator.plugins (not IE)

Trigger Function
Trigger a function after a certain number of seconds
– setTimeout("alert('Hello!')",3000)
– setInterval("clock()",1000)
Trigger a function on a certain event
– <button id="j_id" onclick="j_function2();">
– window.attachEvent or addEventListener
Trigger a function from a plugin
– Call a JS function from ActionScript

Bypass de-obfuscation tool
Uncommon tag
Save content in CSS
Modification check
– var hybxs = arguments.callee; hybxs = hybxs.toString();

JDOE Prototype: Browser Knowledge

Browser Component

Webkit

DOM Tree

Phase I Review: Current Solution

Jsunpack
Lightweight: SpiderMonkey and Python
Set hook in JS file
Environment: DOM enumeration
Detection module (Yara)
PDF and SWF parser
Intrusion detection (libnids)

Fireshark
Firefox plugin
Main window and child frame source code
Main window and child frame DOM tree
HTTP request and response logged
Malicious URL check
URL redirection graph

Malzilla
Research tool
SpiderMonkey
Shellcode analysis
Limited DOM support

Limitations
Firefox based
Limited DOM support
Limited de-obfuscation
Performance

Phase I Review: JDOE

JDOE
What engine do we want?
High performance
Good coverage
Good output and log formats
Analytics platform

JDOE
JDOE is based on Google Chrome
Render engine: Webkit
– 85% of the smartphone browser market
– 21% of the desktop browser market
– Includes DOM tree and parser
JavaScript engine: V8

Prototyping
JDOE is based on a test project for Chrome
Command line tool, feasible to be ported as a server-side application
Able to simulate basic functions of a browser
Full DOM support
Good fault tolerance for HTML format
HTML format output

JDOE Architecture

JDOE advantage
Based on Chrome and Webkit
Strong parser
Full DOM support
Fast JS execution speed
High coverage
Good extensibility

De-obfuscation Method
Hook eval()
– Get some inner status of the JavaScript
Print the final DOM tree
– Get the final status
– document.write should add some nodes to the DOM tree

Exploit kit Coverage
Exploit kit samples
– Samples from the Top 10 exploit kits project
– Total samples: 22, JDOE success: 20
– Coverage: 90.9%

Injection Coverage
Injection samples
– Samples from obfuscation ThreatID matches
– Total samples: 9,544, JDOE success: 8,450
– Coverage: 88.5%

Demo
Demo time

Challenge & Improvement: Status and Next Step

Challenge
Security: how to keep the JDOE server secure?
– Upgrade plan
– Sandbox
– JavaScript audit
Performance
– Disable external access
Coverage
– Not supported on special samples
– Output format defective on special samples

Improvement
More trigger function handlers
PDF and SWF parser
Shellcode detection
JavaScript audit
Cloud-based integration
Auto analysis platform

Questions?