Hacker101 - JavaScript for Hackers (Created by @STÖK)

Captions
Hi, my name is STÖK and I'm here with the amazing TomNomNom to talk about JavaScript. That's what we're gonna do today, right? Yeah, absolutely, and I think we've got a few things that we probably want to cover. Yeah, and probably a good place to start would be just a little bit of talk about what JavaScript is. So JavaScript is one of the main languages of the web and it's the one that makes web pages do things. So we have HTML, which describes what a web page is, how it's structured; we've got CSS, which describes what it looks like, what the colors are like and all of that; and then JavaScript, which is kind of, it's not really a description, but it's a programming language that we use to make web pages actually do interesting stuff, like talk to servers, or make things dance around the page, or make things change when you click on them, and all that kind of thing, form handling, all that validation stuff that you want to do. All kinds of things, and these days people build whole apps with just JavaScript and call them single page applications. Right, yeah, and no big news these days, people use big frameworks like React and it all gets really super complicated. But it's not to be confused with Java. No, definitely not. So there's a bit of a story behind that, I'm not sure how much of it is true, but when, I think, Brendan, I think his name is Eich, was creating JavaScript, Java was just getting really popular and some of his bosses said, hey, we should call it JavaScript to capitalize on the success of Java, and so they did, hence confusing generations upon generations of newbie programmers.

Okay, so what we're gonna learn today is, as an attacker, why should we look at JavaScript, and what could we do to leverage that to find vulnerabilities, tools, how to find them, and primarily also basics like how do you get started, how do you understand what's going on, and actually how can you take that information you got into an exploit? Yeah, absolutely. I thought a good place to start would be, let's have a look at Yahoo. Yes, Yahoo.com, and have a look at the JavaScript that's on there from an attacker's perspective. Sweet. And actually one of the most useful tools I've found for doing this kind of thing, and probably one of the most underrated hacker tools that there is at all, is the Chrome dev tools. Oh yeah, yeah. So I use the keyboard shortcut to open these, but if you're more of a fan of clicking around you can click these three dots up here, go to More tools and then Developer tools, and you'll get the same thing. So the Chrome dev tools are, in theory at least, meant for developers, but they're super useful for us hackers too. So for a start, if I go to the Network tab here and reload the page, in the background I can see all of the requests that are being loaded in this page, and I can filter them to just the JavaScript files that are being loaded. So we can see this one. Click, yeah, cool. I'm not really using Chrome dev tools at all, I'm a Burp user, obsessively, primarily, I love a lot of proxies, right, but this is actually proxying the traffic the same way, right? Kind of. So I mean, I use Burp too and it is useful. I find that this view in particular gives me a lot of advantages, but also the viewing facilities that I get on these are much better. So I can pick one of these files, let's just pick one randomly, and I can get an overview of the headers that were sent and the headers I got back with the request, but I can also right-click it and go to Open in Sources panel. So the Sources panel is kind of a nice place to be able to view JavaScript and do some funky things with it. I tend not to that much, but one of the things that you can do is you can deal with this horrible all-in-one-line minified JavaScript, yeah, by hitting this button down here that, if you hover over it, you can see just says Pretty print. Oh, so if you click that you get a much nicer format. That's nice. So if you're viewing this in Burp I think there might be some JavaScript beautifier plugins maybe, but you know, it's a minified file, you're gonna have a hard time actually reading it and trying to work on it. It's terrible, it's really really terrible, really bad.

There's a variety of reasons that we want to read this file. One of which is we just want to know what behaviour is happening in a page. Yeah. Well, another thing is you want to go in here and search for, maybe there's some API keys or something in there, so you might want to hit Ctrl+F and search for "secret", and hopefully we're not gonna find anything in there because it's the home page of Yahoo, or any other keywords that you want to search for too. If you wanted to search for endpoints in here, what would you do then? So, for a forward slash "api"? Or, yeah, so I think that's kind of the low-tech way to do it, or the lowest-tech, yeah. I can just sort of say, let's see, do I find anything for forward slash "api", and in this case it doesn't, no. But if you remember on that Network tab, this is all the JavaScript files that were loaded, yeah, but also related to JavaScript is this one labeled XHR, and if I hover over it you can see there's XHR and fetch. What does that mean? So XHR is XMLHttpRequest, which is a silly name for what became known as Ajax, or fetching remote files with JavaScript. Okay. And that's because of Microsoft that it's called that, basically. But if we click this tab we can see these requests were ones that were made by JavaScript. Okay. And you can in fact see, for a start, the initiator, so what it was that actually launched this request. Pretty print, just a cursor, this line of JavaScript here was the one that initiated that request. That does that for us? Yeah. So we can kind of work backwards and say, well, here's an API call, yeah, to this weather location service, right, I can go straight to the initiator of that, and once I've done that I can use that knowledge to say, okay, well, what else is in this file around here? So if there's one API call there, maybe there's going to be others. Also I might just pick on the name of it as well, so this says "weatherlocationservice" or whatever, and one of the other things the dev tools provides you is search functionality. So I'm going to hit Escape and I'm going to search for that weather location service, and you see this is pretty quick as well, so I can click on the result and it's going to take me straight to the Sources tab. Let's beautify it, I can pretty print it, mmm, and it hasn't put me in the right place, but I know what it was I was searching for, it was weather location service, and I can read around this JavaScript and say, okay, well, they're making a request object here, so maybe I'm gonna go and search for "request" in this JavaScript file, or in all of the other JavaScript files. If there are more API calls they're probably going to be in a similar format. Mmm, we're just searching for slash "api", that's kind of going to work some of the time, yeah, but it's not always where they are, right? Sometimes it's /v1, or sometimes it's slash YQL or something on Yahoo, right. That's one way that the dev tools can be really useful, this kind of what I call static analysis of JavaScript code, which just means reading JavaScript.

Where it can be more useful, and another reason that we want to read JavaScript, is because there can be vulnerabilities in JavaScript itself. So have you heard of DOM XSS? Yeah. So DOM XSS, what is that though? So I think it'd be better called client-side XSS, or maybe even JS XSS, but that's a little bit of a mouthful. So the general idea is, rather than a value being reflected in the page like with a reflected XSS, or being stored with a stored XSS, this is purely JavaScript taking some data from the user and mishandling it in a way that lets us execute JavaScript. So one of the things that got introduced a while back was an ability for different web pages to talk to each other using this thing called postMessage, right, and web pages will have these postMessage handlers or listeners listening out for these events, and if you take a web page like this, there's so much JavaScript in here that finding the particular part that's handling that particular event is going to be really tricky. But Chrome dev tools helps us out again. So I'm gonna click over in the Global Listeners part of the Sources tab over here, yeah, and I can see this is a list of all of the event listeners that are registered on this page, and one of them is "message". So if I click that I can see there are two things here. So if I click on the file name of that one it's gonna take me to this horrible minified file again, but I can click the pretty print again and not only is it going to format the JavaScript but it's going to take me right to this particular function, that's the one that's handling postMessage events. But one thing I want to point out here is this function is really hard to read, because although we pretty printed the file, yep, the variable names are still all single letters and it's really difficult to read and follow what the hell is going on here. So we're going to use another feature of the dev tools here to help us out. Perfect, because me as a non-code person, yeah, I don't get that at all, reading code is hard at the best of times, yep, and this has been made just one extra step harder.

I'm gonna click one of the line numbers here, I'm gonna click this one down here, 5530, I'm gonna hit Escape a couple of times and bring up the console. Now the console lets us run any JavaScript that we want, and in this case I'm gonna call window.postMessage, and this takes two arguments, which it tells us right here in fact, a message and the target origin. So we know that postMessage is just a standard JavaScript function, okay, exists in any web page, it's something that the browser provides, and the way it usually works is if I have an iframe in my page I would get a reference to its window object and call postMessage, but for now I just want to send a message so I can hit this thing that I've set here, which is a breakpoint. So I'm going to pick just any piece of text, give me a piece of, what word are we gonna put in here, something random. "mail"? "mail", okay, that works. And then the second argument is the target, and in that we're just gonna put star, so it means any target. If I run that, you can see I've got a message appear that says "Paused in debugger", and that's because this is the message handler, I sent a message to it and this breakpoint has told the Chrome dev tools, hey, when this line of code runs you need to stop and give control over to the dev tools. And suddenly you can see we've got a lot of extra information here, so we can see this MessageEvent and the data is set to "mail", and we can see on the next line what all of these other variables get set to, so we can see here that a variable gets set to "mail", and we've got another view in the Scope section over here of all of the different values of the variables too. I found this really useful for working my way backwards through the code, but I can see further on that my data is passed to this function P. If I hover over it I can see it's telling me where that function is defined, and I can click it and be taken straight to this function. It's got a different name here even, because of the way JavaScript works things might get assigned to different names and so on as they get passed around through different functions. So if I was trying to track that, keep tracking, yeah, so if I was trying to do a static analysis, yeah, reading the code and trying to figure it out just as a human with my fallible squishy brain, yeah, this would be really hard, but here it's taking me right there and I can read this code and figure it out. The debugger and the breakpoints really really help us out in that respect, because we can inspect the actual values of things at runtime, and you can actually modify them as well. You can execute code in the console in the context of this function, so if I type a T down in the console here I can see it's doing what's called eager evaluation, showing me the value of this thing, and I can refer to t.data, which is my "mail" value, and I can interact with this stuff and change the values of variables while the code is paused and then continue it and see what happens.

And what kind of bugs would you be looking for, XSS-es? So should we have a look at a vulnerable postMessage? Absolutely, give me a vulnerable one. So because, you know, the law exists, we can't just go showing vulnerable.com. No, we can't. But as luck would have it, Google released this thing called Firing Range, and this is a public instance of it, mm-hmm, and this is a whole set of pages that are vulnerable in a bunch of different ways, and we can see one of these things is DOM XSS. There's a whole list of different things in here and they're categorized by where the data source is, so this would be DOM XSS where the value comes from a cookie, where it comes from a referer, or the window name, but the one I'm interested in here is this postMessage eval one. So we've got an empty page, but let's pull open the dev tools and we can see here the JavaScript is inline with the HTML, but the prettify still works, and we can see there's a postMessage handler being added as an event listener for message events on the window object. We can set a breakpoint here. This is way easier to read though than the other one. Oh yeah, absolutely, this has not been minified or obscured or anything like that, even I can understand this. We can try sending our same postMessage again, and see, we're paused in the debugger. I set a breakpoint on the next line, content is now set to "mail", but I can change it, so let's change it to alert(document.domain) and then continue with the debugger, and we can see we've got an alert with public-firing-range.appspot.com popping up. So I know now, having figured this out interactively, that actually my postMessage can just be alert(document.domain). Cool.

Let's play around with the idea that you would show impact, okay, what would you do? It depends a lot on the target, yeah, and it's worth pointing out that sometimes the impact really is nothing, because this is a really good example here, this is a property owned by Google, public-firing-range.appspot.com, and I've got XSS on this domain, I can run any JavaScript that I want, but there's no impact because there's nothing here to be stolen, there's nothing here to be taken. And people talk about the impact of XSS as being, oh, I can steal cookies, but we have HttpOnly flags on cookies now and that's not really the main issue. The main issue is you've bypassed what's called the same-origin policy, which is the main protection browsers have to stop JavaScript from just going off and doing whatever it wants: JavaScript on evil.com fetching your banking website, right, same-origin policy says no, that's not allowed. But if I can run JavaScript on your banking website I can do anything you can do on your banking website just by clicking around, so if you've got standing transfers or things set up or withdrawals to different accounts or whatever it is, if you can do it by clicking, JavaScript can do it too. That's the real impact, so look for those things.

Let's look at this complex message one, and we can view the page source of it, or we can use the dev tools, since that's what we've been talking about. Yes. And one thing I haven't really mentioned yet is this Elements view, which can also be really useful, because JavaScript can manipulate the HTML in the page, and when you use view source you're viewing the HTML that was sent by the server, but if it's since been manipulated by the JavaScript it's now different to that. The Elements view, on the other hand, gives you the current view of the HTML with all of those manipulations applied. So if I hit Expand recursively on here you can see here's the full HTML with the JavaScript in it and here's our postMessage handler. It's a little bit more complicated this time, but I'm sure we'll be able to come up with an exploit for it. So let's have a look at the code, yeah, and see really what it's gonna be expecting from us. So we have the message, yeah, which is the thing that we're sending, and data is the bit that we actually control. So this is looking for an action and comparing it to the word "exec", and saying if action is equal to "exec", I'm going to evaluate the contents of message.data.payload. So what we actually want here is an object, and it wants two things in it: it wants an action, which is going to be "exec", and it wants a payload, which is really just the alert. I know I default, statistically, to alert and document.domain as my kind of go-to, and that's because having the document.domain tells me automatically and for sure what it is that is really executing JavaScript, which is nice, that's kind of a standard proof of concept.

But as we said, we can't really put mine in a bug bounty report, so I'm gonna rely on another little tool called repl.it, and repl.it is really useful, it lets you write code in a web browser in a variety of different languages like Python, C, you know, Java, not to be confused with JavaScript, but it'll also let us write HTML, CSS and JavaScript, and rather than having my own server set up and all that sort of thing, it's really nice to be able to just quickly fire this thing up and use this instead. This is the page I'm trying to exploit, and what I'm gonna do is make an iframe with an ID of, say, "target", and this is the iframe that I'm going to load the target page in, and then in the script we're gonna use the JavaScript to write our actual exploit. The first thing I'm going to do is get a handle on that iframe element, as it were, so the target, and we're gonna use document.getElementById to do that, and then we're gonna add an event listener to it, and that's going to be a load event listener, so when that iframe has finished loading its contents we are gonna run this code. The code we're gonna run: target.contentWindow, which is the equivalent of the window object that we were using before, and then postMessage, same as it was before. Now you're gonna go back to the console and grab the arguments that we used there. Oh, you know, we know those work, we've done that already, for sure. Okay, let me go. I'm gonna set the source of that iframe to be this page, yep, and in theory if I hit run up here we should get another alert, public-firing-range.appspot.com, so we know that it's definitely firing in the right context. Yes, and we can hit Open in a new tab here and we've got a publicly accessible address with a random name that we could send to a bug bounty program or something like that. Yeah, here's my explanation and here's my proof of concept. Yeah, and it won't affect your original, it makes a fork of it if they start to edit it, but it means that they can very easily inspect everything. There's a proof of concept, this is a very easy way to show that, okay, so if I'm running this externally this is what's going to happen. Yeah, absolutely, that's it of course. Okay, cool, so we learned how to create a simple PoC, right, and how to play around with the console and some basic tools to get started and play around with JavaScript.

So in your humble opinion, when it comes to JavaScript, why would you bother attacking this and looking for stuff in JavaScript and not just, you know, wait for stuff? Yeah, so I think really it comes down to a few things for me. One, that we've kind of covered, which is there can be vulnerabilities in the JavaScript itself. Yeah. Another, which is sometimes there are bits of secret information leaked in there. It's not super common but it does happen and it's worth looking for. Yeah. Well, the other one is, increasingly the JavaScript files are really a description of how the web application works, yeah, all of its inputs and outputs, all of the interactions that can happen with it, all of the endpoints that exist. Yeah, yeah, sometimes there'll still be some things that are hidden and they need to be brute forced because they're not in use or they're old, but really you could save a lot of time by reading the JavaScript file instead of going off and brute forcing things, and a lot of the times you'll find things that you just could not have brute forced. That weather API endpoint that we were having a look at before, for example, that's probably not in your wordlist. It's not in mine, no. No, it's different, but it could have been really interesting, and even if we had found it we still need to know about its inputs and its outputs, and yeah, usually the first step in exploiting something is making it work the way it's supposed to work first, because if you can't do that it's really hard to make it do something it's not supposed to do. Developers forget things, we all do, right. In scenarios where you're looking through the JavaScript and the application itself looks totally normal, but when you start looking into the JavaScript you can see the references they're having inside the JavaScript, so the things that it's calling for. It's searching for data from the database and it returns it as a JSON file and it's littered with creds, more or less, it's just dumping it in clear text when you send the request in, but you would never find that if you didn't read the JavaScript and see that request going in. One of the other things I've come across a few times in the past is all of the JavaScript for an application is bundled into one, it's all in one file, it's all minified, but the application includes all of the admin functionality that you're not supposed to be able to see. They don't want to have multiple JavaScript bundles for the admin application and for the regular customer-facing application, so it all goes into one, because that's kind of the path of least resistance. So you can learn about the admin functionality, you're not seeing it now, but you can play around with it there. Absolutely, and then yes, by simply doing a match and replace in Burp you can sometimes get the answer coming back and showing you in your browser parts of what you weren't supposed to see. You're still not having that access, but you can see the design and layout, what it would look like, and start to figure things out. Definitely, definitely, and if you're using tools like waybackurls or something else you can look at older versions of the same code and find stuff that's been changed. Absolutely, it can, absolutely. In particular I like to go back and look at the first versions of applications because they're the ones where, you know, everything was rushed out of the door, the developers had probably been working late nights and they took shortcuts. Yeah, sure, like, we should really have a password vault with all of our secrets and API keys and things, but, so, yeah, we're just gonna push it out the door with the API key in the JavaScript file. Yeah, it got removed the next day, but the crawlers and the Wayback Machine, they were there and they saw it, so yeah, definitely worth looking at, for sure. Cool, okay, thank you very much for going through JavaScript with me. Always a pleasure. Always a pleasure.
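The handler the two of them dissect on Firing Range, as an added example that is not part of the video or of Firing Range's own code: the vulnerable shape (an "action" compared to "exec" and a "payload" handed to eval, no origin check) beside a hardened one that checks the sender's origin, dispatches on a fixed set of actions and treats message data only as data. The trusted origin, the action names and the FakeMessageEvent stand-in are assumptions so the block runs under Node.

```javascript
// Added example, not code from the Hacker101 video or from Firing Range.
// FakeMessageEvent stands in for the browser's MessageEvent so this runs in
// Node; in a page both handlers would be attached with
// window.addEventListener("message", handler).
class FakeMessageEvent {
  constructor(data, origin) {
    this.data = data;     // what the sender passed to postMessage
    this.origin = origin; // scheme://host[:port] of the sending window
  }
}

// Vulnerable shape: no origin check, and sender-controlled data reaches eval.
// Any page holding a reference to this window (e.g. via an iframe) can drive it.
function vulnerableHandler(event) {
  const msg = event.data;
  if (msg && msg.action === "exec") {
    return eval(msg.payload); // the DOM XSS sink the video locates with a breakpoint
  }
  return undefined;
}

// Hardened shape. The trusted origin is an assumed placeholder value.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Closed set of actions; the payload is only ever used as data.
const ACTIONS = {
  setTitle: (payload) => ({ title: String(payload).slice(0, 80) }),
  ping: () => ({ pong: true }),
};

function hardenedHandler(event) {
  // 1. Drop anything that does not come from an allow-listed origin.
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  // 2. Require a structured message, never a bare string to be evaluated.
  const msg = event.data;
  if (msg === null || typeof msg !== "object") return null;
  // 3. Own-property check so "constructor" or "__proto__" cannot reach
  //    a member inherited from Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, msg.action)) return null;
  return ACTIONS[msg.action](msg.payload);
}

// When replying, name the sender's origin instead of "*", so a different page
// that later occupies the same window cannot read the reply.
function replyTo(event, reply, postMessageFn) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  postMessageFn(reply, event.origin);
  return true;
}

// Constructed sample message in the same "exec"/payload shape seen in the video.
const sample = new FakeMessageEvent({ action: "exec", payload: "2 + 2" }, "https://evil.example");
console.log(vulnerableHandler(sample)); // 4: the payload ran
console.log(hardenedHandler(sample));   // null: untrusted origin and unknown action
```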
Info
Channel: HackerOne
Views: 775,654
Keywords: security, vulnerabilities
Id: FTeE3OrTNoA
Length: 24min 17sec (1457 seconds)
Published: Wed Apr 22 2020