We have an OpenSource Extension Similar like Greasemonkey only used in Firefox.
Users can submit (Java)scripts for other Users to run.
This gets abused by sending malicious code.
We want to rough autocheck in future with a script the submitted Code.
We don’t allow or want to further investigate:
- making page requests
- obfuscation attempts
We already filter:
- btoa
- eval
- window.
- a regex for url’s
/^(http|https|ftp)://([A-Z0-9][A-Z0-9_-]*(?:.[A-Z0-9][A-Z0-9_-]*)+):?(\d+)?/?/i - the above url regex adjusted for escape,encode,encodeURI,encodeURIComponent v.versa
What could help:
- other possible bad patterns & functions
- a regex to filter for obfuscation attempts
Thank you for your ideas !!
EDIT:
I guess this is it so far. Thanks to every contributor !
Would be welcome though to find a broadly valid regex to filter for already obfuscated code.
Community wiki
Add any ideas you have, and keep in mind that it is a rough check.
Tip beforehand: Also run the code through Google’s Closure compiler, to easily get rid off constructs like
window['e'+'v'+'a'+l]('....')and character escape sequences like\x65\x76\x61\x6c.Do not only check for functional hazards. For example, typed arrays are an easy method to fill the memory with junk, causing instabilities at the user’s OS. If the volume of scripts permit it, I recommend to test the script in a sandbox, e.g. in a VM.
Global objects (any permutation of these):
windowdocument.defaultViewtopparentframesselfcontentOther:
Functionconstructor andsetTimeout/setIntervalwith a string argument – Eval in disguisedocument.createElement– Possibly injecting code or external resources.cloneNode/appendChild/replaceChild/insertBefore– Dangerous when combined with dynamic elements.document.scripts– Basically any DOM manipulation!document.cookie/localStorage/globalStorageXMLHttpRequestdocument.forms– HTTP requestsdocument.anchors/document.links– Spoofing links?document.applets/document.embeds/document.pluginsdocument.load– Loads a (XML) documentdocument.execCommand– Executes a command on the current documentImage/Audio– HTTP requestsopen(pop-ups)document.open/document.write/document.writeln– Replacing or injecting arbitrary data in the current pageinnerHTML/outerHTML– Same as previous one (outerHTMLdoes not exist in FF)setAttribute,addEventListeneretc.Worker– Loading web workers from external sources (!)location/document.URL– Changing the page’s locationhistory– History / location manipulation (!)document.implementation– Creating arbitrary documents.DOMParser– Creating arbitrary documents.Object.defineProperty/__defineGetter__/__defineSetter__etc.WebSocket/MozWebSocketconsoleor any property thereofdebuggerstatement – acts like a breakpoint for debugging purposesInstallTrigger– A Firefox-specific object to manage installs.File/FileReader/FormData/MozBlobBuilderPackages/javaObfuscation
.. detection can be done in 2 ways (searching the functions or the output).
Search for obfuscation Functions:
unescape/escapeencodeURIComponent/decodeURIComponentencodeURI/decodeURIbtoa/atob/\\x[0-9a-f]{2}|\\u\d{4}/i– Pattern to match encoded characters.Search for obfuscation Output:
[^']{23,}?