We have an OpenSource Extension Similar like Greasemonkey only used in Firefox . Users can submit (Java)scripts for other Users to run. This gets abused by sending malicious code.
We want to rough autocheck in future with a script the submitted Code.
We don't allow or want to further investigate:
-
making page requests
-
obfuscation attempts
We already filter:
- btoa
- eval
- window.
- a regex for url's /^(http|https|ftp)://([A-Z0-9][A-Z0-9_-]*(?:.[A-Z0-9][A-Z0-9_-]*)+):?(\d+)?/?/i
- the above url regex adjusted for escape,encode,encodeURI,encodeURIComponent v.versa
What could help:
-
other possible bad patterns & functions
-
a regex to filter for obfuscation attempts
Thank you for your ideas !!
EDIT:
I guess this is it so far. Thanks to every contributor ! Would be welcome though to find a broadly valid regex to filter for already obfuscated code.
Source: Tips4all
Community wiki
ReplyDeleteAdd any ideas you have, and keep in mind that it is a rough check.
Tip beforehand: Also run the code through Google's Closure compiler, to easily get rid off constructs like window['e'+'v'+'a'+l]('....') and character escape sequences like \x65\x76\x61\x6c.
Do not only check for functional hazards. For example, typed arrays are an easy method to fill the memory with junk, causing instabilities at the user's OS. If the volume of scripts permit it, I recommend to test the script in a sandbox, e.g. in a VM.
window.pollute = new ArrayBuffer(2e9); // Reserves 2 GB of memory
while(1); // Infinite loops
Global objects (any permutation of these):
window
document.defaultView
top
parent
frames
self
content
Other:
The Function constructor and setTimeout / setInterval with a string argument - Eval in disguise
document.createElement - Possibly injecting code or external resources.
cloneNode / appendChild / replaceChild / insertBefore - Dangerous when combined with dynamic elements.
document.scripts - Basically any DOM manipulation!
document.cookie / localStorage / globalStorage
XMLHttpRequest
document.forms - HTTP requests
document.anchors / document.links - Spoofing links?
document.applets / document.embeds / document.plugins
document.load - Loads a (XML) document
document.execCommand - Executes a command on the current document
Image / Audio - HTTP requests
open (pop-ups)
document.open / document.write / document.writeln - Replacing or injecting arbitrary data in the current page
innerHTML / outerHTML - Same as previous one (outerHTML does not exist in FF)
Many events plus setAttribute, addEventListener etc.
Worker - Loading web workers from external sources (!)
location / document.URL - Changing the page's location
history - History / location manipulation (!)
document.implementation - Creating arbitrary documents.
DOMParser - Creating arbitrary documents.
Object.defineProperty / __defineGetter__ / __defineSetter__ etc.
WebSocket / MozWebSocket
console or any property thereof
debugger statement - acts like a breakpoint for debugging purposes
InstallTrigger - A Firefox-specific object to manage installs.
File / FileReader / FormData / MozBlobBuilder
Packages / java
Obfuscation
.. detection can be done in 2 ways (searching the functions or the output).
Search for obfuscation Functions:
unescape / escape
encodeURIComponent / decodeURIComponent
encodeURI / decodeURI
btoa / atob
/\\x[0-9a-f]{2}|\\u\d{4}/i - Pattern to match encoded characters.
HTML entities (in conjunction with event attributes).
Search for obfuscation Output:
Regex to search for strings greater than X, eg 23 [^']{23,}?