Wednesday, October 28, 2015

Advanced JS Deobfuscation Via AST and Partial Evaluation (Google Talk WrapUp)

The following post is a wrap-up of a presentation I gave at Google, thanks to a very interesting initiative that brings web security researchers and Google security engineers together - thanks for the opportunity, BTW!

Instead of talking about my usual topics, such as advanced DOM Based XSS, I decided to present some research on alternative approaches to JavaScript deobfuscation that we have been working on since early this year.

In fact, here at Minded Security we have been dealing with JavaScript for several years now: client-side security research, the AMT agentless anti-malware product and DOMinatorPro are only a few of the reasons why JavaScript work is part of our daily job.

Everyone admits that JavaScript code can sometimes be really hard to read, especially when dealing with minified code or obfuscated malware, and even if there are quite a few JS deobfuscators around, most of them are either runtime sandboxes or overly simple static analyzers.

That is why we developed JStillery, an internal product that helps us with:
  • Analysis of JS malware samples extracted from AMT logs
  • JS Normalization for Malware classification
  • Automatic support for exploiting DOM Based XSS on custom, minimized libraries using DOMinatorPro
  • WAF Analysis of XSS Payloads
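To make the "AST and partial evaluation" idea concrete, here is an added example that is not JStillery's code and not part of the original post: a small parser for a subset of JavaScript expressions (string and number literals, identifiers, `+`, arrays, member access and calls) whose AST is then folded bottom-up. Sub-expressions whose operands are all known are evaluated at analysis time (`String.fromCharCode`, array indexing, `split`/`reverse`/`join`, string concatenation), while anything depending on an unknown identifier is left in place as a residual expression, which is exactly what distinguishes partial evaluation from a runtime sandbox that needs the full environment. The grammar subset and the handled escape sequences are assumptions of this toy.

```javascript
// Tokenizer for a small JS expression subset: strings, integers, identifiers and + ( ) [ ] . ,
function tokenize(src) {
  const re = /\s*(?:("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|(\d+)|([A-Za-z_$][\w$]*)|([+()\[\].,]))/y;
  const toks = [];
  while (re.lastIndex < src.length) {
    if (/^\s*$/.test(src.slice(re.lastIndex))) break;          // only trailing whitespace left
    const pos = re.lastIndex, m = re.exec(src);
    if (!m) throw new SyntaxError('bad token at offset ' + pos);
    if (m[1] !== undefined) toks.push({ type: 'str', value: m[1].slice(1, -1).replace(/\\(.)/g, '$1') }); // simple escapes only (assumption)
    else if (m[2] !== undefined) toks.push({ type: 'num', value: Number(m[2]) });
    else if (m[3] !== undefined) toks.push({ type: 'id', value: m[3] });
    else toks.push({ type: 'punct', value: m[4] });
  }
  return toks;
}

// Recursive-descent parser producing a tiny ESTree-like AST
function parse(src) {
  const toks = tokenize(src);
  let i = 0;
  const isPunct = (p) => toks[i] !== undefined && toks[i].type === 'punct' && toks[i].value === p;
  const expect = (p) => { if (!isPunct(p)) throw new SyntaxError('expected ' + p); i++; };
  function parseArgs(close) {                 // comma-separated expressions up to a closing punct
    const args = [];
    while (!isPunct(close)) { args.push(parseExpr()); if (isPunct(',')) i++; }
    expect(close);
    return args;
  }
  function parsePrimary() {
    const tok = toks[i++];
    if (!tok) throw new SyntaxError('unexpected end of input');
    if (tok.type === 'str' || tok.type === 'num') return { type: 'Literal', value: tok.value };
    if (tok.type === 'id') return { type: 'Identifier', name: tok.value };
    if (tok.value === '(') { const e = parseExpr(); expect(')'); return e; }
    if (tok.value === '[') return { type: 'Array', elements: parseArgs(']') };
    throw new SyntaxError('unexpected ' + tok.value);
  }
  function parsePostfix() {                   // member access and calls bind tighter than +
    let node = parsePrimary();
    for (;;) {
      if (isPunct('.')) {
        i++; const p = toks[i++];
        if (!p || p.type !== 'id') throw new SyntaxError('expected property name');
        node = { type: 'Member', object: node, property: { type: 'Literal', value: p.value }, computed: false };
      } else if (isPunct('[')) { i++; const p = parseExpr(); expect(']'); node = { type: 'Member', object: node, property: p, computed: true }; }
      else if (isPunct('(')) { i++; node = { type: 'Call', callee: node, args: parseArgs(')') }; }
      else return node;
    }
  }
  function parseExpr() {                      // left-associative +
    let node = parsePostfix();
    while (isPunct('+')) { i++; node = { type: 'Binary', op: '+', left: node, right: parsePostfix() }; }
    return node;
  }
  const ast = parseExpr();
  if (i !== toks.length) throw new SyntaxError('trailing tokens');
  return ast;
}

const isLit = (n) => n !== undefined && n.type === 'Literal';
const isStr = (n) => isLit(n) && typeof n.value === 'string';
const allLit = (nodes) => nodes.every(isLit);

// Partial evaluator: fold what is statically known, keep everything else as residual AST
function fold(node) {
  switch (node.type) {
    case 'Array': return { ...node, elements: node.elements.map(fold) };
    case 'Binary': {
      const left = fold(node.left), right = fold(node.right);
      if (isLit(left) && isLit(right)) return { type: 'Literal', value: left.value + right.value };
      // (x + "b") + "c"  ->  x + "bc": safe because "b" forces string concatenation
      if (isStr(right) && left.type === 'Binary' && isStr(left.right))
        return { type: 'Binary', op: '+', left: left.left, right: { type: 'Literal', value: left.right.value + right.value } };
      return { ...node, left, right };
    }
    case 'Member': {
      const object = fold(node.object), property = fold(node.property);
      if (node.computed && object.type === 'Array' && isLit(property) && Number.isInteger(property.value)
          && isLit(object.elements[property.value])) return object.elements[property.value];   // ["a","b"][1] -> "b"
      return { ...node, object, property };
    }
    case 'Call': {
      const callee = fold(node.callee), args = node.args.map(fold);
      if (callee.type === 'Member' && !callee.computed) {
        const method = callee.property.value, obj = callee.object;
        if (obj.type === 'Identifier' && obj.name === 'String' && method === 'fromCharCode' && allLit(args))
          return { type: 'Literal', value: String.fromCharCode(...args.map((a) => a.value)) };
        if (obj.type === 'Array') {
          if (method === 'reverse' && args.length === 0) return { type: 'Array', elements: [...obj.elements].reverse() };
          if (method === 'join' && allLit(obj.elements) && allLit(args))
            return { type: 'Literal', value: obj.elements.map((e) => e.value).join(...args.map((a) => a.value)) };
        }
        if (isStr(obj) && method === 'split' && args.length === 1 && isStr(args[0]))
          return { type: 'Array', elements: obj.value.split(args[0].value).map((s) => ({ type: 'Literal', value: s })) };
      }
      return { ...node, callee, args };
    }
    default: return node;                     // Literal, Identifier
  }
}

// Code generator: prints the (partially) folded AST back as JavaScript
function print(node) {
  const wrap = (n) => (n.type === 'Binary' ? '(' + print(n) + ')' : print(n));
  switch (node.type) {
    case 'Literal': return JSON.stringify(node.value);
    case 'Identifier': return node.name;
    case 'Array': return '[' + node.elements.map(print).join(', ') + ']';
    case 'Binary': return print(node.left) + ' + ' + wrap(node.right);
    case 'Member': return node.computed ? wrap(node.object) + '[' + print(node.property) + ']' : wrap(node.object) + '.' + node.property.value;
    case 'Call': return wrap(node.callee) + '(' + node.args.map(print).join(', ') + ')';
  }
}

const deobfuscate = (src) => print(fold(parse(src)));

// Constructed samples: fully foldable payload vs. one that depends on an unknown variable
console.log(deobfuscate('String.fromCharCode(97, 108, 101, 114, 116) + ["(", "1", ")"].join("")'));
console.log(deobfuscate('"trela".split("").reverse().join("")'));
console.log(deobfuscate('"doc" + "ument" + "." + loc + [w, "indow"][0]'));
```

The last sample shows the residual form a static folder has to be comfortable with: `loc` and `w` are unknown, so the string pieces around them are merged but the identifiers survive, and an analyst (or a later pass with more knowledge) can still reason about them instead of getting a sandbox crash on an undefined variable.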
Slides:



And a short video showing what JStillery can do:



Comments are always welcome!