Announcing the Deobfuscating JavaScript White Paper

Category: Web Security Readings - Last Updated: Thu, 04 Apr 2019 - by Netsparker Security Team

The topic of this white paper is an example of how to deobfuscate JavaScript code as it is often used in phishing pages. Deobfuscation is the process of converting a program that has deliberately been made difficult to read ('obfuscated') into one that is more straightforward and simple to understand. From a security perspective, obfuscation can be used for benign or malicious purposes, either to protect proprietary source code or to hide malicious intentions.

This white paper focuses on a specific instance of real-world obfuscation. The example, introduced in the section What Happened?, is a phishing page that aimed to steal Steam account credentials. Phishing is a type of online fraud that uses a spoofed website to lure people into providing personal information. The code for a part of this fake site was written in JavaScript and then obfuscated.

By focusing on this example, as explained in A Word Before We Start Deobfuscating, the white paper is able to clarify how the obfuscation process works and how the attacker approached various problems during the development of their phishing page. There are many other obfuscation techniques that signature-based detection tools might miss. Therefore, deobfuscating JavaScript is useful for the detection of malicious code as well as security bugs.

As the white paper is practical in orientation, it contains code snippets as well as relevant technical explanations. A section of the white paper consists of a Brief Overview of the Obfuscated Code. This examines ten components responsible for running the script. Each is displayed and explained. This allows readers to easily jump from each of these obfuscated code snippets to its deobfuscated counterpart.

The next section, Cleaning up the Code, renames some variables and moves some array keys in order to lay the groundwork for deobfuscation. Ten instances of obfuscated code are repeated in partially deobfuscated form. Deobfuscation remains incomplete, however, until the next sections of the white paper.

First, in Replacing All the References, as many of the references as possible are replaced with their actual values. The bloated codebase is made comprehensible, and unimportant functions are removed. The last deobfuscation stage is covered in Finally We are Done! Or are We? A JavaScript code beautifier (a program that improves the presentation of programming source code) is helpful, but manual work is still required to finish off the deobfuscation process.
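The reference-replacement step described above can be sketched as follows. This is an added example, not code from the white paper: the obfuscated sample, the array name `_0x3f1a` and the function names are constructed for illustration, and only a single `var` array of double-quoted strings is handled.

```javascript
// Constructed sample, not taken from the white paper: a string lookup array
// with hex-escaped entries, referenced by decimal and hex indices.
const SAMPLE = [
  'var _0x3f1a = ["\\x76\\x61\\x6c\\x75\\x65", "\\x75\\x73\\x65\\x72", "getElementById", "\\x6c\\x6f\\x67"];',
  'var field = document[_0x3f1a[2]](_0x3f1a[0x1]);',
  'console[_0x3f1a[3]](field[_0x3f1a[0]]);',
].join("\n");

// Decode \xHH and \uHHHH escapes found inside a string literal body.
// Other escape sequences are left as written; extend this for real samples.
function decodeEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Inline every reference to the lookup array. The input is handled purely as
// text and is never evaluated, so analysing a hostile script cannot run it.
function inlineStringArray(source) {
  const decl = /var\s+([\w$]+)\s*=\s*\[((?:\s*"(?:[^"\\]|\\.)*"\s*,?)+)\s*\]\s*;?\s*/.exec(source);
  if (!decl) return source; // no lookup array found: leave the code untouched
  const [whole, name, items] = decl;
  const table = [...items.matchAll(/"((?:[^"\\]|\\.)*)"/g)].map((m) => decodeEscapes(m[1]));
  // Match name[index] only when name is not the tail of a longer identifier.
  const ref = new RegExp(
    "(?<![\\w$])" + name.replace(/\$/g, "\\$&") + "\\[(0x[0-9a-fA-F]+|\\d+)\\]", "g");
  return source
    .replace(whole, () => "") // drop the array declaration itself
    .replace(ref, (match, idx) => {
      const i = Number(idx); // accepts decimal and 0x-prefixed hex
      return i < table.length ? JSON.stringify(table[i]) : match;
    })
    // obj["name"] becomes obj.name when the key is a plain identifier
    .replace(/(?<=[\w$)\]])\[\s*"([A-Za-z_$][\w$]*)"\s*\]/g, ".$1");
}

console.log(inlineStringArray(SAMPLE));
```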

After establishing how the script works, the white paper shows how the phishing page worked and creates a similar phishing page with little effort. Finally, the white paper asks What Can We Learn? and offers some practical advice for avoiding this kind of phishing attack. It concludes with Further Reading suggestions.

Why not take a look for yourself? Check out the detail of what code and tactics malicious hackers used, manipulating arrays, functions, loops and variables, to deceive web users into thinking they were using a popup on one website, when in fact they were redirected to a cleverly disguised HTML element of another website.

For further information, see the white paper Deobfuscating JavaScript Code: A Steam Phishing Website.