Polymorphic javascript
Published: Wed, 27 Feb 2008 12:45:11 GMT
Updated: Sat, 22 Mar 2025 15:38:10 GMT
Finding a pattern in malicious javascript is difficult: it's possible to selectively change the source code yet still execute the same payload. There are many ways to morph Javascript, and I shall go through a few of the possibilities and provide examples through Hackvertor (which now supports code morphing).
In order for a pattern to be established, the detection mechanism needs to understand hexadecimal, unicode and octal escapes along with general javascript syntax. It's difficult to maintain polymorphic code without an increase in size; this could be an indicator that malicious code exists, because the code only has so many characters it can selectively modify without encoding the whole payload again. Of course an encoding/compression algorithm could maintain the same size, but I think this is easier to detect.
A common factor with malicious javascript is the use of eval or external connections; if a site is using eval in more than one instance and on multiple pages, it could contain malicious code. Even the use of a single eval is not that common on the average web site, and whitelisting the existing known code could be a good way of detecting malicious content.
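As an added example from the detection side (my own code, not Hackvertor's), here is a small normaliser that undoes the hexadecimal, unicode and octal escapes, String.fromCharCode calls and string concatenation described above, so that an eval heuristic or signature runs against the canonical text rather than against one particular morph of it. The function names are my own choice.

```javascript
// Added example, not Hackvertor's code: canonicalise the escape forms the post
// lists so that an eval heuristic or signature matches the decoded text.
"use strict";

// \\ (kept as-is), \xHH, \u{H..}, \uHHHH and legacy octal \NNN escapes.
const ESCAPE_RE = /\\(\\|x[0-9A-Fa-f]{2}|u\{[0-9A-Fa-f]{1,6}\}|u[0-9A-Fa-f]{4}|[0-7]{1,3})/g;

function decodeEscapes(src) {
  return src.replace(ESCAPE_RE, (m, body) => {
    if (body === "\\") return m;                                   // escaped backslash, leave it
    if (body[0] === "x") return String.fromCharCode(parseInt(body.slice(1), 16));
    if (body[0] === "u") {
      const hex = body[1] === "{" ? body.slice(2, -1) : body.slice(1);
      return String.fromCodePoint(parseInt(hex, 16));
    }
    return String.fromCharCode(parseInt(body, 8));                // octal
  });
}

// String.fromCharCode(104, 0x69, ...) with purely numeric arguments -> the literal it builds.
const FCC_RE = /String\.fromCharCode\(\s*((?:0x[0-9A-Fa-f]+|\d+)(?:\s*,\s*(?:0x[0-9A-Fa-f]+|\d+))*)\s*\)/g;

function foldFromCharCode(src) {
  return src.replace(FCC_RE, (m, args) =>
    JSON.stringify(args.split(",").map(a => String.fromCharCode(Number(a.trim()))).join("")));
}

// "al" + "ert" -> "alert" (same quote style on both sides, no escapes inside).
const CONCAT_RE = /(["'])([^"'\\]*)\1\s*\+\s*\1([^"'\\]*)\1/g;

function foldConcat(src) {
  return src.replace(CONCAT_RE, (m, q, a, b) => q + a + b + q);
}

// Iterate to a fixed point so layered morphs (escapes inside charcode arguments,
// concatenations that only appear after folding) are all undone.
function normalize(src) {
  let prev;
  do {
    prev = src;
    src = foldConcat(foldFromCharCode(decodeEscapes(src)));
  } while (src !== prev);
  return src;
}

// Count the indicators singled out above, on the normalised text.
function countIndicators(src, keywords = ["eval(", "unescape(", "document.write("]) {
  const counts = {};
  for (const k of keywords) counts[k] = src.split(k).length - 1;
  return counts;
}
```

Because each pass only shrinks the text, the loop in normalize always terminates; the size check the post mentions can be taken as the difference between the raw and normalised lengths.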
I believe the best form of defense is attack, and therefore I've created code morphing tags in Hackvertor. The tags are not comprehensive but provide a good reference on how javascript code can be selectively modified. There are two classes of morph currently in Hackvertor: random morph and full morph. Random mode will modify a small section of the code without changing the result, and full mode will encode the entire payload; this is similar to the code morphing script I wrote previously but contains more features.
Random morphing
Ternary operators can be used to partially morph a string:- Random ternary morph
Unicode morphing can be used in function calls and javascript strings, the following example shows how the alert function can be changed. Click convert a few times to see the different results:- Unicode morph
Character codes can partially modify a string like this:- Charcodes morph
Finally I'll show the variable morph; there are more morphs available, but I'll leave you to experiment with them. The variable morph simply selects an individual character and creates a separate string:-
Full morphing
Here I show how the urlencode functions can be used to morph the entire payload:- Escape morph
Ternary morphs can also be applied to a full payload:- Ternary morph
Advanced examples
The example below shows how to create a javascript link with multiple random morphs, which uses hex entity encoding with a unicode and character code random morph:- Javascript link url
Here's how to take a string and randomly encode parts of it with urlencoding and character codes:- Random parts morph
This is my last one now; there are so many combinations I could show you. Click the execute output button to view:- Reversing keywords