
Thread: A little Javascript / DOM reversing exercise

  1. #1
    dELTA (Administrator)

    A little Javascript / DOM reversing exercise

    Hi all,

    I have a little interesting reversing exercise in the field of Javascript/DOM for you. It might be very easy for those a little more experienced in this field, but it's confusing enough to annoy me anyway, so in that case, please enlighten me.

    A short(ish) background story is that I'm trying to "refill" a pay-card mobile phone with credits, and as of a couple of days ago, the phone company in question has started to demand that customers register an account on their website to be able to do this. So, I think to myself, "that's annoying, but sure, whatever".

    Then comes the funny thing. This company (one of Sweden's biggest mobile phone telecom companies...) has made such a huge screw-up on the website, that it is impossible for customers to register these new required accounts, and they haven't managed to fix the stupid thing for two whole days, just asking people to "hold on" with refilling their cards while they are working to resolve this problem, when you call their support... Errr, can you imagine the amounts of money they are losing for every hour their worthless web consultants are sleeping on the job...?

    So, anyway, the apparent problem (or at least first problem) seems to be that the stupid application form uses some kind of Javascript client side checking, which in turn has some kind of bug making it reject any and all suggestions for passwords, no matter how secure or compliant with their guidelines. The password boxes just turn red, with a big stop sign next to them, as soon as you type anything in them, and the submit button for the form consequently won't work.

    So, I think to myself, ok, I won't let some stupid bug in some crappy client side format validation code stop me, I'll just take a look at the code and bypass it (or even fix their stupid bug for them...).

    Then comes the problem. I cannot seem to find any friggin' event handling code whatsoever connected to those textboxes, and still, they obviously actively react to me typing in them, WTF?!

    So, the exercise is as simple as:
    Exactly how can I locate the Javascript event handling code for these text box controls, using any tool or technique?


    No event handling code is defined directly in the HTML code for the form, so I assume it must be assigned dynamically by some other Javascript code somewhere.

    I have used both the Firebug debugger and DOM inspector to try to find any event code connected to the controls, without any useful results. I have also searched for any reference to e.g. the "password2" text box, in all script code connected to the page (as reported by both Firebug and the "Web Developer" Firefox extension), but still nothing.

    There is some packed Javascript code in the connected script file "http://www.comviq.se/script/s_code.js" though, but my main goal is to dynamically be able to resolve the event code connected to the text boxes, not necessarily to locate the code that assigns it. That's normally the beauty of DHTML, i.e. no matter how people try to obfuscate their HTML code, you can easily "dump" it once it has been "unpacked" for viewing in the browser. That's the exact kind of thing I would like to do for the Javascript event code assigned to these text boxes, and I really think it should be possible, or isn't it, really?

    You will find the mystery form at the following URL:

    http://www.comviq.se/tanka.html

    Search this page for the string "skapa ett h", and click the link that makes up the word starting with the "h" in the end of that string (it contains a Swedish letter that may not be available on your keyboards ("här"), which is why I don't mention the entire word in the search string), and the application form will show up, having the title "Skapa konto".

    The two password text boxes have the following titles:

    "Lösenord (minst 6 tecken varav en bokstav och en siffra)" [= "Password (at least 6 characters, out of which one letter and one number)"]

    and

    "Lösenord igen" [= "Password again"]

    And again, the single objective of this exercise is to find the Javascript code that is assigned as an event handler for these textboxes (or any other DOM object), e.g. the code that makes them red and shows the stop sign when you type something in them - using any tool or technique.

    Any and all help with this is much appreciated!

    PS.
    Yes, you can easily bypass the entire client-side checking by forcing the form to submit manually with some injected javascript code or whatever, but that's not the point. What caught my interest was that I was not able to locate the event handling code, and it annoys the hell out of me, so please let's just focus on that.

    PS2.
    Even if they have fixed the problem (that makes the password boxes red whatever you type) when you take a look at the page, it doesn't matter for this exercise, I would still very much like to know how to locate that event handling code, no matter my original reason for stumbling upon this problem.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  2. #2
    dELTA (Administrator)
    Some more googling reveals that this was apparently completely/theoretically impossible to do before Firefox 3.6, but that APIs on the browser level were introduced to support such enumeration in Firefox 3.6, and that there is a very new (still in beta) Firebug plugin called EventBug (http://www.softwareishard.com/blog/category/eventbug/) which will assist with making use of these APIs in Firebug.

    Seems like I at least had some good timing with this little reversing exercise, but the problem sadly still remains for the page in question though, since for some reason the EventBug plugin still fails to get hold of the source code for the event handler (which it says it should be able to do), but rather only shows some uninteresting information about it...

    Any further ideas / tips?
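    The technique the question above is after, shown as an added example (written for this page, not code from the thread or from the comviq site): hook addEventListener before the page's own scripts run so that every handler attached at run time is recorded, then dump them per element. The FakeElement class and the jQuery-like eventStore are constructed stand-ins, since this runs in Node without a DOM; in a browser the hook would go on EventTarget.prototype, and the side table corresponds to what jQuery keeps in its internal data store. It also shows why a listener dump alone is not enough: a jQuery-style glue listener only delegates, so the validation logic has to be read from that side table.

```javascript
// Added example for this thread; not code from the forum post or from the
// site it discusses. It records handlers as they are attached at run time,
// dumps them, and shows why a jQuery-style "glue" listener shows no useful
// source on its own.

// Constructed stand-in for a DOM element (Node has no DOM); only
// addEventListener and a dispatch helper are needed here.
class FakeElement {
  constructor(id) { this.id = id; this._listeners = {}; }
  addEventListener(type, handler) {
    (this._listeners[type] = this._listeners[type] || []).push(handler);
  }
  dispatch(type, event) {
    (this._listeners[type] || []).forEach(h => h.call(this, event));
  }
}

// Hook addEventListener on a prototype (in a browser: EventTarget.prototype,
// installed before the page's scripts run) and keep a per-element registry.
function instrumentAddEventListener(proto) {
  const registry = new Map();               // element -> [{type, handler, source}]
  const original = proto.addEventListener;
  proto.addEventListener = function (type, handler, ...rest) {
    if (!registry.has(this)) registry.set(this, []);
    registry.get(this).push({ type, handler, source: handler.toString() });
    return original.call(this, type, handler, ...rest);
  };
  return {
    handlersFor(el) { return registry.get(el) || []; },
    restore() { proto.addEventListener = original; },
  };
}

// Constructed stand-in for jQuery's event plumbing (assumption: one glue
// listener per element/type, with the real handlers kept in a side table,
// which is how jQuery's internal data store is organised).
const eventStore = new Map();               // element -> {type: [fn, ...]}
function jqLikeOn(el, type, fn) {
  if (!eventStore.has(el)) eventStore.set(el, {});
  const perEl = eventStore.get(el);
  if (!perEl[type]) {
    perEl[type] = [];
    // This glue is all that a listener inspector sees as "the handler".
    el.addEventListener(type, function glue(e) {
      (eventStore.get(this)[type] || []).forEach(h => h.call(this, e));
    });
  }
  perEl[type].push(fn);
}

// Resolve handlers for an element: the hook yields what was registered with
// the browser; the side table (what $._data(el, "events") exposes in real
// jQuery) yields the code that actually runs.
function resolveHandlers(registry, el) {
  const registered = registry.handlersFor(el).map(r => ({ type: r.type, source: r.source }));
  const real = {};
  for (const [type, fns] of Object.entries(eventStore.get(el) || {})) {
    real[type] = fns.map(fn => fn.toString());
  }
  return { registered, real };
}

function demo() {
  const registry = instrumentAddEventListener(FakeElement.prototype);

  // Case 1: a handler attached directly; its source is visible from the hook.
  const btn = new FakeElement("register-button");
  btn.addEventListener("click", function onClick() { this.clicked = true; });

  // Case 2: a handler attached through the jQuery-like layer; the hook only
  // sees the glue, the side table holds the validation logic.
  const pw = new FakeElement("password");
  jqLikeOn(pw, "keydown", function validatePassword(e) {
    const rule = /^.*(?=.{6,})(?=.*[a-zA-Z])(?=.*[0-9]).*$/;   // rule quoted in the thread
    this.state = rule.test(e.value) ? "ok" : "error";
  });
  pw.dispatch("keydown", { value: "abc" });   // too short: the box would turn red

  const direct = resolveHandlers(registry, btn);
  const viaGlue = resolveHandlers(registry, pw);
  registry.restore();
  return {
    state: pw.state,
    directSourceVisible: direct.registered[0].source.includes("this.clicked"),
    glueOnly: viaGlue.registered.length === 1 && viaGlue.registered[0].source.includes("glue"),
    realSource: viaGlue.real.keydown[0],
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

    Run it with node. The summary demo() returns makes the point of the thread concrete: the directly attached click handler dumps with its full source, while the keydown handler on the password box dumps only as the glue function, and the real validation code is only reachable through the library's own handler table.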

  3. #3
    Kayaker (Teach, Not Flame)
    There's this (open "här" link in new window for source), but the password fields still turn red when you enter something into them (as long as you maintain the modal window association with the parent, and not open the link in a new window).


    Is there an error in the regex?

    password: { required: true, minlength: 4, regex: "^.*(?=.{6,})(?=.*[a-zA-Z])(?=.*[0-9]).*$" }

    Since I can't generally read this crap without help, my old buddy RegexBuddy says this means...

    Assert position at the beginning of the string
    Match any single character that is not a line break character
    Between zero and unlimited times, as many times as possible, giving back as needed (greedy)
    Assert that the regex below can be matched, starting at this position (positive lookahead)
    Match any single character that is not a line break character
    Between 6 and unlimited times, as many times as possible, giving back as needed (greedy)
    Assert that the regex below can be matched, starting at this position (positive lookahead)
    Match any single character that is not a line break character
    Between zero and unlimited times, as many times as possible, giving back as needed (greedy)
    Match a single character present in the list below
    A character in the range between "a" and "z"
    A character in the range between "A" and "Z"
    Assert that the regex below can be matched, starting at this position (positive lookahead)
    Match any single character that is not a line break character
    Between zero and unlimited times, as many times as possible, giving back as needed (greedy)
    Match a single character in the range between "0" and "9"
    Match any single character that is not a line break character
    Between zero and unlimited times, as many times as possible, giving back as needed (greedy)
    Assert position at the end of the string (or before the line break at the end of the string, if any)



    Code:
    <script type="text/javascript">
    $(document).ready(function(){
        $("#phoneNumber").focus();
        $("#phoneNumber").mask("9999999999");
        $("#year").mask("9999");
        $("#month").mask("99");
        $("#day").mask("99");
    });
    $("#register-button").click(function() {
        $("#register-form").submit();
        return false;
    });
    // custom jQuery Validate method: the rule parameter is a regex source string
    $.validator.addMethod(
            "regex",
            function(value, element, regexp) {
                var check = false;
                var re = new RegExp(regexp);
                return this.optional(element) || re.test(value);
            },
            "Please check your input."
    );
    $("#register-form").validate({
        rules: {
            phoneNumber: { required: true, regex: "07(\\d){8}" },
            password: { required: true, minlength: 4, regex: "^.*(?=.{6,})(?=.*[a-zA-Z])(?=.*[0-9]).*$" },
            password2: { required: true, minlength: 4, regex: "^.*(?=.{6,})(?=.*[a-zA-Z])(?=.*[0-9]).*$", equalTo: "#password" },
            email: { required: true, email: true },
            email2: { equalTo: "#email" },
            year: { required: true, digits: true, minlength: 4, maxlength: 4, min: 1900, max: new Date().getFullYear() },
            month: { required: true, digits: true, minlength: 2, maxlength: 2, min: 1, max: 12 },
            day: { required: true, digits: true, minlength: 2, maxlength: 2, min: 1, max: 31 }
        },
        // marks the field's container red (the "stop sign" styling) on failure
        errorPlacement: function(error, element) {
            element.parent().parent().addClass("error-resize");
        },
        success: function(label) {
            elementName = "#" + label.attr("for");
            $(elementName).parent().parent().removeClass("error-resize");
        },
        submitHandler: function() {
            var f = $("#register-form");
            $("#loading-animation").show();
            $.post(f.attr("action"),
                   f.serialize(),
                   function(data) {
                       $("#loading-animation").hide();
                       if (data.indexOf("register-error") != -1) {
                           if (data.indexOf("Account already exist") != -1) {
                               $("#account-message").show();
                               $("#agreement-message").hide();
                           } else if (data.indexOf("agreement") != -1) {
                               $("#agreement-message").show();
                           } else {
                               $("#account-message").show();
                               $("#agreement-message").hide();
                               $("#error-message").show();
                           }
                       } else {
                           $("#TB_ajaxContent").html(data);
                       }
                   }
            );
            return false;
        }
    });
    $("#tb_close_button").click(function(e) {
        tb_remove();
        return false;
    });
    // Enter key in any field submits the form once validation passes
    $("#register-form input").keydown(function(e){
        if (e.keyCode == 13 && $("#register-form").validate()) {
            $("#register-form").submit();
            return false;
        }
    });
    </script>

  4. #4
    dion (Registered User)
    Got the same result.

    And yes, all 3 lines (phone, pass1 and pass2) with the 'regex' parameter were screwed up.

    Dunno about the regexp, but it seems the 'regex' function declaration looks strange..

  5. #5
    dELTA (Administrator)
    Thanks for your replies!

    Even though this does not solve the real exercise, it's helpful to see that code, in order not to go mad.

    I have analyzed the difference in the dynamic DOM source between the scenarios of loading that "window" in its own browser window, and loading it "AJAX style" into a DIV layer (as is done by default).

    For some reason, the jQuery code that you found has completely vanished in the latter case, but is for some reason left intact in the former case. And note that I'm not talking about the static source of that page (i.e. as sent over the wire from the server), but rather the dynamic DOM source, as resolved dynamically from the page DOM after having completed the page loading.

    For those not much into HTML/DOM/Javascript reversing, these two types of source are very different, and the static one can always be viewed with the "View page source" option in Firefox if the page is loaded in a single static block, or captured in pieces by means of an intercept proxy if it's an AJAX style page where the page components are loaded separately with XMLHttpRequest() calls (since the static source given by the "View page source" will only show the static "base page" in that case). The dynamic DOM source on the other hand can be queried from the browser by means of debug APIs, which are being used by several useful Firefox extensions, e.g. the well-known Firebug debugger, and also e.g. another useful extension I often use, called "View Source Chart".

    The problem in this case is that as long as this "window" with the form is loaded as intended (i.e. AJAX style), the jQuery script elements that contained the code you found simply aren't there in the dynamic DOM source, while they are apparently left in this very same dynamic DOM source if you open this "window" in its own browser window.

    But, as mentioned in my original post above "my main goal is to dynamically be able to resolve the event code connected to the text boxes, not necessarily to locate the code that assigns it". This is for the very simple reason that if they would only have packed/obfuscated that JQuery code that you found, you would not have been able to find it that way (i.e. neither by viewing the dynamic DOM source or by viewing/intercepting the static source). That's why I want to be able to resolve the event code dynamically, after the fact (i.e. after the target has been "unpacked and loaded", just like when you dump packed x86 targets).

    This is apparently not even possible in the separately opened browser window version of the code (the events don't even seem to be attached correctly to the text boxes in this case, most likely due to all the jQuery and CSS includes that are not available in this separate window), but even if it were, it would still not be completely relevant to the core question, since if the form window were not opened by means of a simple HTML link, but rather by means of (possibly packed) Javascript code, you would not be able to open it in that separate window in the first place (in any simple way).

    The moral of the story above is that if a protector would just open that new AJAX "window" by means of packed/obfuscated Javascript code, and also pack/obfuscate the jQuery code that defines those events, we, as reversers, would be toast if we cannot resolve the event code dynamically. Being able to "handle" that situation is the entire underlying objective of this little exercise.

    So, the question remains, how can we dynamically resolve/obtain the source of arbitrary event handlers of DOM objects like this on a page, and why does the EventBug plugin fail to do this on this page?



    Oh, and regarding that regexp, it's actually a correct regexp in this context, even if they make some stupid/unnecessary use of lookahead quantifiers, which are practically the most incompatible feature of regular expressions between different regex implementations.

    Those quantifiers should actually be supported by Javascript regexps using that syntax though, so now I'm also a little curious why this code is broken?

    Dion, you mention above that you see some errors in the jQuery syntax defining the regex code, rather than in the regexps themselves? Could you possibly clarify this further? (I'm no jQuery pro)

    Again, thanks a lot for your replies, and even more thanks for the ones you are about to write.

  6. #6
    dion (Registered User)
    I'm not a jQuery expert either,

    nor am I fluent in JavaScript. But from the declaration:
    Code:
    "regex",
            function(value, element, regexp) {
                var check = false;
                var re = new RegExp(regexp);
                return this.optional(element) || re.test(value);
            },
    exactly 3 params, where pass2 can pass 4. And the other is re.test(value), from which the value itself seems always true (for all 3 lines). Also, where is the 'check' var going in the end??

  7. #7
    Kayaker (Teach, Not Flame)
    Quote (originally posted by dELTA): "...Firebug debugger..."
    The Opera Dragonfly debugger picks up the popup registration box inline javascript, but kind of hidden under the Scripts dropdown box and labelled as "Script id:1053".

  8. #8
    I have limited knowledge of Ajax.........

    I don't think it can handle more than one "submit" at a time.

    Woodmann
    Learn Or Die.

  9. #9
    dELTA (Administrator)
    Thanks for the info Kayaker, I guess we have found a good protector trick then (for the time being anyway)...

    Thanks also for the clarification dion. The only part of that code that I don't know what it is, is the "this.optional(element)". The problem is though that if this "regex" function returned true all the time, there shouldn't be any validation problem at all, since that should mean that the validation was "ok", hmm...?

    I will try to talk to the EventBug developers and see what they have to say about it anyway.

    In the meantime, the morons at the telecom company still haven't fixed their buggy code, so I bypassed it with some injected Javascript code in order to be able to continue using my phone.

    But that's not the point anyway, I don't like this protector's trick, and I won't be happy until EventBug can show me all dynamically assigned DOM event handlers, so stay tuned...
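    As an added example (not code from the thread or from the site), here is a stand-alone model of the "regex" validation method quoted in posts #3 and #6, run under plain JavaScript regex semantics to test the points raised in #5, #6 and #9: whether the lookahead pattern is valid in JavaScript, whether re.test(value) is really always true, and what this.optional(element) contributes. The validator object is a constructed stand-in for jQuery Validate's internals; the assumption that optional() returns the string "dependency-mismatch" for an empty field and that the check loop skips a rule returning that value is modelled on the real plugin's behaviour but is not the plugin's code.

```javascript
// Added example, not code from the thread or the site: a stand-alone model
// of the "regex" validation method shown in the thread. The validator object
// is a constructed stand-in for jQuery Validate's internals (assumption:
// optional() returns "dependency-mismatch" for an empty value, and a rule
// returning that value is skipped rather than failed).

const PASSWORD_RULE = "^.*(?=.{6,})(?=.*[a-zA-Z])(?=.*[0-9]).*$";   // from the thread
const PHONE_RULE = "07(\\d){8}";                                    // from the thread

const validator = {
  methods: {},
  rules: {},
  addMethod(name, fn) { this.methods[name] = fn; },
  // Empty value: every other rule treats the field as "optional"; only the
  // required rule (if present) rejects it.
  optional(element) {
    return element.value === "" ? "dependency-mismatch" : false;
  },
  check(element) {
    const fieldRules = this.rules[element.name] || {};
    for (const [method, param] of Object.entries(fieldRules)) {
      if (method === "required") {
        if (param && element.value === "") return false;
        continue;
      }
      const fn = this.methods[method];
      if (!fn) continue;                       // rules not modelled here (minlength, equalTo)
      const result = fn.call(this, element.value, element, param);
      if (result === "dependency-mismatch") continue;
      if (!result) return false;
    }
    return true;
  },
};

// The method body exactly as posted in the thread.
validator.addMethod("regex", function (value, element, regexp) {
  var re = new RegExp(regexp);
  return this.optional(element) || re.test(value);
});

validator.rules = {
  phoneNumber: { required: true, regex: PHONE_RULE },
  password: { required: true, regex: PASSWORD_RULE },
  nickname: { regex: PASSWORD_RULE },         // constructed: an optional field
};

function isValid(name, value) {
  return validator.check({ name, value });
}

function runChecks() {
  return {
    goodPassword: isValid("password", "abc123"),     // true: the lookaheads work in JS
    noDigit: isValid("password", "abcdef"),          // false: re.test is not always true
    tooShort: isValid("password", "ab1"),            // false
    emptyRequired: isValid("password", ""),          // false, via the required rule
    emptyOptional: isValid("nickname", ""),          // true: optional() short-circuits
    phone: isValid("phoneNumber", "0712345678"),     // true
    // Caveat: "07(\\d){8}" is unanchored, so RegExp.test accepts any string
    // that merely contains a matching substring.
    phoneUnanchored: isValid("phoneNumber", "x0712345678x"),  // true
  };
}

console.log(runChecks());
```

    Run it with node. Two things worth noting from the results: the lookahead pattern behaves as intended in JavaScript, so the regex itself is not what breaks the form; and the phone rule is unanchored, so it accepts any input containing a matching substring, which is one more reason the server-side check must not rely on client-side validation.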

  10. #10
    Honza (Guest)
    Hi All,
    dELTA reached me through email and here is my observation related to the Eventbug extension problem.

    I did the following:

    1) Install Firebug 1.6b8 + Eventbug 1.5b3 http://getfirebug.com/releases/eventbug/1.5/eventbug-0.1b3.xpi
    http://getfirebug.com/releases/firebug/1.6X/firebug-1.6X.0a8.xpi

    2) Load http://www.comviq.se/tanka.html

    3) Search this page for the string "skapa ett h", and click the link that makes up the word starting with the "h" in the end of that string

    4) A form appears. The important text box is labeled as "Lösenord (minst 6 tecken varav en bokstav och en siffra)"

    5) Select the HTML panel in Firebug and then the Events side panel.

    6) Use the HTML inspector and select the text box from #4

    7) The proper <input> element is selected in the HTML panel and I see a bunch of event handlers (also keyboard related) that are associated with it in the Events panel. Most of the keyboard-related events are saying "not implemented in Javascript", but there is one keydown for which I see

    function () {
    return typeof o !== "undefined" && !o.event.triggered ? o.event.handle.apply(arguments.callee.elem, arguments) : g;
    }

    So, this could be the glue you are looking for?

    There is also a link that should point to the right place in the code, which doesn't work for me. So, there seem to be two problems: one is that you don't see the source of the handler, and the second is related to the link.

    Do we have the same results?
    Honza
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    Honza (Guest)
    Related issue report in official Firebug list:
    http://code.google.com/p/fbug/issues/detail?id=2940

    Honza

  12. #12
    dELTA (Administrator)
    Hi Honza, nice to have you here!

    (for those who don't know, Honza is the author of the EventBug plugin)

    I have now again performed the exact steps that you mention in your post, and I do not get the same results actually. The difference is that I don't get the source code (the glue code that you mention in your post) for any of the handlers.

    Please see the screenshot attached to this post, for my exact results.

    There is indeed one keydown handler that does not have the "(not implemented in javascript)" marker in the list in the event panel, but once you expand it, there is only a message saying "1 not implemented in javascript".

    Again, please see the screenshot below, to see exactly how it looks. I can also add that the keydown handlers you see in the screenshot are all that are present in the panel list, so nothing relevant is outside of the screenshot.

    Finally, there is one known difference between my setup and yours though, I'm using the last official/auto-updated version of Firebug (1.5.3), while you state above that you are using a 1.6 beta. Might that be affecting this? I will try to install that same beta a little later, and get back to you about the results anyway.

    The EventBug version is the same though (even though it is a little confusingly named, you call it "1.5b3", while the addons list in Firefox lists it as "0.1b3", which is also in the filename of the xpi URL you mention in your post above, even though that URL also contains "1.5" in another part of the URL ).

    Oh, and yes, I did indeed use the "Refresh" button of the Events tab, but it did not make any difference.
    [attached screenshot]

  13. #13
    dELTA (Administrator)
    Hi again Honza,

    I have now tried it with the exact same version of everything as you (Firefox, Firebug and Eventbug), and the problem still remains exactly the same.

    Please see the screenshot below (where I also moved all the relevant version info windows into a position in the screenshot, to eliminate any suspicion about my software versions).

    Damn, I really hate these kinds of problems, where a lot of users experience a bug, but it works just fine for the developers (except for that related link issue in this case), and thus cannot be debugged easily.

    Honza, could you please take a look at these screenshots of mine to see if there is any chance I may have misunderstood anything?

    Also, if you have any ideas for things I could test in order to help you debug this, please just let me know, I would be more than willing to do that.

    Btw, maybe you could try it yourself in a clean VMware machine or similar? As a developer of this application, I can imagine that your machine is quite an "unusual environment" test-case-wise?

    Thanks for any help or comments anyway!
    [attached screenshot]

  14. #14
    Honza (Guest)
    Yeah, you are right, the latest Eventbug is *0.1b3*

    ---

    After some further testing I am able to see the problem (the keydown event handler doesn't show the source, even if apparently implemented in JS).

    The difference is that Firebug is off (Firebug status bar icon is grey) at the time when the page is loaded.
    If Firebug is automatically activated for the page (i.e. the FB UI is opened when the page is loaded) it works for me.

    Can you check these two cases on your machine?

    My configuration:
    Firefox 3.6
    Firebug 1.5.3
    Eventbug 0.1b3

    Honza

  15. #15
    Honza (Guest)
    I have fixed two bugs that could help to solve this issue, see more at
    http://code.google.com/p/fbug/issues/detail?id=2940#c3
    (please try Eventbug 0.1b4)

    Also, Eventbug is using some debugger features, so the Script panel must be enabled (from page load, as I mentioned above).

    The Eventbug UI should somehow indicate the dependence on the Script panel (and inform the user if it's disabled)

    Honza
