Announcing the Netsparker white paper: Deobfuscating JavaScript
This blog post announces the publication of a Netsparker white paper called Deobfuscating JavaScript Code: A Steam Phishing Website, which examines a real world example of obfuscation in a phishing page that aimed to steal Steam credentials. It also charts the phases and techniques used in the deobfuscation process as the code is cleaned up.
Your Information will be kept private.
Your Information will be kept private.
The topic of this white paper is an example of how to deobfuscate JavaScript code as it's often used in phishing pages. Deobfuscation is the process used to convert a program that has deliberately been made difficult to read (obfuscated), into one that is more straightforward and simple to understand. Obfuscation can be used for legitimate purposes, for example to protect proprietary source code, but it can also conceal malicious intent, so it is important from a security perspective.
This white paper focuses on a specific instance of real world obfuscation. In this case, the example of What Happened? is provided by a phishing page that aimed to steal Steam account credentials. Phishing is a type of online fraud that uses a spoofed website to lure people into providing personal information. The code for a part of this fake site was written in JavaScript and then obfuscated.
By focusing on this example, as explained in A Word Before We Start Deobfuscating, the white paper is able to clarify how the the obfuscation process works and how the attacker approached various problems during the development of their phishing page. There are many other obfuscation techniques that signature-based detection tools might miss. Therefore, deobfuscating JavaScript is useful for the detection of malicious code as well as security bugs.
As the white paper is practical in orientation, it contains code snippets as well as relevant technical explanations. A section of the white paper consists of a Brief Overview of the Obfuscated Code. This examines ten components responsible for running the script. Each is displayed and explained. This allows readers to easily jump from each of these obfuscated code snippets to its deobfuscated counterpart.
The next section, Cleaning up the Code, renames some variables and moves some array keys in order set the groundwork for deobfuscation. Ten instances of obfuscated code are repeated in partially deobfuscated form. Deobfuscation remains incomplete, however, until the next sections of the white paper.
First, in Replacing All the References, as many of the references with their actual values are replaced as possible. The bloated codebase is made comprehensible, and unimportant functions are removed. The last deobfuscation stage is in Finally We are Done! Or are We?. A JavaScript code beautifier – a program that improves the presentation of programming source code – is helpful but it still requires manual work to finish off the deobfuscation process.
After discovering how the script works, the white paper shows how the phishing page worked and a similar phishing page is created with little effort. Finally, the white paper asks What Can We Learn? and offers some practical advice for avoiding this kind of phishing attack. It concludes with Further Reading suggestions.
Sounds interesting? Wait until you learn the details of what code and tactics malicious hackers used – manipulating arrays, functions, loops and variables, to deceive web users into thinking they were using a popup on one website when in fact they were redirected to a cleverly disguised HTML element of another website.
Get the full white paper here: Deobfuscating JavaScript Code: A Steam Phishing Website.