Sunday, June 7, 2009

Very Cool jsunpack-n release: JavaScript Decoding on the Network (The Future)

My favorite tools to decode JavaScript today are for security research and often have too little impact because administrators must find URLs, submit them for research, and it requires significant additional effort. There is no current way to detect threats against a real network using these tools in an automatic manner.

Until now! I started building a tool that is useful to administrators defending networks. The main difference is that it is a completely passive JavaScript decoder to perform Intrusion Detection, by processing network traffic (either an interface or pcap file), rather than URLs.

I built a basic implementation of this concept as a new version of "jsunpack-network" or (jsunpack-n). Some of the benefits of this technique are:

  • Tracks streams and decodes Transfer and Content encodings of types chunked and gzip.

  • Completely passive: Don't need to worry about User-Agents, proxies, or other tricks that attackers use to prevent analysis

  • Detect if an exploit is successful: the system monitors all URLs. It can determine if an exploit would fetch another URL and when the client requests that URL, the system knows that the exploit was successful.

The source code for this project is available from Here is an example output using the test file (included in the jsunpack-n.tgz archive):

$ ./ sample-http-exploit.pcap
DECODED JavaScript Data
exploit_watch append hxxp://

The exploit_watch variable tracks all URLs to track if an exploit is successful and if it is, then the script prints the associated IP addresses and URLs:

print 'Exploit Successful ', tcp.addr, ' from URL ', exploit_watch[host+url]

Since this project is very new, I expect there will be a few issues and therefore you run this at your own risk. I am releasing this code as alpha/unstable, because I think that there is a lot of opportunity to improve it.

Two of the areas that are completely lacking at this point are

  • signature-based detection

  • pdf decoding

I am releasing a PDF decoding script with this code, available in the jsunpack-n.tgz archive called ""; however, I haven't integrated it with jsunpack-n yet. While this should be a simple task, I'm still testing and improving the PDF decoding, as it now only handles a few of the decoding techniques I'd like it to support.

Please leave me your comments (good or bad), to improve the project. I haven't fully integrated jsunpack's algorithms yet (I will soon, I promise).

1 comment:

  1. Interesting work. One thing you might consider is looking at vortex. It uses libnids under the hood also. It could allieviate performance issues associated with live capture, faciliate multiple parallel instances of the js analyzer, and abstract away all the network issues so you only have to worry about acting on streams of data.