So when your IPS alerts on suspicious JavaScript (which is almost never blocked in a default configuration), you can:
- A) Investigate, get a sample of the offending page and potentially spend hours trying to work back through it by hand.
- B) Investigate, browse the page with your browser to see what happens, and potentially get pwned.
- C) Ignore it, and hope the local AV got it.
Today, however, I ran into a higher-than-usual volume of alerts, all of which were based on the presence of an unescape() call. In anticipation of having to do this again, and the VM being a poor solution to begin with, I built a Java sandbox, starting with a JavaScript interpreter.
Here's the recipe:
1. Cygwin (optional, but you know I love it, and it makes certain things easier)
2. Current Sun JRE for Win32
3. Rhino JavaScript engine
Create an unprivileged local user who's not even a member of 'Everybody'. You're never going to log in as this user anyway. Now unpack the JRE and Rhino to a directory where that user can view them. If you have Cygwin, build a home directory for your user, and then create a bash shell shortcut with that directory in the "Start In" line. Now use RunAs to launch your shell as the unprivileged user, and start Rhino:
Now you can dump JavaScript to the shell and watch it execute with relatively low risk of pwnage. Rhino also has a GUI debugger that's ideal for stepping through more advanced JavaScript trickery.