Scan Javascript for abusive functions and patterns

Question

We have an OpenSource Extension Similar like Greasemonkey only used in Firefox. Users can submit (Java)scripts for other Users to run. This gets abused by sending malicious code.

We want to rough autocheck in future with a script the submitted Code.

We don't allow or want to further investigate:

• making page requests
• obfuscation attempts

We already filter:

• btoa
• eval
• window.
• a regex for url's /^(http|https|ftp)://([A-Z0-9][A-Z0-9_-]*(?:.[A-Z0-9][A-Z0-9_-]*)+):?(\d+)?/?/i
• the above url regex adjusted for escape,encode,encodeURI,encodeURIComponent v.versa

What could help:

• other possible bad patterns & functions
• a regex to filter for obfuscation attempts

Thank you for your ideas !!

EDIT:

I guess this is it so far. Thanks to every contributor ! Would be welcome though to find a broadly valid regex to filter for already obfuscated code.

Answer 1

Community wiki

Add any ideas you have, and keep in mind that it is a rough check.

Tip beforehand: Also run the code through Google's Closure compiler, to easily get rid off constructs like window['e'+'v'+'a'+l]('....') and character escape sequences like \x65\x76\x61\x6c.

Do not only check for functional hazards. For example, typed arrays are an easy method to fill the memory with junk, causing instabilities at the user's OS. If the volume of scripts permit it, I recommend to test the script in a sandbox, e.g. in a VM.

window.pollute = new ArrayBuffer(2e9); // Reserves 2 GB of memory
while(1);                              // Infinite loops

Global objects (any permutation of these):

• window
• document.defaultView
• top
• parent
• frames
• self
• content

Other:

• The Function constructor and setTimeout / setInterval with a string argument - Eval in disguise
• document.createElement - Possibly injecting code or external resources.
• cloneNode / appendChild / replaceChild / insertBefore - Dangerous when combined with dynamic elements.
• document.scripts - Basically any DOM manipulation!
• document.cookie / localStorage / globalStorage
• XMLHttpRequest
• document.forms - HTTP requests
• document.anchors / document.links - Spoofing links?
• document.applets / document.embeds / document.plugins
• document.load - Loads a (XML) document
• document.execCommand - Executes a command on the current document
• Image / Audio - HTTP requests
• open (pop-ups)
• document.open / document.write / document.writeln - Replacing or injecting arbitrary data in the current page
• innerHTML / outerHTML - Same as previous one (outerHTML does not exist in FF)
• Many events plus setAttribute, addEventListener etc.
• Worker - Loading web workers from external sources (!)
• location / document.URL - Changing the page's location
• history - History / location manipulation (!)
• document.implementation - Creating arbitrary documents.
• DOMParser - Creating arbitrary documents.
• Object.defineProperty / __defineGetter__ / __defineSetter__ etc.
• WebSocket / MozWebSocket
• console or any property thereof
• debugger statement - acts like a breakpoint for debugging purposes
• InstallTrigger - A Firefox-specific object to manage installs.
• File / FileReader / FormData / MozBlobBuilder
• Packages / java

Obfuscation

.. detection can be done in 2 ways (searching the functions or the output).

Search for obfuscation Functions:

• unescape / escape
• encodeURIComponent / decodeURIComponent
• encodeURI / decodeURI
• btoa / atob
• /\\x[0-9a-f]{2}|\\u\d{4}/i - Pattern to match encoded characters.
• HTML entities (in conjunction with event attributes).

Search for obfuscation Output:

• Regex to search for strings greater than X, eg 23 [^']{23,}?