Spotting Malicious Code Hidden in Plain Sight
Recently, Peter Jaric hosted a Javascript misdirection contest where contestants attempted to write elegant code to surreptitiously pass a generated key to a remote server. The trick of the contest, however, was to hide the malicious code in plain sight.
I decided that it would be good practice for me to try to get inside the head of a malicious coder, so that I could get better at watching out for it since I frequently experiment with obscure open source projects by authors of unknown repute.
Contest Entry
For my entry, I decided to try to disguise assignments within the evaluation portions of if statements as comparisons.
For example,
if (isvalid = validate(key,1))should actually be
if (isvalid == validate(key,1))Simple, but easily overlooked, and a common enough error to pass off as an “honest mistake”.
Because, in Javascript, assignments evaluate as true, in the code below, the index gets set to “2” at the first evaluation, and, because the first if statement is true, the interpreter skips the rest of the conditions, so the function always returns the key regardless of the original index input.
var validate = function(key,index){
var isvalid,debug_statement;
if (index = 2){
debug_statement = "test for key";
} else if (index = 1){
debug_statement = "test for validation";
} else if (index = 0){
debug_statement = "test for debug_statement";
} else {
index=0; debug_statement = "invalid index";
}
var validation = new RegExp("(\\d|[a-f]){8}-(\\d|[a-f]){4}-(\\d|[a-f]){4}-(\\d|[a-f]){4}-(\\d|[a-f]){12}");
if (validation.test(key)){
isvalid = true;
} else{
isvalid = false;
}
return [debug_statement,isvalid,key][index];
}Although many of the contest entries were far more advanced than my own, I found the competition to be an engaging exercise. Check out the winning submission and Peter Jaric’s analysis of the competition.