[TriLUG] NSFW?
    Igor Partola via TriLUG 
    trilug at trilug.org
       
    Wed Mar 18 16:53:37 EDT 2015
    
    
  
Hey, we can fit quite a bit of stuff into whitespace:
http://www.securitytube.net/video/3670
For those not able/willing to watch a video, the approach is to encode a
<script> HTML tag with JavaScript inside as ASCII. Then represent the ASCII
in a binary format where the Tab character is 0, and the Space character is
1. You write your malicious code like so, put it into a web page, then add
a small decoding function at the bottom that creates a <script> tag with
the decoded source code inside.
The idea is that someone inspecting your code will only ever see really
long lines of whitespace, followed by a short innocuous-looking JS function.
Igor
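
A reviewer's counterpart to the technique described in the message above, as an added example that is not part of the original post: it scans page source for long runs that mix tabs and spaces and decodes them with the Tab = 0, Space = 1 mapping, so the hidden text can be read. The function names, the 16-character threshold, the 8-bits-per-character packing and the sample page are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): find and decode whitespace-encoded
// text in page source. Mapping per the post: Tab = 0, Space = 1.
// Assumptions: 8 bits per ASCII character; runs of 16+ characters are reportable.
const MIN_RUN = 16;

// Decode a run of tabs/spaces into text, ignoring any trailing partial byte.
function decodeRun(run) {
  let out = "";
  for (let i = 0; i + 8 <= run.length; i += 8) {
    let code = 0;
    for (const ch of run.slice(i, i + 8)) {
      code = (code << 1) | (ch === " " ? 1 : 0);
    }
    out += String.fromCharCode(code);
  }
  return out;
}

// True when the decoded bytes look like text rather than random alignment noise.
function isPrintable(text) {
  return /^[\x09\x0a\x0d\x20-\x7e]+$/.test(text);
}

// Report every long whitespace run that mixes tabs and spaces, with its decoding.
function findWhitespacePayloads(source) {
  const runPattern = new RegExp(`[ \\t]{${MIN_RUN},}`, "g");
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const match of line.matchAll(runPattern)) {
      const run = match[0];
      // Ordinary indentation uses one character; an encoded run needs both.
      if (!run.includes("\t") || !run.includes(" ")) continue;
      const decoded = decodeRun(run);
      findings.push({ line: idx + 1, length: run.length, decoded,
                      printable: isPrintable(decoded) });
    }
  });
  return findings;
}

// Constructed sample page: deep space-only indentation (benign) and one
// whitespace-only line that encodes the harmless text "hi".
const SAMPLE = [
  "<html>",
  "                <p>deeply indented, spaces only</p>",
  "\t  \t \t\t\t" + "\t  \t \t\t ",
  "</html>",
].join("\n");

console.log(findWhitespacePayloads(SAMPLE));
```

If an encoded run sits directly after ordinary indentation, the bit alignment shifts; retrying the decode at offsets 0 through 7 and keeping the printable result handles that case.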
    
    