6

I'd like to determine if a given JavaScript contains the logic to make an AJAX/WCF call, or determine if one is being executed at runtime.

Does anything like this exist?

AviD
makerofthings7

3 Answers

4

I'm using a Firefox plugin called JavaScript Deobfuscator. This works very well, as I'm able to see all scripts that are compiled and all executed scripts. This updates on the fly, and contains good details on all the executed scripts.

You can also use filters to only capture JavaScript on a given domain. This plugin has helped me a lot in web pentesting.

You can find it here: https://addons.mozilla.org/en-US/firefox/addon/10345/

Quote from the plugin page:

This add-on will show you what JavaScript gets to run on a web page, even if it 
is obfuscated and generated on the fly. Simply open JavaScript Deobfuscator from the
Tools menu and watch the scripts being compiled/executed.
Scott Pack
Chris Dale
2

If you want to examine the JavaScript, à la code review, @joni's answer is best - search for XMLHttpRequest, but also eval, relevant jQuery methods, and might as well include image tags, script tags, XML tags, and any other tag that can retrieve a remote URI - CSS included.

However, if you have the option it would be much simpler to determine at runtime - simply attach a sniffer or proxy, and watch what happens.
Of course, you'd still have to make sure to trigger whatever conditions set it off, but still much simpler.

AviD
0

The simple way would be to just grep for XMLHttpRequest. But this is far from complete, because there are plenty of other ways to set up an HTTP request (e.g. by adding an image or script tag to the DOM). Additionally, a malicious user could use eval() in combination with rot13 or whatever other obfuscation function, and I bet there are thousands of other cheap tricks. The answer is, you'd have to implement a complete JavaScript engine which executes the code in a sandbox and then traces any request.

joni
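The approach the answers above converge on (execute the script and trace what it requests, instead of grepping for XMLHttpRequest), as an added example that is not part of the original posts. It assumes Node.js; `traceRequests`, the stub objects and the `example.test` URLs are constructed for illustration.

```javascript
const vm = require('node:vm');

// Run `source` with network-capable browser APIs replaced by recording stubs.
// node:vm is NOT a security boundary: analyse untrusted scripts only inside a
// disposable VM or container.
function traceRequests(source, timeoutMs = 1000) {
  const seen = [];
  const log = (via, url) => seen.push({ via, url: String(url) });

  class XMLHttpRequest {
    open(method, url) { log('XMLHttpRequest', url); }
    setRequestHeader() {}
    send() {}
  }
  // In a browser, assigning src/href on these elements triggers a fetch.
  const makeElement = (tag) => {
    const el = {};
    for (const prop of ['src', 'href']) {
      Object.defineProperty(el, prop, { set(url) { log(`<${tag}>.${prop}`, url); } });
    }
    return el;
  };
  const sandbox = {
    XMLHttpRequest,
    fetch: (url) => { log('fetch', url); return new Promise(() => {}); },
    Image: function Image() { return makeElement('img'); },
    document: { createElement: makeElement, body: { appendChild() {} } },
  };
  sandbox.window = sandbox.self = sandbox;
  vm.runInNewContext(source, sandbox, { timeout: timeoutMs });
  return seen;
}

// Constructed sample: rot13 + eval hides the XHR from a plain grep.
const rot13 = (s) => s.replace(/[a-zA-Z]/g, (c) => {
  const base = c <= 'Z' ? 65 : 97;
  return String.fromCharCode((c.charCodeAt(0) - base + 13) % 26 + base);
});
const hidden = rot13('new XMLHttpRequest().open("GET", "https://api.example.test/data")');
const SAMPLE = `
  var decode = ${rot13.toString()};
  eval(decode(${JSON.stringify(hidden)}));
  new Image().src = "https://img.example.test/p.gif";
`;

console.log('grep hit:', /XMLHttpRequest/.test(SAMPLE));
console.log(traceRequests(SAMPLE));
```

The trace only records code paths that actually execute during the run; timers, event handlers and branches that depend on page state are not triggered by this harness and would need their own stubs.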