Tuesday, January 14, 2014

JSDetox 0.2 released

I committed some changes to JSDetox last December, fixing some bugs and introducing new features. The following bugs are now fixed:
  • Handling of anonymous function calls (see Issue #7)
  • Upload of files containing UTF-8 characters (see Issue #9)
  • Handling of Prefix/Postfix Operators (like "i++") in static analysis (thanks to Jackmcbarn)
The JavaScript parsing library used in JSDetox (rkelly) is not maintained anymore, so I removed the ruby gem dependency and included the source with JSDetox to allow bug fixes and improvements.

Apart from the bug fixes, the following improvements/features were implemented:
  • Optimized plugin handling, improving analysis performance
  • Code execution now allows the optional execution of "eval()" statements (thanks to Jackmcbarn)

Jackmcbarn found an obfuscator creating code that led to an error when executed with JSDetox. He tracked the problem down to this code:

function a() {
        /* ... */
}
function b() {
        eval("b = a");
        b();
}
b();

JSDetox logs "eval()" statements and allows the analysis of the code that would be executed. In this case, that behavior leads to code that never returns: because the "eval()" statement is only logged and not executed, "b" is never replaced by "a", so "b()" keeps calling itself recursively until this leads to a stack error.
JSDetox now provides the option "Execute eval() statements" in the right pane.
When this option is enabled, the evaluated code gets logged (allowing further analysis) and executed. JSDetox now detects when too many eval() statements are executed, aborts the execution and provides a hint to the new option.
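The difference between logging and executing eval() on the pattern above, as an added sketch that is not JSDetox's own code. The helper `analyze`, the `maxEvals` budget and the abort message are assumptions, and the sample is a constructed variant with return values so the outcome can be observed:

```javascript
// Constructed sample: the pattern from the post, with return values added.
const SAMPLE = `
function a() { return "payload ran"; }
function b() {
        eval("b = a");
        return b();
}
b();
`;

// Hypothetical helper (not JSDetox code): runs `source` with eval() hooked.
//   executeEvals = false: eval() arguments are only logged.
//   executeEvals = true:  they are logged and then executed.
// maxEvals is an assumed budget; exceeding it aborts before the stack overflows.
// The source runs in this process, so feed it the constructed sample only.
function analyze(source, { executeEvals = false, maxEvals = 100 } = {}) {
  const realEval = globalThis.eval;
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  const logged = [];
  let calls = 0;
  globalThis.eval = function hookedEval(code) {
    if (++calls > maxEvals) {
      throw new Error("too many eval() calls, try executing eval() statements");
    }
    logged.push(String(code));
    // Indirect call: runs in global scope, where the sample's functions live.
    return executeEvals ? realEval(code) : undefined;
  };
  try {
    // Indirect eval: the sample's a() and b() become global functions.
    return { result: realEval(source), logged, aborted: null };
  } catch (err) {
    return { result: undefined, logged, aborted: err.message };
  } finally {
    globalThis.eval = realEval;
    // Remove the globals the sample created.
    for (const name of Object.getOwnPropertyNames(globalThis)) {
      if (!before.has(name)) Reflect.deleteProperty(globalThis, name);
    }
  }
}
```

In log-only mode the run aborts after 100 logged copies of "b = a"; with `executeEvals: true` the assignment takes effect, one eval is logged and the call returns.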