JS-Tap: Weaponizing JavaScript for Red Teams – Drew Kirkpatrick

How do you use malicious JavaScript to attack an application you know nothing about?

Application pen testers often create custom weaponized JavaScript payloads to demonstrate potential impact to clients. Documents are stolen, privileges escalated, or account transfers initiated, depending on what the “crown jewels” are for that client.

Payload development for pen testers is simplified by authenticated access that is typical during application assessments. Pen testers already know what sequence of requests and responses are required to achieve a particular goal when they develop a payload.

Red teams have a different set of challenges and opportunities that are often not conducive to developing tailored JavaScript payloads. Custom applications often have unknown functionality and require a generic payload. Red teams also have opportunities to introduce malicious JavaScript beyond XSS vulnerabilities.

A new open source tool (JS-Tap) will be introduced that is designed to allow red teamers to attack applications using generic JavaScript used as either a post exploitation implant or an XSS payload. When used as an XSS payload, JS-Tap uses a novel persistence technique called an iFrame trap to extend execution time.

JS-Tap captures sensitive data as users interact with the application including screenshots of pages visited and inputs entered by the user such as login credentials. Cookies and local storage are scraped, potentially disclosing sensitive session data. HTML content is also captured providing the application insight needed to develop targeted XSS payloads for future attacks.

Critically, the payload makes no requests to the application server itself.