Function Corruption

07Jul06

Function Corruption is very closely related to XSS. The difference is that in XSS you inject your own JavaScript, while in Function Corruption you inject new arguments for functions that already exist on the page. Function Corruption is very commonly usable in a place where XSS payloads are strictly filtered.

First of all, we need to locate an HTML injection hole. I am sure most of you are very familiar with this, so I will skip finding an HTML hole. If you don't know what HTML injection is, there is a great article on it somewhere in the pile of articles.

Now we find a Function Corruption hole. Look at the source code of the page where your injected HTML will be displayed and look for JavaScript functions that take arguments. An example:

function myfunction(argument)
{
    // whatever is passed in becomes the image's src
    document.getElementById('image').src = argument
}

This is a function that changes the source of an image, presumably to swap a button image or something similar. You will feed this function your own argument so the image becomes whatever you want it to be, or you can manipulate other functions; you just have to be creative and know JavaScript. The parameter (argument, above) is what to look for. Any function that looks like this will not work:

function alertbox()
{
    // no parameter: nothing here is controlled by the caller
    alert("hello world")
}

It will not work because there is no argument: nothing the function does depends on what the caller passes in. You may still be able to do something with it, but it will most likely be lame.

On to the exploit. You work it in a very similar fashion to XSS: you inject a link, a button, or a body onload event. Assuming we are exploiting the first sample script (the one with the image), we call the function from the event with our own arguments. A very tasty little trick is that an event handler attribute runs its value as JavaScript directly, so when you call the function this way you don't need the word "javascript" (as in the javascript: URL scheme), which is usually what gets filtered.

So far I have found a few places to call it from.

Example:
On an "onmouseover":

<a href="whatever.com" onmouseover="myfunction('new image location')">link</a>

On "onload":

<body onload="myfunction('new image location')">

This is kind of a tricky exploit, as you need to understand the page's functions and how to manipulate them. It is almost impossible to do without a little knowledge of HTML and JavaScript. You just have to get creative with the arguments you pass in. From the defender's side, the lesson is that blocklisting "javascript" or <script> is not a fix: any injected event handler attribute is already script execution, and calling the page's own functions is just the quietest way to use it. Encoding output for its HTML context, so that user-supplied text cannot close an attribute or open a tag, removes the injection point and with it both XSS and Function Corruption.
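The following is an added example, not code from the original post. It stubs out the DOM with a plain object so it runs offline under Node.js, models the vulnerable myfunction from above, and shows that a blocklist filter which strips <script> and the javascript: scheme lets an onmouseover payload through untouched, while HTML attribute encoding leaves no handler for the browser to run. The attacker hostname, the filter, and the regex scanner are all illustrative assumptions of this example.

```javascript
// Added example (not from the original post): a Function Corruption payload
// slipping past a keyword blocklist, and why output encoding stops it.
// The DOM is stubbed with a plain object so this runs under Node.js offline.

// Stand-in for the page's <img id="image"> and the vulnerable function that controls it.
const ORIGINAL_SRC = "/img/button.png";
const fakeDocument = {
  elements: { image: { src: ORIGINAL_SRC } },
  getElementById(id) { return this.elements[id]; },
};

function myfunction(argument) {
  fakeDocument.getElementById("image").src = argument;
}

// Attacker-controlled string as it would arrive in a form field or URL parameter.
// The hostname is a placeholder for illustration. Note it contains no "<script"
// and no "javascript:"; it only calls a function the page already defines.
const payload =
  '<a href="https://example.org" onmouseover="myfunction(\'https://attacker.example/fake-button.png\')">link</a>';

// A blocklist filter of the kind the post says usually blocks XSS: it removes
// <script> tags and the javascript: URL scheme, and nothing else (assumed filter).
function naiveFilter(input) {
  return input
    .replace(/<\s*\/?\s*script[^>]*>/gi, "")
    .replace(/javascript\s*:/gi, "");
}

// Contextual fix: encode the five characters that can break out of text or
// attribute context, so injected markup is rendered as literal text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Pull on* event-handler attributes out of HTML as [attrName, jsBody] pairs.
// Deliberately small regex-based scanner for the demo, not a full HTML parser.
function findEventHandlers(html) {
  const re = /\b(on\w+)\s*=\s*"([^"]*)"/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push([m[1].toLowerCase(), m[2]]);
  }
  return found;
}

// Simulate the browser firing each handler: evaluate its body with only the
// page's own function in scope, then report what the image's src became.
function fireHandlers(html) {
  fakeDocument.getElementById("image").src = ORIGINAL_SRC;
  for (const [, body] of findEventHandlers(html)) {
    new Function("myfunction", body)(myfunction);
  }
  return fakeDocument.getElementById("image").src;
}

// Run the payload through both defenses and summarise the outcome.
function demo() {
  const afterNaive = naiveFilter(payload);
  const afterEscape = escapeHtml(payload);
  return {
    naiveUnchanged: afterNaive === payload,          // blocklist touched nothing
    naiveHandlers: findEventHandlers(afterNaive).length,   // 1 live handler
    escapedHandlers: findEventHandlers(afterEscape).length, // 0: no attribute survives
    srcAfterNaive: fireHandlers(afterNaive),         // image now points at attacker
    srcAfterEscape: fireHandlers(afterEscape),       // image unchanged
  };
}

console.log(demo());
```

The payload body never contains anything a keyword filter would recognise as script; the only JavaScript it carries is a call to a function the page ships itself, which is the whole point of the technique. The escaped version is safe not because a better blocklist caught it but because the attacker's text can no longer create an attribute at all.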
