Brute forcing encrypted web login forms

There are a ton of ways to brute force login forms; google for it and the first couple of hits will usually do the job. If you have Burp, it will be sufficient for most of the forms out there. Sometimes, however, it is not so straightforward and you’ll need to write your own tool(s). This can be for a variety of reasons, but usually it boils down to either a custom protocol over HTTP(S) or some custom encryption of the data before it is sent. In this post we are going to look at two ways of writing these tools:

  • Your own python script
  • A Greasemonkey script

Since writing either tool first requires understanding and analysing the non-default login form, let’s do the analysis part first. If you want to follow along you’ll need the following tools:

  • Python
  • Burp free edition
  • Firefox with the Greasemonkey plugin
  • FoxyProxy
  • Firefox developer tools (F12)

Please note that even though we are using some commercially available software as an example, this is NOT a vulnerability in the software itself. Most login forms can be brute forced, some forms slower than others ;) As usual you can also skip the blog post and directly download the Python script & the Greasemonkey script. Please keep in mind that they might need to be adjusted for your own needs.


JavaScript deobfuscation: a little start

So I’ve been trying to learn more about the funky world of JavaScript deobfuscation. It’s really fascinating how far protective measures and obfuscation in JavaScript can go. So what kind of stuff have I been playing around with?

SpiderMonkey FTW!

No really, it’s easy, it’s proven and it works. Installing is straightforward and there is lots of documentation. The catch: SpiderMonkey is a bare JavaScript engine with no DOM, so out of the box it has no support for things like document.write(), which obfuscated samples commonly use to inject their next stage. After googling I found two ways to get it. The first involves changing the C sources and recompiling; the other is much easier. Have a look:

Part 1: a nice introduction.

Part 2: the solution for adding document.write() support.

For those interested, here is the method where you need to recompile SpiderMonkey.
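To show what the easier, JavaScript-only route looks like in practice, here is an added example (not the code from the linked posts): instead of patching the engine, define a minimal fake DOM in JavaScript and run the sample against it, logging everything it tries to document.write() so the next stage lands in your hands instead of in a page. In the SpiderMonkey shell you would put the fake DOM in a prelude file and load() it before the sample; here the same objects are handed to the sample as function parameters so the block runs under node without touching real globals. The sample it decodes is constructed for this example and is not real malware; the user-agent string, host names and property lists are assumptions you would adjust to match what the sample checks.

```javascript
// Added example: a fake DOM for running obfuscated samples under a bare JS
// engine. Not the code from the linked posts; all names below are assumed.

// Assumed browser fingerprint. Samples often gate on it, so match the
// browser the sample is targeting or it will silently do nothing.
const DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0";

function makeFakeDom(written, userAgent) {
  const document = {
    // The whole point: capture the injected stage instead of rendering it.
    write(html) { written.push(String(html)); },
    writeln(html) { written.push(String(html) + "\n"); },
    // Properties obfuscated loaders commonly read before deciding to run.
    location: { href: "http://example.invalid/", hostname: "example.invalid", protocol: "http:" },
    referrer: "",
    cookie: "",
    getElementById() { return null; },
    getElementsByTagName() { return []; },
    createElement(tag) {
      return { tagName: String(tag).toUpperCase(), setAttribute() {}, appendChild() {} };
    },
    body: { appendChild() {}, innerHTML: "" },
  };
  const navigator = { userAgent, appName: "Netscape", platform: "Win32", language: "en-US" };
  const window = {
    document, navigator, location: document.location,
    setTimeout() { return 0; }, setInterval() { return 0; },
  };
  window.window = window;
  window.self = window;
  window.top = window;
  return { document, navigator, window, self: window, location: document.location };
}

// Run one sample in its own scope with the fake DOM bound to the identifiers
// it expects (document, window, ...). Returns everything it document.write()s.
function runSample(code, userAgent = DEFAULT_UA) {
  const written = [];
  const dom = makeFakeDom(written, userAgent);
  const names = Object.keys(dom);
  new Function(...names, code)(...names.map((n) => dom[n]));
  return written;
}

// Constructed sample (not real malware): gates on the browser, rebuilds the
// payload from character codes, and injects it with document.write.
const SAMPLE = `
var p = [60,115,99,114,105,112,116,62,97,108,101,114,116,40,49,41,60,47,115,99,114,105,112,116,62];
var s = "";
for (var i = 0; i < p.length; i++) s += String.fromCharCode(p[i]);
if (navigator.userAgent.indexOf("Firefox") != -1) document.write(s);
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(runSample(SAMPLE));              // the decoded stage 2
  console.log(runSample(SAMPLE, "curl/7.0"));  // [] because the browser gate failed
}
```

The second call is the lesson: a sample that writes nothing is not necessarily harmless, it may just not like your fake browser. When the log stays empty, diff what the sample reads (userAgent, location, referrer, cookie) against what the shim offers before concluding anything.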

There are a lot more interesting deobfuscation tools out there to play with, though.

Ultimate deobfuscator

Malzilla

So this has been my little introduction to JavaScript deobfuscation. I will certainly keep playing with it, it’s fun. I never thought JavaScript could be used for so many evil but fun things.