Following the data: Taint-tracing in the JS environment

Frustratingly enough, something fishy is going on with an input you're checking manually, but you can't quite put your finger on it.

Something must be happening along the path its value takes through the client side, but its full behaviour eludes you because of the complexity involved: breakpoints need to be set and notes need to be kept.

Well, fret no more! Codename SCNR to the rescue with its client-side data-flow tracing!


What I'm talking about is this:

  • You configure a taint for the JS environment -- i.e. a value that SCNR needs to track as it moves through the page's JavaScript.
  • You operate the browser via a simple API -- Watir or Selenium.
  • You retrieve the flow trace and you're golden! Your job is done! Off to exploitation you go, armed with all the information you could possibly need to make it happen. :)

Let's see this in action.

Suppose you have a web application like this:

ruby tmp/articles/taint_tracer/server.rb -o

You now have to create a simple script like so:

./bin/scnr_script tmp/articles/taint_tracer/script.rb

To get this result:

Cool, right?
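To make the idea behind the trace concrete, here is a small added illustration of the mechanism (not SCNR's code and not the script used above): the configured taint is tracked by wrapping the JavaScript sinks themselves, checking every value that reaches them for the taint and recording the call stack at that moment. The `TaintTracer` class, the stand-in DOM element, the `buildApp` application code and the `#SCNR_TAINT` input are all constructed for this example so it runs under plain Node without a browser.

```javascript
// Added illustration of client-side taint tracing by sink instrumentation.
// Not SCNR's implementation: the tracer, the fake element, the sample app and
// the taint value below are all constructed for this example.

class TaintTracer {
  constructor(taint) {
    this.taint = taint;
    this.trace = []; // one entry per sink hit: { sink, value, frames }
  }

  // Return the first argument that carries the taint (as a substring), if any.
  tainted(args) {
    return args.find((a) => typeof a === 'string' && a.includes(this.taint));
  }

  // Capture where we are: skip the "Error" header line and this record() frame
  // so the recorded frames start at the sink wrapper and the caller above it.
  record(sink, value) {
    const frames = new Error().stack.split('\n').slice(2).map((f) => f.trim());
    this.trace.push({ sink, value, frames });
  }

  // Wrap a function-valued sink such as eval or Element.setAttribute.
  hookFunction(obj, name, label = name) {
    const original = obj[name];
    const tracer = this;
    obj[name] = function (...args) {
      const hit = tracer.tainted(args);
      if (hit !== undefined) tracer.record(label, hit);
      return original.apply(this, args);
    };
  }

  // Wrap an assignable sink such as Element.innerHTML via a property setter.
  hookSetter(obj, name, label = name) {
    const tracer = this;
    let stored = obj[name];
    Object.defineProperty(obj, name, {
      get() { return stored; },
      set(v) {
        if (typeof v === 'string' && v.includes(tracer.taint)) tracer.record(label, v);
        stored = v;
      },
      configurable: true,
    });
  }
}

// Constructed stand-in for a DOM element (Node has no document object).
function makeElement() {
  return {
    innerHTML: '',
    attributes: {},
    setAttribute(key, value) { this.attributes[key] = value; },
  };
}

// Constructed application code: reads a value from the URL fragment, passes it
// through a couple of helpers and finally writes it into the page.
function buildApp(element, fragment) {
  const fromHash = () => decodeURIComponent(fragment.replace(/^#/, ''));
  const greet = (name) => `<b>Hello, ${name}</b>`;
  return {
    render() { element.innerHTML = greet(fromHash()); },
    label() { element.setAttribute('title', 'static label'); },
  };
}

// Configure the taint, hook the sinks, drive the "page" and return the trace.
function traceTaint(taint, fragment) {
  const element = makeElement();
  const tracer = new TaintTracer(taint);
  tracer.hookSetter(element, 'innerHTML', 'Element.innerHTML');
  tracer.hookFunction(element, 'setAttribute', 'Element.setAttribute');
  const app = buildApp(element, fragment);
  app.label();  // untainted value: must not appear in the trace
  app.render(); // tainted value: recorded together with its call stack
  return tracer.trace;
}
```

Calling `traceTaint('SCNR_TAINT', '#SCNR_TAINT')` yields a single entry for the `Element.innerHTML` sink whose `value` is the HTML the taint ended up in and whose `frames` name `render` as the application code that fed it; the same input with a benign fragment yields an empty trace. The real value of the approach is that the recorded frames are exactly the breakpoints and notes the opening paragraphs talk about, collected automatically.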
