Bananascript.com
Internets most efficient javascript compression tool




2008-02-09 jQuery inside a stylesheet?
Yes, it can be done.

I have made an example that demonstrates how malicious javascript can be hidden in not so obvious places. In this (harmless) case, the entire jQuery library, version 1.2.3, has been minified, obfuscated, compressed, encrypted, then compressed some more and finally stored in a stylesheet.
Another javascript file, which is also minified/obfuscated/compressed/encrypted, loads this external stylesheet, decompresses and decrypts it, then injects the resulting javascript into the document.

The example has only been written for IE and FF on Windows XP SP2. Safari and Opera can't run this example. Mozilla based browsers other than FF might work, but I have not tested it.

This example is just a "proof of concept" of an idea I got after reading an article where the author calls packer a security threat. I can't see how a compressed javascript which includes decompression code in clear view, could be a security threat. The decompression code itself is very short and does only simple string operations.
If anything would be a security threat, it would be the technique demonstrated here. Stylesheets are mostly seen as 100% harmless but can contain just about any malicious javascript code. Encrypting and compressing it without any visible decompression code anywhere and without a single recognizable character in the stylesheet, how would anyone know that something bad is hiding inside?

A couple of notes:
If the example hangs on "Loading stylesheet", reload and try again. There seems to be a timing error sometimes.
The original jQuery 1.2.3 file is 96763 bytes. Reduced here to 19845 bytes by combining my own compressor and Dean Edwards packer.
If you want to have a look at the stylesheet, then it's right here.


And again, the example is here.


1 comments:


bucabay says:
Good example. Yes, it would be hard to put the two together and realize there is malicious JS in there. However, just the fact that you have meaningless characters in the CSS selector should tip anyone off.
Posted Oct 28th 2009 at 01:46. Link




Add a comment:
Name:
Link:
Comment:
Antispam: Enter rmkst backwards in upper case


Statistics:
Average compression:76.1%
Highest compression:100.0%
Files compressed:96205
Bytes uploaded:3897708265
Bytes removed:2966760557
News & Updates: