CTF Support

JavaScript

Obfuscation

Code obfuscated with many common techniques can be deobfuscated using de4js or JavaScript Deobfuscator.

Code obfuscated with Obfuscator.io can be deobfuscated using Obfuscator.io Deobfuscator.

Vulnerable Packages

If package-lock.json is accessible, vulnerable packages can be checked for by running the command npm audit in the same directory as package-lock.json.

# npm audit report

ion-parser  *
Severity: critical
ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse` - https://github.com/advisories/GHSA-7vrv-5m2h-rjw9
fix available via `npm audit fix`
node_modules/ion-parser

1 critical severity vulnerability

Other tools like Snyk CLI can be used to achieve the same results.

Prototype Pollution

Prototype pollution is a vulnerability that allows an attacker to modify the prototype of an object and potentially execute arbitrary code.

For example, consider the following code:

const merge = require('deepmerge');

let obj = {};
let payload = '{"__proto__": {"polluted": true}}';

let result = merge(obj, JSON.parse(payload));

console.log(obj.polluted); // true

In this example, the merge function merges the obj object with the payload object. The payload object has a __proto__ property, which the merge follows to the prototype of obj, Object.prototype, and modifies it. As a result, obj now inherits a polluted property.
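
The same effect can be reproduced without any dependency. The following is an added example, not code from the original page or from deepmerge: naiveMerge and safeMerge are hypothetical helpers, and the "name" key in the payload is constructed. The first merge recurses into __proto__ and pollutes Object.prototype; the second skips prototype-related keys and recurses only into properties the target owns.

```javascript
// Added example: naiveMerge and safeMerge are hypothetical helpers, not deepmerge code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable: target['__proto__'] resolves to Object.prototype, so the
// recursion copies attacker-controlled keys onto the shared prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip prototype-related keys and recurse only into properties
// the target owns itself, never into anything it inherits.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      const own = hasOwn(target, key) && isObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(own, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges on the page's payload (plus a constructed "name" key)
// and reports whether a fresh, unrelated object inherits `polluted`.
function demo() {
  const payload = '{"__proto__": {"polluted": true}, "name": "ctf"}';
  naiveMerge({}, JSON.parse(payload));
  const naive = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution before the second run
  const merged = safeMerge({}, JSON.parse(payload));
  const safe = ({}).polluted === true;
  return { naive, safe, mergedKeys: Object.keys(merged) };
}

console.log(demo());
```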