
Backdooring JavaScript using minifier bugs - joshsharp
https://zyan.scripts.mit.edu/blog/backdooring-js/
======
yoz-y
I wonder. Should one ever use minified javascript code on a server? Assuming
that you are using it on your own server and not distributing the code to
clients.

Is there any benefit to it?

~~~
phpnode
> Is there any benefit to it?

Well, in theory yes. When determining whether a specific function can be
inlined into its call site, V8 looks at the length of the function _source
code_ to try and guess whether it's worth it. Functions longer than 600
characters (including comments) cannot be inlined and therefore they will
typically be slower.

Whether that makes any meaningful difference to your application performance
really depends on the application. In most cases it won't.

~~~
StavrosK
Wait, what if you have really really long comments? Or do they get stripped
out beforehand?

~~~
phpnode
Comments affect this heuristic, so yeah, commented code can be slower.

------
jand
Nice to read text on a clever find.

Could somebody please confirm or invalidate my understanding, that this
backdoor is just exploitable in addition with other (severe) issues?

An attacker would have to have the ability to tailor/manipulate JS scripts
which should be under control of the victim?

Or am I mistaken?

~~~
bcrypt
That's correct. I did not discover vulnerabilities in existing libraries or
add backdoors to any of them. :)

The attack scenario described in the post is (1) attacker writes some
plausible-looking patches to an existing library like jQuery, (2) attacker
convinces library maintainer to merge the patches, (3) someone builds the
library with a buggy minifier, which creates the actual backdoor.

~~~
tracker1
It's interesting all the same. It's kind of why exploits in very popular
things like WordPress become problematic for so many for so long.

------
NullCharacter
Really slick. To translate the idea behind compiler backdoors to JS minifier
backdoors is pretty clever.

------
hspak
Applying DeMorgan's Law to reduce a few characters in JS seems really
overkill...

Reading this makes it seem hardly worth saving a few bytes over.

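The cheap defence against a rewrite that "saves a few bytes" but changes behaviour is to diff the original and rewritten expressions over awkward inputs before the bundle ships. The following is an added example, not code from the linked post or from any minifier; the three rewrites and the value corpus are constructed for illustration, and none of them reproduces the UglifyJS bug the post describes.

```javascript
// Differential check of boolean rewrites, of the kind a minifier's test suite
// or a build pipeline can run: evaluate the original expression and its
// rewritten form over awkward values and report every disagreement.
// All rewrites below are constructed for illustration; none is minifier output.

// Constructed corpus: values that commonly break boolean and comparison rewrites.
const CORPUS = [0, -0, 1, 2, "", "0", null, undefined, NaN, true, false, [], {}];

// Run both functions over every (a, b) pair and collect the inputs on which
// they diverge. Object.is treats NaN as equal to itself and 0 as distinct
// from -0, so it compares results more strictly than === would.
function findDivergences(original, rewritten, corpus = CORPUS) {
  const diffs = [];
  for (const a of corpus) {
    for (const b of corpus) {
      const want = original(a, b);
      const got = rewritten(a, b);
      if (!Object.is(want, got)) diffs.push({ a, b, want, got });
    }
  }
  return diffs;
}

// De Morgan on operands that are already negated: !a && !b  ->  !(a || b).
// Both sides always yield a boolean, so this rewrite is semantics-preserving.
const deMorganOriginal = (a, b) => !a && !b;
const deMorganRewrite = (a, b) => !(a || b);

// Dropping the double negation to save bytes: !!a && !!b  ->  a && b.
// The rewrite no longer coerces to boolean, so code that later checks
// `=== true` or serializes the result observes a different value.
const coerceOriginal = (a, b) => !!a && !!b;
const coerceRewrite = (a, b) => a && b;

// Negating a comparison by flipping its operator: !(a <= b)  ->  a > b.
// Every comparison involving NaN is false, so the two disagree whenever
// either side converts to NaN.
const compareOriginal = (a, b) => !(a <= b);
const compareRewrite = (a, b) => a > b;

// Number of divergent input pairs for each rewrite over the corpus.
function divergenceCounts() {
  return {
    deMorgan: findDivergences(deMorganOriginal, deMorganRewrite).length,
    coerce: findDivergences(coerceOriginal, coerceRewrite).length,
    compare: findDivergences(compareOriginal, compareRewrite).length,
  };
}
console.log(divergenceCounts());
```

Only the genuine De Morgan rewrite survives the corpus with zero divergences; the other two "shorter" forms each disagree with the original on many input pairs, which is exactly the kind of gap a review of the unminified source would never show.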
------
samuellb
This makes me think that there could be similar bugs in the browser, when it
JIT-compiles or optimizes JavaScript code. That could be used to take control
of the whole browser/OS if used in an add-on/extension (given that it has
sufficient privileges).

~~~
makomk
There have been similar bugs in browser JITs that allow websites to escape the
sandbox - usually incorrect optimisations that cause the JIT to elide bounds
checks when it can't safely do so, probably since those are the easiest to
exploit.

