Bypassing Inline Javascript - For Fun and For Job Applications
As a recent tertiary graduate and - now - fervent job hunter, I am becoming very familiar with Australian IT recruiting firms' websites, their submission forms and how to dive into their murkily-coded depths in order to submit as much, little or varied forms of input in order to make my point and stand out from my peers. Most recently I was asked to provide my cover letter in plaintext, and in no more than 300 characters. I understand why they would impose restrictions like this but I simply had a little more to say and a few ideas about how I could get them to read it. First - and foremost - jump into your browser's developer mode (firebug in FF, built in - in chrome, no idea about IE because nobody uses IE...) and examine your opponent's employer's code. In my case the submission sanitisation was written with inline javascript which is totally fantastic for security (oh, oh lol no). I determined that the submission button called a javascript function, which then jumped off into a myriad of hosted .js sanitisation scripts which look like they'd been bought for bargain basement prices. The beauty of this - er - firm's submission scripts was that after the sanitisation all returned true it simply called the 'submit()' function and threw everything at their mail server, as long as the function didn't exit before that final call. Now, in modern browsers you can not only modify js, php, etc. values on the fly - as it's executing - but you can throw breaks into the page and provide your own snippets of code to be executed before the break skips on. In they who shalt not be named's submission form I simply punched in all of the details I wanted sent, threw a break before the sanitisation scripts and then clicked 'submit'. Once the script broke I simply called the 'submit()' function and - TADA! - my details were ferried off to the HR goons' inbox, with all 800 cover letter words included. It was a coin toss, really. Break their code for a security position and they'll be intrigued or they'll hate you immediately. (DNS enum'd another potential employer recently and brought up web-facing - but should definitely be internal - servers and that they were several revisions behind in certain software [read:PoC targets] and I was stonewalled and shown the door). Two days later I received a rejection email from Awful WebDevs Incorporated without a hint of curiosity as to how I'd provided three times as much information as other candidates. Or more importantly how I broke their submission engine and what that means for their systems security. If I were on their team I'd certainly be a *little* curious as to why our shit was wrecked. 500 extra characters sent is one thing - but what if it was an infected .pdf (a disallowed format I sent successfully, subsequently landing in some HR guys inbox), embedded code or something worse. I'll provide some pics at a later date but just thought I'd smash out this rant while it was fresh. Keep your current team, guys, they're doing great.













