The Invisible JavaScript Backdoor

The approach for creating the backdoor was to first, find an invisible Unicode character that can be interpreted as an identifier/variable in JavaScript. Beginning with ECMAScript version 2015, all Unicode characters with the Unicode property ID_Start can be used in identifiers (characters with property ID_Continue can be used after the initial character).

The character “ㅤ” (0x3164 in hex) is called “HANGUL FILLER” and belongs to the Unicode category “Letter, other”. As this character is considered to be a letter, it has the ID_Start property and can therefore appear in a JavaScript variable – perfect!

Next, a way to use this invisible character unnoticed had to be found.

Posted by SH

Leave a Reply

Exit mobile version