Goja JavaScript引擎替换Otto的全面教学文档<\/h1>

1. 背景与动机<\/h2>

Yaklang引擎原本使用Robertkrimen\/otto(简称otto)作为JavaScript解释器，但遇到以下问题：<\/p>

otto的语法树解析实现存在缺陷<\/li>
处理压缩后的JavaScript第三方依赖(如CryptoJS)时出现解析错误<\/li>

性能较低<\/li> <\/ul>

因此决定采用dop251\/goja(简称goja)作为替代方案。<\/p>

2. Goja的优势<\/h2>

2.1 功能特性<\/h3>

完整的ECMAScript 5.1实现<\/li>
部分ECMAScript 6.0功能支持<\/li>

通过了大部分tc39测试套件(官方ECMAScript一致性测试)<\/li> <\/ul>

2.2 性能提升<\/h3>

比otto快6~7倍<\/li> <\/ul>

2.3 兼容性<\/h3>

80%的API保持不变<\/li>

升级对用户几乎无感知<\/li> <\/ul>

3. 不兼容点<\/h2>

以下功能可能存在差异：<\/p>

js.ASTWalk<\/code><\/li>
js.GetSTType<\/code><\/li>

Value<\/code>结构体方法<\/li>
<\/ul>
4. 新特性：内置第三方JavaScript依赖API<\/h2>
4.1 主要特点<\/h3>

快速使用JavaScript第三方依赖<\/li>
初次编译后缓存，后续无需重新编译<\/li>
解决常见库(如CryptoJS)的使用问题<\/li>
<\/ul>
4.2 使用示例<\/h3>
_<\/span>, value<\/span> = js<\/span>.Run<\/span>(`
<\/span><\/span><\/span>    CryptoJS.HmacSHA256("Message", "secret").toString();
<\/span><\/span><\/span>`<\/span>, js<\/span>.libCryptoJSV3<\/span>())
<\/span><\/span>println(value<\/span>.String<\/span>())
<\/span><\/span><\/code><\/pre>5. 实战案例：CryptoJS.AES(CBC)前端加密登陆表单<\/h2>
5.1 目标分析<\/h3>
分析Vulinbox靶场中的高级前端加解密与验签实战案例，前端使用CryptoJS.AES(CBC)模式加密登录表单。<\/p>
5.2 前端加密逻辑<\/h3>
var<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.lib<\/span>.WordArray<\/span>.random<\/span>(128<\/span>\/<\/span>8<\/span>);
<\/span><\/span>
<\/span><\/span>function<\/span> generateKey<\/span>() {
<\/span><\/span>    return<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("1234123412341234"<\/span>) \/\/ 16位密钥
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>const<\/span> key<\/span> =<\/span> generateKey<\/span>()
<\/span><\/span>
<\/span><\/span>function<\/span> Encrypt<\/span>(word<\/span>) {
<\/span><\/span>    return<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>(word<\/span>, key<\/span>, {iv<\/span>:<\/span> iv<\/span>}).toString<\/span>();
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> getData<\/span>() {
<\/span><\/span>    return<\/span> {
<\/span><\/span>        "username"<\/span>:<\/span> document.getElementById<\/span>("username"<\/span>).value<\/span>,
<\/span><\/span>        "password"<\/span>:<\/span> document.getElementById<\/span>("password"<\/span>).value<\/span>,
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> outputObj<\/span>(jsonData<\/span>) {
<\/span><\/span>    const<\/span> word<\/span> =<\/span> JSON<\/span>.stringify<\/span>(jsonData<\/span>);
<\/span><\/span>    return<\/span> {
<\/span><\/span>        "data"<\/span>:<\/span> Encrypt<\/span>(word<\/span>),
<\/span><\/span>        "key"<\/span>:<\/span> key<\/span>.toString<\/span>(),
<\/span><\/span>        iv<\/span>:<\/span> iv<\/span>.toString<\/span>(),
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> submitJSON<\/span>(event<\/span>) {
<\/span><\/span>    event<\/span>.preventDefault<\/span>();
<\/span><\/span>    const<\/span> url<\/span> =<\/span> "\/crypto\/js\/lib\/aes\/cbc\/handler"<\/span>;
<\/span><\/span>    let<\/span> jsonData<\/span> =<\/span> getData<\/span>();
<\/span><\/span>    let<\/span> submitResult<\/span> =<\/span> JSON<\/span>.stringify<\/span>(outputObj<\/span>(jsonData<\/span>), null<\/span>, 2<\/span>)
<\/span><\/span>    \/\/ 发送submitResult到后端
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.3 提炼加密代码<\/h3>
key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>("1234123412341234"<\/span>);
<\/span><\/span>iv<\/span> =<\/span> CryptoJS<\/span>.lib<\/span>.WordArray<\/span>.random<\/span>(128<\/span>\/<\/span>8<\/span>);
<\/span><\/span>
<\/span><\/span>function<\/span> Encrypt<\/span>(word<\/span>) {
<\/span><\/span>    return<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>(word<\/span>, key<\/span>, {iv<\/span>:<\/span> iv<\/span>}).toString<\/span>();
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> getData<\/span>(username<\/span>, password<\/span>) {
<\/span><\/span>    return<\/span> {
<\/span><\/span>        "username"<\/span>:<\/span> username<\/span>,
<\/span><\/span>        "password"<\/span>:<\/span> password<\/span>,
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> outputObj<\/span>(jsonData<\/span>) {
<\/span><\/span>    const<\/span> word<\/span> =<\/span> JSON<\/span>.stringify<\/span>(jsonData<\/span>);
<\/span><\/span>    return<\/span> {
<\/span><\/span>        "data"<\/span>:<\/span> Encrypt<\/span>(word<\/span>),
<\/span><\/span>        "key"<\/span>:<\/span> key<\/span>.toString<\/span>(),
<\/span><\/span>        iv<\/span>:<\/span> iv<\/span>.toString<\/span>(),
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>jsonData<\/span> =<\/span> getData<\/span>("username"<\/span>, "password"<\/span>);
<\/span><\/span>submitResult<\/span> =<\/span> JSON<\/span>.stringify<\/span>(outputObj<\/span>(jsonData<\/span>), null<\/span>, 2<\/span>);
<\/span><\/span><\/code><\/pre>5.4 Yak爆破实现<\/h3>
for<\/span> user<\/span> in<\/span> ["user"<\/span>, "admin"<\/span>] {
<\/span><\/span>    for<\/span> pass<\/span> in<\/span> ["pass"<\/span>, "123456"<\/span>] {
<\/span><\/span>        vm<\/span>, _<\/span> = js<\/span>.Run<\/span>(`
<\/span><\/span><\/span>            key = CryptoJS.enc.Utf8.parse("1234123412341234");
<\/span><\/span><\/span>            iv = CryptoJS.lib.WordArray.random(128\/8);
<\/span><\/span><\/span>            
<\/span><\/span><\/span>            function Encrypt(word) {
<\/span><\/span><\/span>                return CryptoJS.AES.encrypt(word, key, {iv: iv}).toString();
<\/span><\/span><\/span>            }
<\/span><\/span><\/span>            
<\/span><\/span><\/span>            function getData(username, password) {
<\/span><\/span><\/span>                return {
<\/span><\/span><\/span>                    "username": username,
<\/span><\/span><\/span>                    "password": password,
<\/span><\/span><\/span>                }
<\/span><\/span><\/span>            }
<\/span><\/span><\/span>            
<\/span><\/span><\/span>            function outputObj(jsonData) {
<\/span><\/span><\/span>                const word = JSON.stringify(jsonData);
<\/span><\/span><\/span>                return {
<\/span><\/span><\/span>                    "data": Encrypt(word),
<\/span><\/span><\/span>                    "key": key.toString(),
<\/span><\/span><\/span>                    iv: iv.toString(),
<\/span><\/span><\/span>                }
<\/span><\/span><\/span>            }
<\/span><\/span><\/span>            
<\/span><\/span><\/span>            jsonData = getData(%#v, %#v);
<\/span><\/span><\/span>            submitResult = JSON.stringify(outputObj(jsonData), null, 2);
<\/span><\/span><\/span>        `<\/span> %<\/span> [user<\/span>, pass<\/span>], js<\/span>.libCryptoJSV3<\/span>())
<\/span><\/span>        
<\/span><\/span>        body<\/span> = vm<\/span>.Get<\/span>("submitResult"<\/span>).String<\/span>()
<\/span><\/span>        rsp<\/span>, _<\/span> = poc<\/span>.Post<\/span>(
<\/span><\/span>            "http:\/\/127.0.0.1:8787\/crypto\/js\/lib\/aes\/cbc\/handler"<\/span>, 
<\/span><\/span>            poc<\/span>.replaceBody<\/span>([]byte(body<\/span>), false<\/span>)
<\/span><\/span>        )
<\/span><\/span>        println(string(rsp<\/span>.RawPacket<\/span>))
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 迁移指南<\/h2>
6.1 准备工作<\/h3>

确认现有代码中是否使用了otto特有的API<\/li>
备份现有项目<\/li>
<\/ol>
6.2 迁移步骤<\/h3>

更新依赖到goja版本<\/li>
替换导入路径<\/li>
测试核心功能<\/li>
检查不兼容点(如ASTWalk等)<\/li>
更新第三方JS库的调用方式<\/li>
<\/ol>
6.3 测试要点<\/h3>

性能基准测试<\/li>
功能一致性测试<\/li>
第三方库兼容性测试<\/li>
<\/ol>
7. 最佳实践<\/h2>

性能优化<\/strong>：利用goja的缓存机制，避免重复编译<\/li>
错误处理<\/strong>：增加对ES6特性的兼容性检查<\/li>
安全实践<\/strong>：隔离敏感操作的JavaScript执行环境<\/li>
调试技巧<\/strong>：利用vm.Get()<\/code>检查中间状态<\/li>
<\/ol>
8. 常见问题解答<\/h2>
Q1: 为什么我的otto代码在goja中不工作？<\/strong>

A1: 检查是否使用了otto特有的API或行为，特别是AST相关操作。<\/p>
Q2: 如何确保第三方JS库的兼容性？<\/strong>

A2: 使用js.libXXX()<\/code>系列函数加载标准库，并测试压缩和非压缩版本。<\/p>
Q3: 性能提升不明显怎么办？<\/strong>

A3: 检查是否有频繁创建VM实例的操作，尽量复用实例。<\/p>
Q4: 如何处理ES6特性？<\/strong>

A4: goja对ES6支持有限，建议使用Babel等工具转译为ES5。<\/p>

Goja JavaScript引擎替换Otto的全面教学文档<\/h1>

2. Goja的优势<\/h2>

4. 新特性：内置第三方JavaScript依赖API<\/h2>

5. 实战案例：CryptoJS.AES(CBC)前端加密登陆表单<\/h2>

5.1 目标分析<\/h3> 分析Vulinbox靶场中的高级前端加解密与验签实战案例，前端使用CryptoJS.AES(CBC)模式加密登录表单。<\/p>

6. 迁移指南<\/h2>

5.1 目标分析<\/h3>
分析Vulinbox靶场中的高级前端加解密与验签实战案例，前端使用CryptoJS.AES(CBC)模式加密登录表单。<\/p>