Friday, October 3, 2014

JavaScript Obfuscation - Hide in Plain Sight

JavaScript: Awesome, is it?

JavaScript--JS--can be a powerful resource when it comes to web programming,  but it can be a bit tricky since anyone (including hackers) can see the actual source code being embedded. This is particularly problematic if you intend to include application logic in your web pages, or you hope to make use of fairly confidential data like API keys from within your JS source.

Obfuscation at a glance

Obfuscation--altering code while preserving its behavior but concealing its structure and intent, according to dictionary definition--uses the concept of confusion to protect delicate pieces of JavaScript code from prying eyes.

How it works

JS obfuscation often makes use of the eval() feature of JS, which allows an arbitrary string to be evaluated using the JS evaluation engine. This allows the breakdown of actual source code into fragments of strings which, when combined in some way and fed to eval(), can achieve the same effect as the original code.

For example,

x=['a', 'l', 'e', 'r', 't', '(', '\"', 'H', 'e', 'l', 'l', 'o', '\"', ')'];
eval(x.join(''));
would result in the display of an alert message "Hello" in the browser.

With some more thinking, one can increase the level of confusion by using techniques like breaking up the array to further fragments, substituting characters with their ASCII codes and using function calls, loops and other control structures to break up the code fabrication algorithm.

No comments:

Post a Comment