JavaScript obfuscation

JavaScript and client side scripting.

m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

I've googled around and I've found a few programs that claim to do this, but I'm really just wondering what someone with some experience using this sort of program would recommend for someone who wants to do this sort of thing.
foobar
Forum Regular
Posts: 613
Joined: Wed Sep 28, 2005 10:08 am

Post by foobar »

How about just not doing it? Anybody with a fair amount of knowledge on the matter can get to your code anyway. There's no good way to hide your JS code, honestly. Sorry to burst your bubble, but that's the truth.

If you have sensitive application code in your JS, move it to the server and use AJAX to communicate with it.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

foobar wrote: How about just not doing it? Anybody with a fair amount of knowledge on the matter can get to your code anyway.
Can you elaborate a bit more on that?
foobar
Forum Regular
Posts: 613
Joined: Wed Sep 28, 2005 10:08 am

Post by foobar »

Sami wrote: Can you elaborate a bit more on that?
Sure. JS obfuscation relies on one of two methods:

1. Encryption of your JS code.
2. Stripping unnecessary whitespace, changing variable and function names to something completely unintelligible, etc.

However, both have major flaws, of varying nature.

1. Encrypting your JS code poses the following problems:
  • It has to be decrypted to be executed, meaning a JS script has to do it. This will make your website load horribly slow. *)
  • Related to the above: a cunning user can use a modified version of the decryption function to output the original code to the browser.
*) Try decrypting an encrypted string in PHP. That already takes a relatively long time, and PHP is much faster than JS most of the time (depends on server & client, respectively).

2. Obscured code:
  • Although it will be fast (even a little faster due to smaller file size), the user is presented with a working copy of your code.
  • A cunning user can create a de-obfuscator for your code, which will do some basic formatting (adding newlines after semi-colons, etc.) as well as renaming variables and functions from things like zT_ppHj to variable001.
  • After doing the step outlined above, the user can proceed to inspect the logic within your script to recreate reasonable naming of variables and functions.
In both cases, you end up with the original code, at least semantically. Now, this does protect you against script-kiddies and other pseudo-hackers, but anybody with a good grasp of these techniques can retrieve your code anyway. Not to mention the speed impediment when using encryption.
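To show how little the renaming approach in point 2 protects, here is a small de-obfuscator of the kind foobar describes (an added example, not code posted in the thread). The function names, the choice to rename only identifiers the script itself declares, and the sample input are assumptions made for the illustration.

```javascript
// Added illustration, not code from the thread. Handles a small ES5-style subset:
// no comments, regex literals, template strings, arrow functions or destructuring.
const TOKEN = /"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[A-Za-z_$][\w$]*|\d[\w.]*|\s+|\S/g;
const IDENT = /^[A-Za-z_$][\w$]*$/;
const DECL = /^(var|let|const)$/;

// Pass 1: map every name the script itself declares (var/let/const, function
// names, parameters) to variableNNN. Globals and property names stay as they are.
function declaredNames(tokens) {
  const names = new Map();
  let prev = '', nest = 0, declNest = -1, fn = false, params = false;
  for (const t of tokens.filter(t => t.trim())) {
    if ('([{'.includes(t)) nest++;
    if (')]}'.includes(t)) nest--;
    if (nest < declNest || (t === ';' && nest === declNest)) declNest = -1;
    if (DECL.test(t)) declNest = nest;
    else if (t === 'function') fn = true;
    else if (t === '(' && fn) { params = true; fn = false; }
    else if (t === ')') params = false;
    else if (IDENT.test(t) && !names.has(t) && (params || prev === 'function' ||
             (nest === declNest && (DECL.test(prev) || prev === ','))))
      names.set(t, 'variable' + String(names.size + 1).padStart(3, '0'));
    prev = t;
  }
  return names;
}

// Pass 2: re-emit the tokens with readable names, a newline after each statement
// and indentation per block. String literals are single tokens, so a ';' or a
// name inside quotes is never touched.
function deobfuscate(src) {
  const tokens = src.match(TOKEN) || [];
  const names = declaredNames(tokens);
  let out = '', depth = 0, parens = 0, prev = '';
  const nl = () => '\n' + '  '.repeat(Math.max(depth, 0));
  for (const t of tokens) {
    if (!t.trim()) { if (out && !/\s$/.test(out)) out += ' '; continue; }
    if (t === '(') parens++;
    if (t === ')') parens--;
    if (t === '{') { depth++; out += '{' + nl(); }
    else if (t === '}') { depth--; out = out.trimEnd() + nl() + '}' + nl(); }
    else if (t === ';' && parens === 0) out = out.trimEnd() + ';' + nl();
    else out += (prev !== '.' && names.get(t)) || t;
    prev = t;
  }
  return out.trim();
}

// Constructed sample of minified, renamed code.
const SAMPLE = 'function zT_ppHj(a,b){var q9=a*b;if(q9>10){return "big;"+q9}return q9.toFixed(2)}';
console.log(deobfuscate(SAMPLE));
```

The output is the same program with its structure visible again, which is why anything that must stay secret belongs on the server, as suggested earlier in the thread.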