JS/HTML Obfuscation - Security & Cryptography

Hello fellow *nixer,
This thread is about obfuscating the content of a webpage.
This might not be so useful, security wise, because all the sensitive information should be kept server side.
However, for the ones trying to reverse engineer the page this is a huge obstacle.
#### JS Obfuscation
I found two nifty tools on the internet that are heavily used to obfuscate js.
[jsobfuscator](http://javascriptobfuscator.com/) by CuteSoft.net
and the extremely popular [packer](http://dean.edwards.name/packer/) by Dean Edwards.
I've stumbled upon the last one while reverse engineering a website where I had to do some vote automation.
The **packer** is characterized by its signature :
The packer is also ported to multiple other languages.

#### Deobfuscating JS
A little story on the side now. After finding the packer in the html of the website I was working on, I started to search around the internet for how to decrypt it. Some people said to use the **decode** button on the packer site and to unlock it by changing the attributes in the page source, but this wasn't a smart solution.
Then, I found an amazing website. The [js beautifier](http://jsbeautifier.org/).
This website de-obfuscates js and makes it look good by rearranging the syntax.
Now, the question is: _Can it de-obfuscate consecutive encryptions?_ It's known that doing consecutive hashes is a bad security habit because it augments the risk of collision, but here we are talking about obfuscating the readability of the code and not about a one-to-one correspondence (hash).
The results show that after doing the obfuscation three times the jsbeautifier page cannot de-obfuscate it.
The jsbeautifier is also ported to multiple other languages.

#### Obfuscating html
This one is just plain stupid but for the sake of it I'll just leave some words about it.
You can obfuscate a page by encrypting it with a password and let js decrypt it with the password key at login.
That's a huge hassle for something of that importance and it makes the website unmaintainable.
If you want to try that out, here is a page that lets you do that: [protect page with password](http://www.zubrag.com/tools/html-passwor...ncoder.php)
Another method is to just blurt out the page from js. Here are some example websites:
This also makes the page extremely hard to maintain.
On the other hand, it prevents bots from spidering your websites and it also prevents login automation via scripts (considering you also post a salt key or another dynamic element in the page at login). It also makes sure that the user has js enabled.
So if you can turn that into an easy to maintain process you will have a pretty obscured website and might never appear in search engines.

#### Obfuscating Text
Obfuscating text isn't meant to hide it. It stops search engines that crawl your website and look for keywords on it.
[This](http://www.textobfuscator.com/) amazing website lets you do that.
However, this might make the people reading your website really angry.

Last note:
Encryption on the user side is stupid, never do that. The only time you might want to do that is to not send a password around the network in clear text, thus you hash it before posting it.
Obfuscation is another story. It's just to make the page content unreadable and unmaintainable.

Feel free to contribute to this thread.

EDIT: I've already posted this thread before the server move. Fortunately, I always save the threads I write.
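
An added example, not part of the original post and not jsbeautifier's or packer's own code: a static unpacker that peels packer-style layers in a loop without ever calling `eval`, which is how an analyst can approach the consecutive-obfuscation question raised above. The wrapper signature and argument layout are those commonly produced by Dean Edwards' packer and are not quoted from the post; `pack` is a hypothetical helper that only builds constructed test input with a stub decoder body.

```javascript
// Static unpacker for packer-style wrappers (added example). Never calls eval.
const DIGITS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
// Layout: eval(function(p,a,c,k,e,r){...}('payload',radix,count,'w0|w1'.split('|'),0,{}))
const PACKED =
  /eval\(function\(p,a,c,k,e,[rd]\)\{.*?\}\('(.*)',(\d+),(\d+),'([^']*)'\.split\('\|'\)/s;
const TOKEN = /\b[0-9a-zA-Z]+\b/g;

const encode = (n, radix) =>
  (n >= radix ? encode(Math.floor(n / radix), radix) : '') + DIGITS[n % radix];
const decode = (tok, radix) =>
  [...tok].reduce((n, ch) => n * radix + DIGITS.indexOf(ch), 0);

// Undo one layer; returns null when src is not a packer wrapper.
function unpackOnce(src) {
  const m = PACKED.exec(src);
  if (!m) return null;
  const radix = Number(m[2]);
  const words = m[4].split('|');
  const payload = m[1].replace(/\\(['\\])/g, '$1'); // undo \' and \\ escapes
  // An empty dictionary slot means the token stands for itself.
  return payload.replace(TOKEN, (t) => words[decode(t, radix)] || t);
}

// Peel layers until the signature is gone or the layer budget is spent.
function unpackAll(src, maxLayers = 10) {
  let layers = 0;
  for (let next; layers < maxLayers && (next = unpackOnce(src)) !== null; layers++) {
    src = next;
  }
  return { code: src, layers };
}

// Hypothetical helper: builds CONSTRUCTED input in the same layout. The decoder
// body is a stub, so its output is test data, not runnable packed code.
function pack(src, radix = 62) {
  const words = [...new Set(src.match(TOKEN))];
  const body = src.replace(TOKEN, (w) => encode(words.indexOf(w), radix));
  const quoted = body.replace(/['\\]/g, '\\$&');
  return `eval(function(p,a,c,k,e,r){/*decoder elided*/}('${quoted}',${radix},` +
    `${words.length},'${words.join('|')}'.split('|'),0,{}))`;
}

const sample = pack(pack(pack('alert("hello world");'))); // three constructed layers
console.log(unpackAll(sample)); // { code: 'alert("hello world");', layers: 3 }
```

Because each layer is decoded by string substitution only, the untrusted script is never executed while it is being unpacked.
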
Good that you save your threads :).
- - -
My favourite kind of JS obfuscation method is to use non-alphanumeric JS. However, it does change the actual operation, rather than simply being a source-only obfuscation technique.

Here's an example I wrote ages ago. Note that I couldn't get the 'h' or 'w', I couldn't think of what I could reference to get the 'w', and didn't know how I could go about referencing the math object to get the 'h'.

It's basically the equivalent (as far as what it achieves, not how it functions) to:
javascript:alert("hello world");
- - -
EDIT: I thought I'd add to my post, so I decided to try to find some other obfuscated JS code I've written in the past to post that includes other things. Yet I couldn't find it. I think I must have deleted it or it's on some hard drive I hadn't checked yet (but the ones I had left to check I don't normally store this kind of stuff on them).

Anyway, I decided to make a new reference if it's of any interest. [JS-Non-AlphaNumeric-Reference](https://github.com/ScrimpyCat/JS-Non-Alp...-Reference) If you want a full char set (and you will if you want to do more complicated things) you'll probably need to use the DOM to reference the other characters (or at least the 'h', then you can use fromCharCode). To do that you can make use of the function object.

Some other fun things to include in obfuscated JS code are things like "fake comments" (at least that's what I refer to them as, it's actually just messing about with the regex literals or similar).

Here's a few basic examples:
console.log("1234"[1,/2,/1,/3,//3,0]); //will print: 1
console.log("1234"[1,/2,0]/1,/3,//0,2]/*/3,0]\*/); //will print: 3
console.log("one"+/two//*//."four"/.*/+"three"); //will print: one/two/three

EDIT: Also here's the original example generated with that script. Much shorter :).

The not so pretty ruby code
puts JSSymbol.new("javascript:window[#{_a+_l+_e+_r+_t}]('h'+#{_e+_l+_l+_o+__space}+'w'+#{_o+_r+_l+_d});")

Though to make it a bit more fun, will just remove the window (since it's not going to be time consuming).

puts JSSymbol.new("javascript:#{_Function}(#{_r+_e+_t+_u+_r+_n+__space+_a+_l+_e+_r+_t})()('h'+#{_e+_l+_l+_o+__space}+'w'+#{_o+_r+_l+_d});")
You guys make my pathetic attempt at obfuscation appear to have been done by two monkeys randomly pounding on keyboards for a fortnight.



I haven't really done much with the site beyond adding a couple of widgets, which are not obfuscated, and there are some dead links as well.

All in all, it's another of my failures.
(31-07-2013, 01:48 AM)zygotb Wrote: You guys make my pathetic attempt at obfuscation appear to have been done by two monkeys randomly pounding on keyboards for a fortnight.

Isn't that the idea? :P
I found a website about what bottomy was talking about: [here](http://www.jsfuck.com/)
(19-09-2013, 06:27 AM)venam Wrote: I found a website about what bottomy was talking about: [here](http://www.jsfuck.com/)

Yeh there's a number of converters out there. If you're interested the original discussions (and discussions on a lot of other JS obscurities) used to take place on [sla.ckers.org](http://sla.ckers.org). Though it's been rather dead (as far as JS is concerned) as of late.

Also interested to see their converter doesn't need DOM to introduce some of the key (because after you have them can easily get the rest) characters I couldn't get ('h'). Completely forgot about Number.toString() accepting a radix.

Also nice to see a smaller alternative for 10, they've added as strings 1 and 0, so converting that back to a Number is smaller than (1+1+1+1+1)*2 (the equivalent of that in non-alphanumeric).
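
As an added illustration of the point about `Number.toString()` accepting a radix (not part of the thread and not JSFuck's code): which characters fall out of plain type coercion and which need base-36 conversion, including the 'h' and 'w' mentioned earlier. The `SOURCES` table and the `derive`/`plan` helpers are hypothetical names; spelling the `toString` name itself from symbols is outside this example's scope.

```javascript
// Strings produced by type coercion alone (added example; names are hypothetical).
const SOURCES = {
  '![]+[]': ![] + [],        // "false"
  '!![]+[]': !![] + [],      // "true"
  '[][[]]+[]': [][[]] + [],  // "undefined"
  '+[![]]+[]': +[![]] + [],  // "NaN"
  '[]+{}': [] + {},          // "[object Object]"
};

// Find a symbol-only origin for one character, or report that none exists here.
function derive(ch) {
  for (const [expr, str] of Object.entries(SOURCES)) {
    const i = str.indexOf(ch);
    if (i !== -1) return { ch, via: `(${expr})[${i}]`, value: str[i] };
  }
  if (/^[0-9a-z]$/.test(ch)) {
    // Digits and lowercase letters are all digits in base 36.
    const n = parseInt(ch, 36);
    return { ch, via: `(${n}).toString(36)`, value: n.toString(36) };
  }
  return { ch, via: null, value: null }; // needs another source, such as the DOM
}

// Derivation plan for a whole string, one entry per character.
const plan = (text) => [...text].map(derive);

for (const step of plan('hello world')) {
  console.log(JSON.stringify(step.ch), '<-', step.via);
}
```
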
did you see they ported the brainfuck 'metalang' to js?


that's what i call serious obfuscation.
