How can I hide or encrypt JavaScript code?

Is there a way to hide or encrypt JavaScript code so that people do not view, copy and/or modify proprietary programs?

+52
javascript encryption obfuscation
Jun 19 '09 at 10:50
8 answers

You can obfuscate it, but there is no way to completely protect it.

obfuscator example: https://obfuscator.io

+70
Jun 19 '09 at 22:52

No, it is impossible. If it is running in the client browser, it must be loaded by the client browser. It is pretty trivial to use Fiddler to check the HTTP session and get any downloaded JS files.

There are tricks you can use. One of the most obvious is the use of a JavaScript obfuscator.

Again, obfuscation only prevents accidental tracking and does not prevent people from picking and using your code.

You can try the compiled script action as a flash movie.

+6
Jun 19 '09 at 22:53

While everyone agrees that JavaScript encryption is a bad idea, there are a few small cases where slowing down an attack is better than nothing. You can start with the YUI Compressor (like @Ben Alpert), or JSMin, Uglify or many more.

However, the main case when I want to "hide things" is when I publish an email address. Please note that there is a problem with Chrome when you click on “check item”. It will show your source code: every time. This is why obfuscation is usually seen as the best way to go.

In this article, I take a two-string attack to just slow down the spam bots. I obfuscate/reduce the JS and then run it again through the encoder (again, this second step is completely pointless in Chrome).

Although not a completely clean JavaScript encoder, the best HTML encoder I found is http://hivelogic.com/enkoder/. This will turn the following:

    <script type="text/javascript">
    //<![CDATA[
    <!--
    var c=function(e) {
        var m="mail" + "to:webmaster";
        var a="somedomain";
        e.href = m+"@"+a+".com";
    };
    //-->
    //]]>
    </script>
    <a href="#" onclick="return c(this);"><img src="images/email.png" /></a>

into this:

 <script type="text/javascript"> //<![CDATA[ <!-- var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" + "=50){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" + ".substr(0,ol);}f(\")87,\\\"meozp?410\\\\=220\\\\s-dvwggd130\\\\#-2o,V_PY420" + "\\\\I\\\\\\\\_V[\\\\\\\\620\\\\o710\\\\RB\\\\\\\\610\\\\JAB620\\\\720\\\\n\\"+ "\\{530\\\\410\\\\WJJU010\\\\|>snnn|j5J(771\\\\p{}saa-.W)+T:``vk\\\"\\\\`<02" + "0\\\\!610\\\\'Dr\\\\010\\\\630\\\\400\\\\620\\\\700\\\\\\\\\\\\N730\\\\,530" + "\\\\2S16EF600\\\\;420\\\\9ZNONO1200\\\\/000\\\\`'7400\\\\%n\\\\!010\\\\hpr\\"+ "\\= -cn720\\\\a(ce230\\\\500\\\\f730\\\\i,`200\\\\630\\\\[YIR720\\\\]720\\\\"+ "r\\\\720\\\\h][P]@JHADY310\\\\t230\\\\G500\\\\VBT230\\\\200\\\\Clxhh{tzra/{" + "g0M0$./Pgche%Z8i#p`v^600\\\\\\\\\\\\R730\\\\Q620\\\\030\\\\730\\\\100\\\\72" + "0\\\\530\\\\700\\\\720\\\\M410\\\\N730\\\\r\\\\530\\\\400\\\\4420\\\\8OM771" + "\\\\`4400\\\\$010\\\\t\\\\120\\\\230\\\\r\\\\610\\\\310\\\\530\\\\e~o120\\\\"+ "RfJjn\\\\020\\\\lZ\\\\\\\\CZEWCV771\\\\v5lnqf2R1ox771\\\\p\\\"\\\\tr\\\\220" + "\\\\310\\\\420\\\\600\\\\OSG300\\\\700\\\\410\\\\320\\\\410\\\\120\\\\620\\" + "\\q)5<: 0>+\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;" + "721=%y;++y)87<i(fi{)++i;l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noit" + "cnuf\")" ; while(x=eval(x)); //--> //]]> </script> 

Perhaps this is enough to slow down a few spam bots. I had no spam using this (yet!).

+6
Dec 03
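
Added example, not part of the original answers: the encoded script above ends in `while(x=eval(x));`, so every layer must reach the JavaScript engine as plain text. The sketch below uses a constructed two-layer packer (`packLayer`, a hypothetical stand-in, not the Hivelogic Enkoder algorithm) and records each stage that the loop evaluates, which is why such encoding slows readers down but keeps nothing confidential.

```javascript
// Added example. packLayer is a constructed stand-in for an Enkoder-style
// encoder (hypothetical helper, not Hivelogic's algorithm).
const DECODER = 'function(s){return s.split("").map(function(c){' +
  'return String.fromCharCode(c.charCodeAt(0)-1);}).join("");}';

function packLayer(code) {
  // Shift every character up by one; the emitted code shifts it back.
  const shifted = code.split("")
    .map((c) => String.fromCharCode(c.charCodeAt(0) + 1)).join("");
  return "(" + DECODER + ")(" + JSON.stringify(shifted) + ")";
}

// Same control flow as the page's `while (x = eval(x));`, except that each
// stage is recorded before it runs and `document.write` is a capturing stub.
// eval executes the staged code for real, so feed it only samples you built
// yourself or work inside an isolated analysis machine.
function unwrapStages(packed, maxStages = 20) {
  const written = [];
  const documentStub = { write: (html) => { written.push(String(html)); } };
  // Sloppy-mode function, so the direct eval resolves `document` to the stub.
  const run = new Function("document", "code", "return eval(code);");
  const stages = [];
  let x = packed;
  while (typeof x === "string" && x.length > 0 && stages.length < maxStages) {
    stages.push(x);
    x = run(documentStub, x);
  }
  return { stages, written };
}

// Constructed sample: the markup being "hidden", wrapped in two layers.
const SECRET_HTML = '<a href="mailto:webmaster@example.invalid">mail</a>';
const FINAL_STAGE = "document.write(" + JSON.stringify(SECRET_HTML) + ");";
const PACKED = packLayer(packLayer(FINAL_STAGE));

function demo() {
  const { stages, written } = unwrapStages(PACKED);
  return {
    layers: stages.length,                    // two packed layers + final stage
    lastStage: stages[stages.length - 1],     // the original, readable script
    recovered: written[0],                    // what the page would have shown
    hiddenInSource: !PACKED.includes("mailto:"),
  };
}

console.log(demo());
```
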

One of the best compressors (not specifically an obfuscator) is the YUI Compressor.

+5
Jun 19 '09 at 22:54

JavaScript is a scripting language and therefore remains in human readable form until it is time to interpret and execute it using the JavaScript runtime.

The only way to partially hide this, at least from less technical minds, is to obfuscate it.

Obfuscation makes reading difficult for people, but not impossible for the tech savvy.

+3
Jun 19 '09 at 23:29

If you have something specific you want to hide (for example, your own algorithm), put it on the server or put it in a Flash movie and call it using JavaScript. Writing ActionScript is very similar to writing JavaScript, and you can communicate between JavaScript and ActionScript. You can do the same with Silverlight, but Silverlight does not have Flash scrolling.

However, remember that any mobile phones can run your JavaScript, but not Silverlight or Flash, so that you damage your mobile users if you go with Flash or Silverlight.

+3
Jun 19 '09 at 23:34

The only safe way to protect your code is to not give it away. When deploying a client, you can't do without client access to the code.

So the short answer is: you cannot do this.

The longer answer is Flash or Silverlight. Although I believe that Silverlight gladly gives away secrets with a reflector that runs on the client.

I'm not sure if there is something similar with the Flash platform.

+2
Jun 19 '09 at 22:57

I know this is an old thread, but I would just like to add one method to hide your scripts, at least in order to make it a little more difficult to view. The key is to use AJAX and fully synchronize it with your server-side scripts like PHP. Thus, the whole algorithm is not fully disclosed and will be completely meaningless for anyone who wants to steal your code. Of course, this is not a 100% reliable solution, since your client scripts will and can be exposed if you press F12 in Chrome, for example. In addition, if your JavaScript depends on a large number of server processes, in reality you will not need to worry at all.

In this script, the true content - your actual client-side scripts - is retrieved only through the get method (ps: you can still see the content by following the URL - use the post method to avoid this):

    <?php
    //THE FOLLOWING VARIABLE IS ADDED TO ENABLE TOGGLING OF THIS FUNCTIONALITY:
    $obscureScripts = TRUE;

    //IF OBSCURE SCRIPT FUNCTIONALITY IS ALLOWED,
    //THE SYSTEM SHOULD ONLY ALLOW REQUESTS TRIGGERED BY SPECIFIED GET METHOD
    //OTHER THAN THAT, OR UNLESS $_GET['fetch'] == 'content', PERFORM THE FOLLOWING SCRIPTS:
    if ($obscureScripts && !(isset($_GET['fetch']) && $_GET['fetch'] == 'content')) {
        //OPEN A SESSION
        session_start();
        //CREATE AN INDICATOR THAT THIS METHOD HAS BEEN USED
        $_SESSION['obscr'] = 'set';
        //CLOSE SESSION WRITER
        session_write_close();
        //ECHO THE FAKE CONTENTS OF YOUR PAGE
        echo "<script type='text/javascript' src='plugins/jquery-1.9.0.min.js'></script> \n".
             "<script> \n".
             "$.get \n".
             "( '?fetch=content', \n".
             " function(data) \n".
             " { $('body').fadeOut \n".
             " ( function() \n".
             " { $(this).empty().html(data).fadeIn(100); \n".
             " } \n".
             " ); \n".
             " } \n".
             "); \n".
             "</script> \n".
             "<html><head><title>Page Front</title><link rel='icon' href='icon.ico'/></head> \n".
             "<body bgcolor='#121212'><center>Loading...</center></body></html> \n";
        //THE FAKE CONTENTS WOULD IN TURN RUN A JQUERY SCRIPT TO RETRIEVE THE ACTUAL PAGE CONTENT
        //DO NOT RUN THE REST OF THE SCRIPT/PAGE
        exit();
    }
    //IF OBSCURE SCRIPT FUNCTIONALITY IS ON, AND IF A FETCH REQUEST WAS MADE,
    //PERFORM THE FOLLOWING VALIDATION
    else if ($obscureScripts && isset($_GET['fetch']) && $_GET['fetch'] == 'content') {
        //ATTEMPT TO RETRIEVE EXISTING SESSION
        session_start();
        //CHECK IF A SESSION WAS SET: THIS IS TO INDICATE THE LOADING OF FAKE CONTENTS AND THAT
        //THE REAL CONTENTS ARE ONLY LOADED ONCE - BY THE JQUERY SCRIPTS PREVIOUSLY LOADED
        if (isset($_SESSION['obscr']) && $_SESSION['obscr'] == 'set') {
            //ONCE CONFIRMED, UNSET THE SESSION TO PREVENT ANOTHER REQUEST
            unset($_SESSION['obscr']);
            //IF THE SESSION BECAME EMPTY AFTER UNSETTING THE 'obscr' SESSION VARIABLE,
            //DELETE THE SESSION
            if (empty($_SESSION)) {
                session_unset();
                session_destroy();
            }
            //CLOSE THE SESSION WRITER AND PROCEED TO THE REST OF THE CONTENTS
            session_write_close();
            //NOTICE THAT THERE IS NO exit() OR die() REQUEST HERE.
            //THIS MEANS THAT THE SCRIPT WOULD PROCEED TO THE CONTENTS
        }
        //IF NO SESSION IS SET, THIS MEANS THAT THE GET METHOD IS PROBABLY BEING REQUESTED
        //FOR THE SECOND TIME; PROBABLY NOT BY THE PRE-LOADED SCRIPTS
        //IF SO, PERFORM THE FOLLOWING:
        else {
            //CLOSE THE SESSION WRITER
            session_write_close();
            //RELOAD THE PAGE BY REDIRECTING TO SELF
            header('Location: '.$_SERVER['PHP_SELF']);
            //PREVENT SHOWING ANYTHING AFTER THIS CODE
            exit();
        }
    }
    ?>
    <html>
    <head><title>The content you want to hide</title></head>
    <body>Your precious content.</body>
    </html>

Again, this is not a stupid method. Anyone can completely overtake a preloaded script while it runs the get method in front of it. I used PHP sessions to restrict access; which can be improved.

Honestly, this is just an extra process load. But that doesn't stop anyone from trying, right?

PS: Forgive me if my code and use of terminology are a bit rudimentary. I was only doing PHP for a year at the time of writing.

POST method:

    <?php
    //THE FOLLOWING VARIABLE IS ADDED TO ENABLE TOGGLING OF THIS FUNCTIONALITY:
    $obscureScripts = TRUE;

    //IF OBSCURE SCRIPT FUNCTIONALITY IS ALLOWED,
    //THE SYSTEM SHOULD ONLY ALLOW REQUESTS TRIGGERED BY SPECIFIED POST METHOD
    //OTHER THAN THAT, OR UNLESS $_POST['fetch'] == 'content', PERFORM THE FOLLOWING SCRIPTS:
    if ($obscureScripts && !(isset($_POST['fetch']) && $_POST['fetch'] == 'content')) {
        //OPEN A SESSION
        session_start();
        //CREATE AN INDICATOR THAT THIS METHOD HAS BEEN USED
        $_SESSION['obscr'] = 'set';
        //CLOSE SESSION WRITER
        session_write_close();
        //PHP_SELF CAN CONTAIN REQUEST-CONTROLLED PATH INFO, SO ENCODE IT AS A
        //JAVASCRIPT STRING LITERAL BEFORE EMBEDDING IT IN THE PAGE
        $selfJs = json_encode($_SERVER['PHP_SELF'],
                              JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        //ECHO THE FAKE CONTENTS OF YOUR PAGE
        echo // USING HEREDOC THIS TIME
    <<<SCRIPT
    <script type='text/javascript' src='plugins/jquery-1.9.0.min.js'></script>
    <script>
    \$.post ( {$selfJs}, { fetch:"content" } ).done ( function(data) { \$("body").empty().html(data); } );
    </script>
    <html>
    <head> <title>Page Front</title> </head>
    <body> <center>Loading...</center> </body>
    </html>
    SCRIPT;
        //THE FAKE CONTENTS WOULD IN TURN RUN A JQUERY SCRIPT TO RETRIEVE THE ACTUAL PAGE CONTENT
        //DO NOT RUN THE REST OF THE SCRIPT/PAGE
        exit();
    }
    //IF OBSCURE SCRIPT FUNCTIONALITY IS ON, AND IF A FETCH REQUEST WAS MADE,
    //PERFORM THE FOLLOWING VALIDATION
    else if ($obscureScripts && isset($_POST['fetch']) && $_POST['fetch'] == 'content') {
        //ATTEMPT TO RETRIEVE EXISTING SESSION
        session_start();
        //CHECK IF A SESSION WAS SET: THIS IS TO INDICATE THE LOADING OF FAKE CONTENTS AND THAT
        //THE REAL CONTENTS ARE ONLY LOADED ONCE - BY THE JQUERY SCRIPTS PREVIOUSLY LOADED
        if (isset($_SESSION['obscr']) && $_SESSION['obscr'] == 'set') {
            //ONCE CONFIRMED, UNSET THE SESSION TO PREVENT ANOTHER REQUEST
            unset($_SESSION['obscr']);
            //IF THE SESSION BECAME EMPTY AFTER UNSETTING THE 'obscr' SESSION VARIABLE,
            //DELETE THE SESSION
            if (empty($_SESSION)) {
                session_unset();
                session_destroy();
            }
            //CLOSE THE SESSION WRITER AND PROCEED TO THE REST OF THE CONTENTS
            session_write_close();
            //NOTICE THAT THERE IS NO exit() OR die() REQUEST HERE.
            //THIS MEANS THAT THE SCRIPT WOULD PROCEED TO THE CONTENTS
        }
        //IF NO SESSION IS SET, THIS MEANS THAT THE POST METHOD IS PROBABLY BEING REQUESTED
        //FOR THE SECOND TIME; PROBABLY NOT BY THE PRE-LOADED SCRIPTS
        //IF SO, PERFORM THE FOLLOWING:
        else {
            //CLOSE THE SESSION WRITER
            session_write_close();
            //RELOAD THE PAGE BY REDIRECTING TO SELF
            header('Location: '.$_SERVER['PHP_SELF']);
            //PREVENT SHOWING ANYTHING AFTER THIS CODE
            exit();
        }
    }
    ?>
    <html>
    <head><title>The content you want to hide</title></head>
    <body>Your precious content.</body>
    </html>

0
Apr 24 '15 at 17:10


