0

Basically, what I'd like to do is have a JavaScript function that checks whether you've entered a specific string -- but I don't want that string to be actually visible in the source code. In my mind, it would go something like this:

function checkPass(input) {
    if (encrypt(input) === 'OJqqyaQUD4APlZvAg3fvCii8Os9qBr23tlzWwjbw') {
        alert('Success');
    } else {
        alert('Fail');
    }

}

function encrypt(input) {
    //pass it through some encryption algorithm
}

How might I accomplish this –– ideally, without any external libraries?

Cliff
  • Do you have any **encryption algorithm** in mind? –  Feb 02 '16 at 22:14
  • 1
    I wouldn't use clientside code for that. What are you trying to do? – putvande Feb 02 '16 at 22:14
  • What @putvande meant to say is, even if you implement an _encryption algorithm_ it will still be visible by simply looking up the source code. So no use of encryption. –  Feb 02 '16 at 22:15
  • @putvande I have no choice in this case, unfortunately. But it's not protecting anything especially important; this is purely just another obstacle that people might have to get through in order to make the obfuscated code even harder to use if they steal it. – Cliff Feb 02 '16 at 22:15
  • @noob I disagree. The source code for most common encryption algorithms is actually widely available; the point is to make the algorithm an operation that's impossible to reverse engineer through any means beyond trial and error. – Cliff Feb 02 '16 at 22:18
  • 1
    @Cliff: If one implements his own algorithm in a Javascript function it will be visible in source code. –  Feb 02 '16 at 22:19
  • You can still encrypt it, but it is not secure. Anyone can open up the console, edit the JS code in place, and remove the check. – epascarello Feb 02 '16 at 22:24
  • @noob Yep. Again, I'm basically trying to create a "stepping stone" as opposed to anything actually secure. – Cliff Feb 02 '16 at 22:27
  • Checking the password on the client offers literally no protection... What's to stop them from simply calling the function that is called on success??? Just rot13 if you want to obfuscate the check. Anyone looking at your code will likely just skip the check instead of figuring out the password anyways =_=. – Goblinlord Feb 02 '16 at 22:58
  • @Goblinlord This is a special situation where they can't actually access the JavaScript directly. But, again, I'm basically trying to create a "stepping stone" as opposed to anything actually secure. – Cliff Feb 02 '16 at 22:59
  • Can't access the js directly? So you can't curl the js? The network log in dev tools doesn't work? Barring those a simple packet sniffer can't snatch all the packets? If it's not accessible the browser wouldn't be able to run it. Anyways, like I said just rot13 or use a simple substitution algorithm. You won't get much more secure from anything more. – Goblinlord Feb 02 '16 at 23:04
  • You actually want a hashing function and not an encryption algorithm. Considering you don't really want something secure (which really makes me want to question the motive here)... You could take a look at the following http://stackoverflow.com/q/7616461/1090576 – Goblinlord Feb 02 '16 at 23:22

1 Answer

2

Because the JavaScript can be seen in the source, there is not much you can do.

Minify and obfuscate it, in order to make it harder to read.

Another good thing is to use http://javascript2img.com/ to make it very hard to read.

JTC
  • I guess I'd hoped javascript might have 64-bit RSA encryption built in. – Cliff Feb 02 '16 at 22:17
  • Client-side JavaScript can't be used for this kind of stuff, unfortunately. – JTC Feb 02 '16 at 22:18
  • The problem with all these common obfuscators is that they provide a decoding tool for their algorithm...which basically subverts the point of the obfuscation. – Cliff Feb 02 '16 at 22:20
  • I've changed the obfuscator link to the best I could find; it claims to be the hardest to read. – JTC Feb 02 '16 at 22:23
  • @noob And as they write on their page: JsBeautifier can't deobfuscate our code! – JTC Feb 02 '16 at 22:24
  • But anyone with enough time can undo it, since the browser needs to be able to run it. – epascarello Feb 02 '16 at 22:26
  • 1
    Well, I'm not saying to use it instead of server-side validation, just trying to provide a good answer. I think OP knows he should not use this on anything critical in his app. – JTC Feb 02 '16 at 22:27