
I've developed a system that polls a server and injects the response JavaScript into the client's web page. I want to obfuscate the JavaScript the server serves, but I also want to know if there is a tool that dynamically obfuscates it according to a token or key. Meaning every new session gets unique scripts that will only work with that client during that session.

If this doesn't already exist, could someone maybe provide me with a link on how to write my own JavaScript obfuscation tool?

Chris
  • What's the point of obfuscating according to a key or token? That sounds more like encryption to me. – Alex Turpin Apr 02 '12 at 14:08
  • Once the JavaScript hits the browser, the client can (easily) decode it and see the JavaScript source. – gen_Eric Apr 02 '12 at 14:09
  • But if it's different for every request, it would be rather difficult trying to make sense of it. And yes, I suppose in a way it is a type of encryption. – Chris Apr 02 '12 at 14:11
  • It might use a different key for each request, but it'd need to be decoded at some point for the browser to run it. Also, the decryption code would be visible. – gen_Eric Apr 02 '12 at 14:17
  • Yeah, but if I dynamically rename variables and the sorts. If someone were to decode the JavaScript, they most likely wouldn't be able to make head nor tail of the code. And as long as it is different every time they start a new session. It's most likely they will not be able to find any patterns as to how the code runs either. – Chris Apr 02 '12 at 14:21
  • A good obfuscator will already give you random variable names every time you run something through it. Obfuscating JavaScript code is futile though. – Alex Turpin Apr 02 '12 at 16:01

2 Answers


Here's a page that encrypts JavaScript according to a key: http://scriptasylum.com/tutorials/encode-decode.html

Something you can do, to hide your javascript, is to send it this way:

<?php

header("Refresh: 0;javascript:document.writeln('');");

?>
your js code here

I have not tried it, but I think it will create an empty page when viewed by a browser.

Tei
  • A sophisticated hacker would be able to see the Javascript as it is downloaded in any sort of network tracking tool, such as Fiddler, Firebug, Chrome Tools, Opera Dragonfly, Ethereal, etc. – Jordan Apr 02 '12 at 14:25
  • Seems interesting, thanks! I don't think the refresh header will stop a hacker from getting what they want. There are always network debugging tools. – Chris Apr 02 '12 at 14:26
  • Yeah. But nothing will stop a hacker. Anyway, obfuscation is not to stop hackers, but to stop lazy people. – Tei Apr 02 '12 at 15:27

Chris, I encourage you to look at this a different way.

First of all, your problem seems to be that you want to display something on your web page, but you want to disguise the methodology that it got there. The absolute best way to do this is to execute all of your code on the server.

This frees you up so that you don't have to obfuscate anything. Any Javascript that you execute would just be working on raw data anyway, and wouldn't be anything specialized that a hacker could do anything with.

A hacker could not see your business processes if all of the work was done on the server.

So, you can make an Ajax call out to the server, which executes the code, and returns HTML or JSON data that your app can then use to place on the webpage. The hacker has nothing to go on, and you don't have to build obfuscation into anything.

Jordan
  • Thanks for the answer. The problem is the system I've developed is for a 3D game engine that makes use of WebGL. I want to be able to do a lot of complex computation client side. I don't want to give nerds an easy job at making bots for the game, nor do I want expensive 3D models being distributed over the net. If I can make the code as unique as possible, I can hopefully avoid such things. – Chris Apr 02 '12 at 14:31
  • Obviously you know that once Javascript is on a client machine, there's nothing you can do to prevent reverse engineering other than make it slightly annoying. You may be interested in this: http://stackoverflow.com/questions/232736/code-obfuscator-for-php – Jordan Apr 02 '12 at 14:40
  • So basically the height of security would be to stream the graphics to the client and let all the rendering be done server side. I guess where there's a will there's a way. Thanks for the info. – Chris Apr 02 '12 at 14:53
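
Jordan's answer above, applied to the game case Chris describes in his comment, as an added example that is not part of the original thread: the server keeps the rules and the authoritative state, validates every client message, and returns only the result as JSON. The function names, limits and message shape are assumptions, and an HTTP endpoint is assumed to pass in the parsed request body and a timestamp.

```javascript
// Added example, not code from the thread. Names and limits are hypothetical.
// The rules live only on the server; the browser sees just the JSON result.
const RULES = { maxStep: 5, world: 100, minIntervalMs: 50 };
const sessions = new Map(); // sessionId -> authoritative state

function openSession(id, now) {
  sessions.set(id, { x: 0, y: 0, seq: 0, last: now, rejected: 0 });
  return { ok: true, x: 0, y: 0 };
}

// msg is the parsed JSON body of the client's Ajax request: { seq, dx, dy }.
function handleMove(id, msg, now) {
  const s = sessions.get(id);
  if (!s) return { ok: false, error: 'no-session' };
  const reject = (error) => {
    s.rejected += 1; // repeated rejections are a bot/cheat signal worth logging
    return { ok: false, error, x: s.x, y: s.y };
  };
  // Never trust client-supplied values: check type, order, rate and range.
  if (!msg || ![msg.seq, msg.dx, msg.dy].every((v) => Number.isFinite(v))) {
    return reject('bad-input');
  }
  if (msg.seq !== s.seq + 1) return reject('bad-seq'); // replayed or skipped
  if (now - s.last < RULES.minIntervalMs) return reject('too-fast');
  if (Math.hypot(msg.dx, msg.dy) > RULES.maxStep) return reject('too-far');
  const clamp = (v) => Math.min(RULES.world, Math.max(0, v));
  s.x = clamp(s.x + msg.dx);
  s.y = clamp(s.y + msg.dy);
  s.seq = msg.seq;
  s.last = now;
  return { ok: true, x: s.x, y: s.y }; // only the outcome leaves the server
}

// Constructed requests: one legal move, then one a modified client might send.
openSession('demo', 0);
console.log(handleMove('demo', { seq: 1, dx: 3, dy: 4 }, 100));
console.log(handleMove('demo', { seq: 2, dx: 90, dy: 0 }, 200));
```

Because every limit is enforced on the server, renaming or re-obfuscating the client script per session adds nothing to these checks; the client is free to do heavy rendering work, but its messages are treated as untrusted input.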