SitePoint Sponsor

User Tag List

Results 1 to 4 of 4
  1. #1
    SitePoint Member Lance(HAOH)'s Avatar
    Join Date
    Mar 2009
    Posts
    17
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Obfuscated Javascript and PHP code

    Hi. I am doing some research on JS and PHP code obfuscation. It seems that there are many methods to do this: base64, gz_inflate, etc. Custom algorithms could even be used for obfuscation purposes. I am simply overwhelmed by the number of obfuscation techniques.

    I have two questions which I am unsure of:

    1. How do we detect obfuscated code since there are so many algorithms that could be used?
    2. How do we run obfuscated code? Do we need to de-obfuscate it first?

    I apologise if my questions are amateur. I am just a beginner in Computer Security.
    Repay one's country with utmost loyalty

  2. #2
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    First and foremost. DO NOT USE code obfuscation. It is just worthless.

    1) You can detected obfuscated code easily, its looks like a mass of random letters and number and other things. Detecting what obfuscating algorithm requires reversing the de-obfuscated function.

    2) Depends on how it was obfuscated, is some cases yes in others no.

    In either case. Do not bother.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,576
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Security-wise it is no help -- it is a poor attempt at Security by Obscurity which is very little security when it comes down to it.

  4. #4
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    16,454
    Mentioned
    160 Post(s)
    Tagged
    1 Thread(s)
    I agree with not obfuscating code.

    This is not to say you shouldn't consider minification, which has some similarities in that it is difficult for people to read.
    eg.
    a(r);
    vs.
    check_syntax(name_input);

    jQuery is a good example of how much file weight can be saved by minification. But I sure wouldn't want to work with the minified version.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •