2

Most browsers allow users to view the source of a web-page quite easily and modern even provided detailed analysis. Often this code includes critical client side scripts in the form of JS/jQuery, which now days often contain methods and structures which can expose the internal architecture of the a web-service to a possible user with mala-fide intentions.

  • In such a situation, is it possible to protect your clients side scripts from user views?
  • Also, why haven't browser developers considered offering some security tools on this front?

Thanks!

AviD
  • 73,317
  • 24
  • 140
  • 221
check123
  • 534
  • 1
  • 5
  • 14

1 Answers1

6

Any protection that is implemented in user-level can be relatively easy defeated. Most often is used so called "obfuscation". It can be time consuming to deobfuscate such script if to do it by hand. However, there are several tools that automates this process, example - https://addons.mozilla.org/en-US/firefox/addon/javascript-deobfuscator/ Best solution is to implement protection in interpreter itself, at bytecode level, like Zend Guardian for PHP (even it is bypassable). I suppose, for JavaScript this cannot be done due to many JS engines implementations, parser engines differences, etc. Additionally, it would require loading modules that have to be distributed by protection vendor. This is hard and not transparent process.

I have seen interesting protection in malware, in that case JavaScript code was protected with RSA and used key from the server. But again, it is headache for developer to support such process. Probably for malware writers it was worth to protect their exploits against AV's, lurking users, researchers.

Additionally, you can read related topic here: https://stackoverflow.com/questions/964652/javascript-protection

Community
  • 1
  • 1
    @Check123 In addition, even if somehow all browser vendors decided to remove the 'show source' option, this would not impact the bad guys at all as they would grab the source directly. It would just impact normal users who wanted to know how the site works. – Rory Alsop Apr 19 '11 at 13:55
  • 1
    @Rory Alsop, yes, that is quite obviously - client has to retrieve source code to parse it. And just remembered bug with Opera (and older Chrome), when in case if at the beginning was NULL-byte, source code was not shown, however, was retrievable in many other ways. After all, we are not limited to communicate only with browsers :) –  Apr 19 '11 at 14:01
  • @Ams I agree with you mainly, except for, "Any protection that is implemented in user-level can be relatively easy defeated". Certainly a clever developer could come with such a complex obfuscation scheme that it would no longer be "relatively easy" to beat. But ultimately, yes, any kind of obfuscation can be reversed with enough time and patience. – Mark E. Haase Apr 21 '11 at 04:12