Messages 1 to 10 of 25 total
Thread Obfuscate JS output
Tue, Jul 11 2017 7:19 PM

Big Al

Has anyone looked into any way to obfuscate the JS output?

I am using a web service to access my data, and it works fine, and I can hide the url a little bit in my EWB code but really someone could very possibly take the javascript and possibly figure out how I'm accessing the url of the webservice. I suspect OAuth would work, but I am not able yet to understand how I could make OAuth work in my ewb app properly.

I was wondering if any of the obfuscating tools out on the internet work to make it much harder for anyone to understand what the js file is actually doing?


Big Al
Tue, Jul 11 2017 7:45 PM

Big Al

I tried https://javascriptobfuscator.com/Javascript-Obfuscator.aspx, just the online version.

My compressed js file is only 499k and they supposedly support up to 2mb file for free, but the obfuscated file didn't work. Not sure if it's an issue with the obfuscation or something else.

It's an interesting thought if it were to work. It did take the js file from 499k to 1541k, so 3x but if it worked, for the security it might be worth it.

Big Al
Tue, Jul 11 2017 7:58 PM

Big Al

>>Big Al wrote:

>>My compressed js file is only 499k and they supposedly support up to 2mb file for free, but the obfuscated file didn't work. Not sure if it's an issue with the obfuscation or something else.

I wonder if the issue is related to how the html and js file work together?? I have no clue, just speculating but it would be so cool if the JS code could be obfuscated.

Big Al
Tue, Jul 11 2017 8:07 PM

Raul

Team Elevate

On 7/11/2017 7:19 PM, Big Al wrote:
> Has anyone looked into any way to obfuscate the JS output?
>
> I am using a web service to access my data, and it works fine, and I can hide the url a little bit in my EWB code but really someone could very possibly take the javascript and possibly figure out how I'm accessing the url of the webservice. I suspect OAuth would work, but I am not able yet to understand how I could make OAuth work in my ewb app properly.
>
> I was wondering if any of the obfuscating tools out on the internet work to make it much harder for anyone to understand what the js file is actually doing?

EWB has the "compress output" built in so you can do that and it helps
(and reduces file size as a side benefit).

With Javascript/EWB you should make it secure even if somebody knows
what you're doing - your URLs, etc.  Authenticate user and operations,
don't store any special password or such in EWB app etc. And you should
use TLS.

Who exactly are you trying to obfuscate it from ?

For actual user of your app there is no real value in obfuscating if
they are determined - it's very easy to drop into browser developer
tools and monitor all network comm, set breakpoints, step thru code, etc

You can do some basic obfuscation (like xor your URLs and
command/parameters etc but again it's relatively easy to reverse
engineer so at best it protects against somebody who knows nothing about
javascript)

2. for somebody snooping for network traffic you should be using TLS.

Raul
Tue, Jul 11 2017 8:08 PM

Raul

Team Elevate

On 7/11/2017 7:45 PM, Big Al wrote:
> I tried https://javascriptobfuscator.com/Javascript-Obfuscator.aspx, just the online version.
>
> My compressed js file is only 499k and they supposedly support up to 2mb file for free, but the obfuscated file didn't work. Not sure if it's an issue with the obfuscation or something else.
>
> It's an interesting thought if it were to work. It did take the js file from 499k to 1541k, so 3x but if it worked, for the security it might be worth it.

Similar capability is built into EWB - select the "compress output"
option (or click the "compress" icon in project manager)

Raul
Tue, Jul 11 2017 8:08 PM

Big Al

This one appeared to work, took my 499kb js file and compressed it along with obfuscation to 417kb.

I am not sure how obfuscated it really is as some strings were still inside the js file but it did work.

Maybe there will be others out there that also work but obfuscate even better.

http://www.danstools.com/javascript-obfuscate/

This one is free.

Big Al
Tue, Jul 11 2017 8:22 PM

Big Al

Raul,
I will be running via SSL at some point, so not too concerned about snooping. Or at least I believe that SSL should fix that.

I do connect to a webservice that needs some form of authentication and it does have it, however if a person looks at my js code, which I believe is pretty easy to get to because it runs on the clients browser, then they would be able to see the url since it's in the js file. I am pretty sure strings like urls are still in the js code in plain text even when compression is turned on. If I'm wrong, then let me know.

I can obfuscate the url inside my code to some extent, except I'd still be concerned that someone could review the code and figure out how I was doing my manual obfuscation.

It appears as though these tools would make it much harder to see the js code that's running in the browser, but I'm by no means an expert at this, just a developer that doesn't want anyone breaking into my web service by looking at my ewb js code.

Feel free to tell me I'm being dumb.. You won't be the first.. lol

Here's another one that seemed to work well. Strings are gone, etc. It did increase js size from 499kb to 1336kb.
https://javascriptobfuscator.herokuapp.com/


Big Al
Tue, Jul 11 2017 8:47 PM

Raul

Team Elevate

On 7/11/2017 8:22 PM, Big Al wrote:
> It appears as though these tools would make it much harder to see the js code that's running in the browser, but I'm by no means an expert at this, just a developer that doesn't want anyone breaking into my web service by looking at my ewb js code.

Yes they make it harder to see the code but you're assuming i want to
look at the code.

Instead i would simply look at the connections the app makes to the web
service (the URL, parameters and responses).

Try this out

1. start Chrome

2. press F12

3. select the "Network" section in the dev tools panel on bottom of screen

4. paste in URL for your web app and hit Enter (you can serve it from
EWB IDE still - just run in Chrome)

5. check out the web requests generated in dev tools panel - you can
click on every single one, look at headers, preview and response

I will highly doubt your obfuscation had much impact on what i see here

That's not to say you should not obfuscate - and this is built into EWB
natively - but simply that it provides very limited protection.

Raul
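
Added example, not part of the thread and not EWB or Elevate code: Raul's two replies point out that the URL, parameters and responses are visible in the Network panel and that the service should authenticate the user and each operation. This is one way to do that check on the server, written for Node.js. It assumes the web service back end can run such a check; `SERVER_SECRET`, `PERMISSIONS`, `issueToken`, `verifyToken` and `authorize` are hypothetical names, and the users and operations are constructed sample data.

```javascript
// Added example: server-side check for a web service whose URL is public knowledge.
const crypto = require("crypto");

// The secret exists only on the server; nothing in the browser bundle can reveal it.
const SERVER_SECRET = crypto.randomBytes(32);

// Constructed sample policy: which operations each user may call.
const PERMISSIONS = new Map([
  ["alice", ["orders.read", "orders.create"]],
  ["bob", ["orders.read"]],
]);

function sign(payload) {
  return crypto.createHmac("sha256", SERVER_SECRET).update(payload).digest("base64url");
}

// Issued after the user has logged in over TLS; the token is all the client holds.
function issueToken(user, ttlSeconds, now = Date.now()) {
  const claims = JSON.stringify({ user, exp: now + ttlSeconds * 1000 });
  const payload = Buffer.from(claims).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Returns the claims for a genuine, unexpired token, otherwise null.
function verifyToken(token, now = Date.now()) {
  const [payload, mac] = String(token || "").split(".");
  if (!payload || !mac) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // Length check first: timingSafeEqual throws when the lengths differ.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  return claims.exp > now ? claims : null;
}

// Run on every request: who is calling, and may they perform this operation?
function authorize(request, now = Date.now()) {
  const claims = verifyToken(request.token, now);
  if (!claims) return { status: 401, body: "authentication required" };
  const allowed = PERMISSIONS.get(claims.user) || [];
  if (!allowed.includes(request.operation)) {
    return { status: 403, body: "operation not permitted" };
  }
  return { status: 200, body: `${request.operation} ok for ${claims.user}` };
}
```

With this in place, a caller who knows the URL and parameter names but holds no valid token gets a 401, and a logged-in user gets a 403 for operations outside their own permissions.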
Wed, Jul 12 2017 5:30 AM

Big Al

Raul wrote:


>>Instead i would simply look at the connections the app makes to the web
>>service (the URL, parameters and responses).

Raul,
You're right, so I'm going to have to find a better way to keep my web service secure.
I looked at OAuth a bit, but don't understand enough of it to be able to figure out how to make it work with my web service and ewb.

Thanks again,
Big Al
Wed, Jul 12 2017 7:25 AM

Big Al

>>Big Al wrote:

>>You're right, so I'm going to have to find a better way to keep my web service secure.

Is there any way for EWB to encrypt a string?

Big Al