Obfuscate JS Code - Introduction
What exactly is obfuscation? Obfuscation is one of the security techniques to guard against application hacking. As per Wikipedia, Obfuscation is an act of process for modifying source code. It is much harder to read and understand for a hacker, almost all the code can be reverse-engineered with enough skill, time, and effort. So to prevent it, programmers may obfuscate code to prevent tampering or deter reverse engineering. There are some techniques used to obfuscate more scripts.
- obfuscating the format of the code.
- Adding extra lines of the code into the main code.
- Substituting variable names in the code.
- Obfuscating the code itself.
What do you mean by obfuscating the format of the code? It means removing all the nice line breaks and indentation that makes our code readable. If you have this (see screenshot) type of code, then after obfuscating the formatting, you are left with this (see screenshot) type of large ugly piece of code.
The next is adding an extra line of code into the main code. In this case, we need to insert some extra code into our script that does nothing. This is just confusing to an analyst. If you have this type of code, then the final code would look like this. While one or two extra lines of code won’t do much but imagine what happens when you have hundreds of these lines within your code. It quickly becomes difficult in determining which code is valid and which is not doing anything.
The other one is substituting variable names. As a programmer, the first thing we learned was to give a meaningful variable name in the code. But this methodology does the exact opposite. It changes your meaningful variable name to some meaningless words. When you look at the example here, it’s easy to figure out what the variable on the left-hand side is doing and the meaning of it. Once a variable substitution is applied, it becomes much more difficult to figure out what the variable is used for.
The last one we are going to talk about is obfuscating the code. In this case, it is nothing but a process of modifying the source code so that it is much harder to read and understand. If you see this example, we have two lines of code. One is setting the product name with the value ‘gun’ and another one is setting its price to 50.
When the obfuscation is applied to them, it would look like this (see screenshot). If we look carefully, then you can see that from the first line, it splits out the first letter of the ‘gun’ and continues it to a blank character, which is really adding nothing to it. Then it appends (0x70+5) which is the value for the letter ‘u’. Then it continues to a character ‘n’. This whole line just creates the word gun, but in a way, that’s difficult to parse by an analyst. Both of these lines are an example of data obfuscation.