[WEB SECURITY] JavaScript Obfuscators

Sophia Sun sophiasfq at gmail.com
Sat Jan 24 23:09:22 EST 2009

Thanks for pointing out the ambiguity, James.

I'm interested in examining how obfuscated a piece of JavaScript code can
be. Both commercial and open-source obfuscators for JavaScript only (static
JavaScript "compiler") are of interest to me. I would like to know what
kinds of obfuscation techniques are being used in an obfuscator, such as the
randomization of variable names and function names and code shuffling.

I agree with you that client-side code manipulation provides no real
security value. But think about obfuscation from a web administrator's
standpoint: a highly obfuscated piece of JavaScript code could possibly
delay the detection of a payload. Take XSS worms, for example; it seems to me
that most of them are obfuscated. It would be nice to know what obfuscation
techniques are commonly used in obfuscators and how powerful an obfuscator
can be in obfuscating JavaScript code.


On Sat, Jan 24, 2009 at 6:10 PM, James Landis <elspood at gmail.com> wrote:

> More parameters please. Commercial or open-source? Do you want the
> obfuscated output or the obfuscator itself? JavaScript only or
> JavaScript + HTML? Dynamic server-side runtime obfuscators or static
> JavaScript "compilers"?
> As I'm sure you know, given the fact that you explicitly use the
> word "obfuscator", but manipulation of client-side code provides no
> real security value beyond prevention of casual theft and reuse of
> code.
> -j
> On Sat, Jan 24, 2009 at 4:53 PM, Sophia Sun <sophiasfq at gmail.com> wrote:
> > I'm collecting JavaScript obfuscators for research purposes. Could any of
> > you name a few widely used ones? So far, I've tried Jsob and some free
> > JavaScript obfuscators. Thanks.
> >
> > --Sophia
> >