[WEB SECURITY] JavaScript Obfuscators

Hoffman, Billy billy.hoffman at hp.com
Sun Jan 25 02:04:30 EST 2009

The websense  guys and finjin guys are top notch in this field. A read of their research blogs is a wealth of data.

As for who obfuscating, pretty much everybody is. IBM released a report in last year that nearly 100% of malware payloads using javascript are obfuscated (http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf)

Billy Hoffman
Manager, HP Web Security Research Group
HP Software - Application Security Center
Direct:  770-343-7069

From: Sophia Sun [mailto:sophiasfq at gmail.com]
Sent: Saturday, January 24, 2009 11:09 PM
To: James Landis
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] JavaScript Obfuscators

Thanks for pointing out the ambiguity, James.

I'm interested in examining how obfuscated a piece of JavaScript code can be. Both commercial and open-source obfuscators for JavaScript only (static JavaScript "compiler") are of interest to me. I would like to know what kinds of obfuscation techniques are being used in an obfuscator, such as the randomization of variable names and function names and code shuffling.

I agree with you that client-side code manipulation provides no real security value. But think about obfuscation from a web administer's standpoint, a highly obfuscated piece of JavaScript code could possibly delay the detection of a payload. Take XSS worms for example, it seems to me that most of them are obfuscated. It would be nice to know what obfuscation techniques are commonly used in obfuscators and how powerful an obfuscator can be in obfuscating JavaScript code.

On Sat, Jan 24, 2009 at 6:10 PM, James Landis <elspood at gmail.com<mailto:elspood at gmail.com>> wrote:
More parameters please. Commercial or open-source? Do you want the
obfuscated output or the obfuscator itself? JavaScript only or
JavaScript + HTML? Dynamic server-side runtime obfuscators or static
JavaScript "compilers"?

As I'm sure you know this, given the fact that you explicitly use the
word "obfuscator", but manipulation of client-side code provides no
real security value beyond prevention of casual theft and reuse of


On Sat, Jan 24, 2009 at 4:53 PM, Sophia Sun <sophiasfq at gmail.com<mailto:sophiasfq at gmail.com>> wrote:
> I'm collecting JavaScript obfuscators for research purpose. Could any of you
> name a few widely used ones? So far, I've tried Jsob and some free
> JavaScript obfuscators. Thanks.
> --Sophia

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090125/80ba6e23/attachment.html>

More information about the websecurity mailing list