Hide Java Script

David Young

So, I guess that means you're not going to share with me how my solution can
be circumvented? Again, outside packet sniffing and decompiling (both of
which can be addressed).
 
Kevin Spencer

Google it. It's old news.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
David Young

Really?

I'm guessing one of the two apply here:
a) You didn't take time to review and try the solution that I posted,
because you are a pompous, self-righteous, arrogant
cotton-headed-ninny-muggin who scoffs at anyone who dares to question you.
Or;

b) You have looked at my solution, applied it, and discovered that it does
indeed work, but are too arrogant and hard-headed to admit you were wrong.

In light of all that. If you can show me where I'm wrong, I'll gladly admit
my error and apologise for the ranting. Otherwise...I'm done here.
 
Scott Allen

Hi David:

At best though, this is security through obfuscation. Someone
determined to see the underlying javascript will get to it.

using System;
using System.Net;
using System.Text;

// The Referer header is supplied by the client, so the server-side check
// sees whatever value the client chooses to send.
WebClient client = new WebClient();
client.Headers.Add("Referer", "http://AUrlToSpoofOnYourSite.com");
byte[] buffer = client.DownloadData("http://TheUrl/JSScript.aspx");
Console.WriteLine(Encoding.ASCII.GetString(buffer));

--
Scott
http://www.OdeToCode.com/blogs/scott/

David Young said:
Ok, here's your solution:

Create an aspx page. Call it "JSSource.aspx"
Open the HTML view and delete everything except the contents of the <%@ Page %>
directive.
Open the Code Behind for this page.
Add two using statements:
using System.Text;
using System.IO;
Add the following to the Page_Load handler:
private void Page_Load(object sender, System.EventArgs e)
{
    // Build the real script in memory.
    StringBuilder b = new StringBuilder();
    b.Append("function doOnLoad(){");
    b.Append("alert('hello there');}");

    // Serve the real script only when the Referer names this host; any other
    // request (including a direct one, which carries no Referer) gets a decoy.
    string script;
    if (Request.UrlReferrer == null || Request.UrlReferrer.Host != "localhost")
        script = "var youbite = 'eat me';";
    else
        script = b.ToString();

    // Write the chosen text back as a JavaScript response.
    ASCIIEncoding encoder = new ASCIIEncoding();
    byte[] buffer = encoder.GetBytes(script);
    Response.ContentType = "text/javascript";
    Response.OutputStream.Write(buffer, 0, buffer.Length);
}

Then create a new aspx page. Call it JSClient.aspx
Open the HTML View and add the following between the </HEAD> and <BODY>
tags.
<script Language="javascript" type="text/javascript" src="JSSource.aspx"></script>
In the Body tag, add the following: onLoad="doOnLoad();"

Then create a third page. Call it "Launch.aspx" add a hyperlink control, or
a simple <A href> tag. the NavigateUrl = "JSClient.aspx"

Build and launch the "Launch.aspx" page. When you click on the link, it'll
load the JSClient.aspx page and you should get a nice little Hello World
popup.

Enhance as you see fit. Another thing you may want to think about is
caching. You may want to make sure to add directives to prevent the browser
from caching the JSSource.aspx page. Also, if it's being deployed on a
client site, they could open the site's dll with something like Reflector and
see your source, so you might want to obfuscate that.

It's a little simple I agree, but it's the best I could come up with on such
short notice.

BTW - Never accept never as an answer. When they say it can't be done, be
like me and say why not. Sometimes ignorance is bliss.

Dave


kpg said:
Hello all,

I have an asp.net web application with tons of Java script files.

I would like to protect the Java Script somehow so it can't be
seen by a remote user.

I found several 3rd party solutions, but I thought I remember that
there was a way to 'compile' java script and use that instead of
the actual script?

The problem I have with 3rd party solutions is two-fold:

1) I'm cheap

2) I'm going to install the app on a customer's server for use by
their customers. I don't want them (my customer) or their customers
to have access to the java script files.

I think a 3rd party solution would work fine for me on my server, but I
can't really give the customer the app and the 3rd party protection thingy
and say: install this so you can't see my code (because they might not!).

Anyway, I'm open to any solution.

Thanks
kpg
 
David Young

Scott,
Correct. I believe I stated "aside from packet sniffing and decompiling the
dll" (or looking at it in .NetReflector). I fully understand that, however,
the comment was made that:

"If the browser can read it, so can you. So can anyone. It is not
possible.".

I just disagreed with that philosophy and posted a solution that discounts
that. To get at it, they would have to get the dll or capture the packets
as they came across the wire.

I also agree that packet sniffing and decompiling are both issues that have
to be overcome. However, I also know that there are ways to address both
those issues as well.

For instance:
a) Build a COM object in C++ that contains the JS code and build a callable
wrapper to make it accessible to your ASP.net code. (haven't actually done
this so I'm not sure what you'll see in reflector) And yes, I know if you
have Borland's old decompiler :) ....

b) Use web services to have the client app contact your app to get the JS
code. (that keeps them from getting your dll).

I'll probably come up with more.

I do have to agree with Kevin on one point. Why? But then, that's not for
me to question.

Thanks for your response though.

 
Kevin Spencer

David Young said:
In light of all that. If you can show me where I'm wrong, I'll gladly admit
my error and apologise for the ranting. Otherwise...I'm done here.

In that case... you're done here.

I don't care if you apologize or not. My feelings aren't hurt. I have the
skin of a rhinoceros.

By not admitting your mistakes, you only hurt yourself.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
David Young

Show me where I'm wrong and I'll gladly admit it.
And "Because I said so" just won't cut it.
 
Guest

I wanted to chime in on the invective between David Young & Kevin Spencer by
suggesting that Shakespeare probably best summed it up here guys:

"Light seeking light doth light of light beguile."

It's one of my favs and probably best characterizes your exchanges regarding
this issue.

Brice
 
kpg

Thanks for your input and example.

Another programmer here discovered a simple and effective solution
to the problem. It won't prevent the 'determined' hacker either but it
does accomplish my main objective - to prevent the java script from
being viewed when the page is saved. (that just makes it too easy).

Here it is:

The javascript is in a separate .js file, and the include line that normally
looks something like:

<script language="javascript" src="/file.js"></script>

is encoded to look like:

<script language=javascript>document.write(unescape("%3F%22..."))</script>

where unescape is a javascript function that decodes the text (not a simple
hex encoding)

Surprisingly (to me) this prevents the actual javascript file from being saved
and prevents the end users from viewing the name of the javascript source
file.

I'm a little unclear at this time where the unescape function is declared
but I could not find it locally when viewing a page downloaded with this
technique.

If anyone is interested in more details I will acquire them, just ask.

PS

Although not everything is possible, there are always options. ;-)

kpg
 
Brian Munroe

kpg said:
Here it is:

The javascript is in a separate .js file, and the
include line that normally looks something like:

<script language="javascript" src="/file.js"></script>

is encoded to look like:

<script language=javascript>
document.write(unescape("%3F%22..."))
</script>

where unescape is a javascript function that
decodes the text (not a simple hex encoding)

Surprisingly (to me) this prevents the actual
javascript file from being saved and prevents
the end users from viewing the name of the
javascript source file.

Just to chime in here real quick!

If I understand what you are doing above, you are basically unescaping
a serialized, escaped version of all your javascript functions, which
would normally go in file.js?

Using document.write doesn't work, at least for me. I had to use eval
to change it back into javascript that the browser would recognize, for
example:

<script type="text/javascript">

// mystring contains the escaped version of my javascript function.
//
mystring = escape("function sayHi(){alert(\"hello\");");
eval(unescape(mystring));
I'm a little unclear at this time where the unescape
function is declared but I could not find it locally
when veiwing a page downloaded with this technique.

unescape() is the converse of escape(), which are both functions built
into javascript core. If the person is knowledgeable enough to need a
reason to steal your javascript, they are sure as hell going to know
how to unescape the escaped string to retrieve the clean javascript,
but I am not touching why you should or shouldn't obfuscate your code
with a 10' pole.

-- brian
 
Brian Munroe

[snip]

sorry, a little typo..here is the corrected version:

<html>
<body>

<script type="text/javascript">
// url encode sayHi()
//
mystring = escape("function sayHi() { alert(\"hello\");}");
eval(unescape(mystring));
</script>

<script type="text/javascript">

// This is what the encoded javascript looks like
//
document.write(mystring);

// here is the function in action, available to the browser
//
sayHi();
</script>

</body>
</html>
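The unescape() include trick that kpg describes and Brian decodes, round-tripped as an added example (this is not code from the thread). hideInclude() builds the obfuscated line that replaces a plain <script src> tag, percent-encoding every character like the %3F%22... form kpg shows, and revealInclude() is what anyone holding the saved page can do to get the tag and the .js file name back; the function names and the sample URL are constructed for this example.

```javascript
// Added example, not from the thread. escape()/unescape() are the legacy
// built-ins Brian refers to; unescape() decodes %XX and %uXXXX sequences.

// Percent-encode every UTF-16 unit in the form unescape() accepts
// (%XX below 256, %uXXXX above), so nothing readable survives in the HTML.
function percentEncodeAll(text) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    out += code < 256
      ? "%" + code.toString(16).toUpperCase().padStart(2, "0")
      : "%u" + code.toString(16).toUpperCase().padStart(4, "0");
  }
  return out;
}

// Build the obfuscated include line from a script URL (constructed format,
// matching the document.write(unescape(...)) pattern in kpg's post).
function hideInclude(src) {
  const tag = '<script language="javascript" src="' + src + '"></script>';
  return '<script language=javascript>document.write(unescape("' +
    percentEncodeAll(tag) + '"))</script>';
}

// Recover the plain include tag and the script URL from such a line.
// The browser runs exactly this unescape() to render the page, so the
// "hidden" tag is one function call away from anyone who saved it.
function revealInclude(line) {
  const m = /unescape\("([^"]*)"\)/.exec(line);
  if (!m) return null;                       // not the pattern we expect
  const tag = unescape(m[1]);
  const src = /src="([^"]*)"/.exec(tag);
  return { tag: tag, src: src ? src[1] : null };
}

// Demonstration on a constructed URL.
const hidden = hideInclude("/file.js");
console.log(hidden.includes("file.js"));     // false: the name is not in the saved HTML
console.log(revealInclude(hidden).src);       // "/file.js": one unescape() gets it back
```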
 
Dan

This does work and I've been using it for a while

Just put a response.end in server tags at the top of the file in case someone
wants to serve it directly, something like:

<%
' The test that decides a request is "direct" is not shown in the post;
' an empty Referer is assumed here so the guard has a condition to run on.
If Request.ServerVariables("HTTP_REFERER") = "" Then
%>
<html>
<title>Bad request method</title>
<body>
Error - You are attempting inappropriate access to files on this server!<br>
Your IP address has been logged, and a reverse lookup has been done. The
results have been emailed to the webmaster.
</body>
</html>
<%
Response.End
End If
%>


Dan
 
Guest

Problem: Jscript provided to client in discernible form.
Asset/Threat Analysis
0) View Source : UI/DHTML block
1) Js file link reference : prevent direct access via isapi filter|dynamic
rendering with check (asp/aspx/web svc)
2) Js content pulled from browser cache or intercepted with non SSL : SSL
for interception, "encode" for obfuscation
3) Decode encoded jscript C/O $29.99 utility available via internet : ...

Solution:
Strongly Encrypt js file content (VS encode) as function of "session"
(do misc AES homework for the background)
Generate AES Cipher Key and Ini Vector for "session" with "time" info
Call encrypted JS text via script (xmlhttp, web svc, etc)
Decrypt in client
Dynamically insert script element
(wink wink) Kill/Overwrite cookie with IV info

....google javascrypt and check out (msdn) AES resources for the details; or
check the academic publishing and (carefully!) roll your own implementation
of AES in jscript
 
Guest

Hi David

I don't quite understand what you are saying here.

First of all, doesn't Javascript have to be downloaded to the browser in
plain format for it to be executed? Will the browser execute "compiled" code?

Secondly, if the code is set to a file, will the file not be in the local
cache where it can be viewed?

Regards

Manjit Dosanjh