I have a few questions regarding JavaScript obfuscation on client side.
First question:
What is the best tool or best three tools which ones you could suggest for this operation?
Second question:
How developers should debug such code (in example with firebug) when extreme situation appears in the production if the code is obfuscated?
P.S. - I know that it's bad practice to debug in production, but we had some emergencies and experienced sometimes such situations.
Thanks for any help!
1) closure compiler with advanced optimizations
2) First double their pay, then show them jsbeautifier.org
If you are looking for obfuscation I would say JScrambler. They also have a comparison table on the site that lists other well known javascript obfuscators.
For debugging you could use something like SpiderMonkey or Rhino. Firebug is very good to retrive the decoded source code when encoding is applied.
I think IE8 javascript debugger (under the developer tools) actually re-indent/re-format your code so its readable again.
Not sure if this feature has been added to Firebug, haven't used it lately, but I really wanted this feature a while ago.
Our SD ECMAScript Obfuscator retains a map of how it obfuscated your code. If you do client-side, obfuscated-code debugging, that map will tell which symbol in the original source is it actually referencing.
If you want to debug "nicely formatted" obfuscated code, you can get that from the ECMAScript Obfuscator, by first obfuscating (getting code with all layout lost), and then running back through the obfuscator to prettyprint it (it has this option).
A third option is to generate the obfuscated code in "debugging" mode. The obfsucated result is identifcal to what the production obfuscation is, except that each scrambled variable is named "XXX". This makes understanding the code being debugged just as easy as the original, while validating that the obfuscation renaming is correct. After you've done your debugging, you simply re-obfuscate in production mode.
Related
I looking for python/JavaScript IDE where I can put breakpoints. Currently I'm using coderunner but I can not put break points. I'll really appreciate you recommendations
I'm not an expert on Python, but I do work as a web developer and use JavaScript regularly. For that side of things, probably the easiest way is to use Chrome/Firefox debugger tools. You can do this manually by finding the line of code in the console and clicking (F12->Sources tab->Content scripts->desired script), or using the 'debugger' statement to toggle debug mode (F12->Console tab->type 'debugger' then return) and step through to what you need.
Additionally, if you're looking for an actual IDE, the only thing I've found online is the following. Here's the relevant part of that article. I've never used it (and probably never will), but there it is all the same.
Webstorm by IDEA supports setting breakpoints in the IDE. This requires launching the JavaScript debugger from IDEA. It must be configured in advance so it understands how to map JavaScript on the development server to JavaScript files in your environment. IDEA will automatically install a Chrome or Firefox plug-in to facilitate. This is pretty new technology and can be touchy.
I use PyCharm. It's a heavyweight IDE, so expect more features than you probably want if you're just getting started. It has a very good integrated debugger. You'll be able to break into both your Python and Javascript. Further, you'll see a pretty nice productivity jump with all the editing support like auto complete and intellisense. My advice is to stick with print() and logging as long as you can. For me getting a firm grasp of packages, python environments, virtualenv, command line tricks and git all before committing to the PyCharm IDE helped me adopt it with more confidence I was getting the value of all the integration.
I am developing a system with JavaScript, which I want to let it work only on common web browsers (like IE9, Firefox, Chrome, Safari, Opera, ...).
First, I've compressed my code using Closure library+Closure compiler with the ADVANCED_OPTIMIZATION option, generating a code which slightly looks difficult to understand. Unfortunately, the codes can easily be converted to something beautiful (and readable) by using tools like this.
Second, I've chosen algorithms which are easy to read, but difficult to understand. For example, scripts that are decoding Reed-Solomon codes may be difficult to understand for those who has never developed such kind of algorithms before. Of course this solution is not perfect, because ones who have deep knowledge to Reed-Solomon codes may figure out what's written inside, even if the code is compressed and has no comments.
But the major problem is that my complicated code may run easily just by copying-pasting to Non-Web browser javaScript environments like Rhino+env.js, PhantomJS, and so on.
Please teach me the usable techniques to let my code ignore non-web browser environments, if there are .
I don't really understand the point of this question, but it sounds like your worry is that you don't want people to steal your JS that you return as part of your site.
If that's the case, there is only one real solution: do the work on the server.
You can make it hard to run the code but in the end, it's source code that you give to the world. Any kind of obfuscation and encryption must be reversed before the browser can execute it which means that anyone can eventually reverse engineer the code.
If you don't want this / can't have it, then the browser isn't a suitable tool for you. You can try to write a desktop application or build an appliance (= code which is protected by hardware) but that just raises the bars for reverse engineering. People do grind off the cover off chips to find out how they work.
From my experience, you can make it somewhat hard to "steal" your valuable data but you can't prevent it. Other downsides that you should take into account:
Paying customers will be offended by bugs and limitations that you impose on them (pirates will simply remove your copy protection).
Hollywood spent millions of dollars in DVD CSS and HDMI. Both protection systems were circumvented in a relatively short time. How much money do you plan to spend?
Maybe your time and energy is spent better on providing a better service to customers so they don't feel any need to "steal" from you.
Add this to the beginning of your script:
if(typeof window === 'undefined')
throw new Error('This script is meant to run in a web browser');
Obfuscate it as you see fit.
If you are doing this for security purposes it is a pointless endeavour. Everything you do in Javascript running on the users' browsers can be read and modified by the users. Not only that, but it is very easy for them to do so. Any data you don't want the users to see should not be sent to their browser at all. All processing should be done server-side.
Something that can at least scan a batch of .js files looking for eval statements and other questionable code. Maybe just a regex pattern would do it, but I'd like to find a more sophisticated (and regularly maintained) tool.
old topic but new tool :
ScanJS, developed by mozilla in order to check the Firefox OS security.
https://github.com/mozilla/scanjs
Have you tried Douglas Crockford's JSLint? Although it doesn't scan your code for security problems, however, it does alert you on "eval" statements. OTOH, Predrag Tomasevic has wrote a JavaScript Verifier based on JSLint that can be integrated with Visual Studio (read more on this here).
I'm not aware of any Open Source tools that conduct static analysis of JavaScript.
Grepping for eval() likely isn't going to help for anything other than very simple, very obvious mistakes. It'll be even more difficult to analyze if the script has been minified or obfuscated because you'll be hard-pressed to determine if the argument is being used safely or not.
There are plenty of security problems in JavaScript that rely on the interaction with the DOM. Grepping for eval() might work, but it'll miss other execution points like hrefs or event handlers that might be attacked, e.g. href=javascript:xss or onFoo=xss. You really need a tool that deals with JavaScript and the DOM, not just a JavaScript console.
IBM/Watchfire recently released a paper about a JavaScript analyzer they've created. The paper provides details on results rather than implementation. A commercial tool might not be the way you want to go, but the paper should help shed more light on the challenges of doing this well.
This tool from Facebook seems promising.
https://github.com/facebook/jsgrep
I'm new to JScript coming from a C++ world.
I'm quite surprised that expressions are evaluated at run-time. What I mean is if I added a function and didn't provide its definition, the program would "crash" (in the debugger) when I run it.
It's also funny how I can just type gibberish anywhere and only at run-time the debugger would complain.
But the "live" page wouldn't!
Is there any JScript add-on tool that checks its syntax while we type? I'm currently using Aptana Studio.
Or is the debug button equivalent to compiling in the web world? But then what if you had million lines of code and some little function was not defined or misspelled? That's a scary thought to me. =S
JSLint is considered by many to be the best syntax checker. I don't know that there is an add-in for your particular situation, but you should be able to add it to your build process pretty easily.
Update: Apparently there are some established techniques for integrating it with Aptana.
Welcome to the world of scripting!
My team's current project involves re-writing retrieval libraries in JavaScript. We are basically looking for a setup which enables us to apply test-driven development methods.
So far we plan to use Vim to write the code, no fancy IDE. For generating output we would use Spidermonkey's shell environment. JSLint could serve as a moderate syntax checking tool.
The essential question remains: How do you develop JavaScript (browser-independent) programs?
If we are already on the right track, then maybe you can supply us with a few tips and tricks.
You can test your code in Spidermonkey or Rhino (an older JS interpreter in Java), but you won't really know which browsers it works in until you test your scripts in them!
I agree with the earlier poster, using a browser-independent library like jQuery is probably a good idea.
I have not used Spidermonkey, but I know Rhino has a good debugging GUI, allowing the usual: setting breakpoints, watches, and stepping through code.
Only testing you'll make your JavaScript code browser-independent.
If you have the chance to rewrite it all, you might consider jQuery.
It's essentially browser agnostic. Or at least it requires much less object sniffing than plain javascript.
Yes,I'm using the same environment to develop standalone JS apps (vim + SpiderMonkey). I only would add up, that I've made small in-browser IDE for reading/writing/launching JS scripts on the server-side. Sometimes it's very helpful. Also, I'm looking for using WXJavascript project, which seems to be very promising.