Javascript Cloaking | Javascript theft
Results 1 to 5 of 5

Thread: Javascript Cloaking | Javascript theft

  1. #1
    Junior Member
    Join Date
    Oct 2001
    Posts
    13

    Javascript Cloaking | Javascript theft

    I found a way to cloak the javascript from the HTML output,
    there is no way to find the Javascript source in the HTML output,
    not even by following links or sources( e.g src="javasource.js ) you can find the source of the javascript.

    This way to hide/cloak javascripts is to hide it in cookies on the clients machine. If you have with a individual that really want to have the javascript he will find it by looking through the cookies on the local machine. But the average javascript stealer are not willing/good enough to do alot of effort to get the script, they just copy cool things they see, but now they cannot do that anymore, because it is hidden in his cookies.

    If you combine this with Expire date on the cookie, the cookie will be dead before he got the oppurtunity to copy the javascript code from it. ( Don't know if all browsers delete expired cookies )
    And therefore he will not be able to reuse/steal your copyrighted javascript code.

    You can also combine this with encryption to make it more harder to get the sourcecode of your precious javascripts.

    Under you have the example code using JavascriptCloaker with ASP.

    You can use this with ASP,PHP,ColdFusion or whatever you want, as the cookie is set it all done on the client side.

    <Code>

    <%@ LANGUAGE = JSCRIPT %>
    <%
    Response.Cookies( "AlertTest" ) = "<Script>\r\nalert( \"Javascript have been cloaked\" )\r\n</Script>\r\n";
    %>
    <html>
    <head>
    <title>Javascript Cloaking using cookies to hide javascripts</title>
    <script>
    function javascriptCloaker( CookieName ) {

    // @Author Zrekam of badsystems.com 2003

    var cookie = document.cookie;
    var checkCookie = cookie.indexOf( "; " + CookieName + "=" );

    if( checkCookie != -1 ) {
    var start = checkCookie + CookieName.length + 3;
    var end = 0;

    var testEnd = cookie.indexOf( ";", start );

    if( testEnd != -1 ) {
    end = testEnd;
    }
    else{
    end = cookie.length;
    }

    var cookieInfo = cookie.substring( start, end );

    cookieInfo = cookieInfo.replace( /%3C/g, "<" );
    cookieInfo = cookieInfo.replace( /%3E/g, ">" );
    cookieInfo = cookieInfo.replace( /%0D/g, "\r" );
    cookieInfo = cookieInfo.replace( /%0A/g, "\n" );
    cookieInfo = cookieInfo.replace( /\+/g, " " );
    cookieInfo = cookieInfo.replace( /%3D/g, "=" );
    cookieInfo = cookieInfo.replace( /%28/g, "(" );
    cookieInfo = cookieInfo.replace( /%22/g, "\"" );
    cookieInfo = cookieInfo.replace( /%29/g, ")" );
    cookieInfo = cookieInfo.replace( /%3B/g, ";" );
    cookieInfo = cookieInfo.replace( /%2E/g, "." );
    cookieInfo = cookieInfo.replace( /%3A/g, ":" );
    cookieInfo = cookieInfo.replace( /%5C/g, "\\" );
    cookieInfo = cookieInfo.replace( /%2C/g, "," );
    cookieInfo = cookieInfo.replace( /%2F/g, "/" );
    cookieInfo = cookieInfo.replace( /%5B/g, "[" );
    cookieInfo = cookieInfo.replace( /%5D/g, "]" );
    cookieInfo = cookieInfo.replace( /%27/g, "'" );
    cookieInfo = cookieInfo.replace( /%2A/g, "*" );
    cookieInfo = cookieInfo.replace( /%2D/g, "-" );
    cookieInfo = cookieInfo.replace( /%5F/g, "_" );
    cookieInfo = cookieInfo.replace( /%21/g, "!" );
    cookieInfo = cookieInfo.replace( /%26/g, "&" );
    cookieInfo = cookieInfo.replace( /%40/g, "@" );
    cookieInfo = cookieInfo.replace( /%23/g, "#" );
    cookieInfo = cookieInfo.replace( /%24/g, "$" );
    cookieInfo = cookieInfo.replace( /%25/g, "%" );
    cookieInfo = cookieInfo.replace( /%7B/g, "{" );
    cookieInfo = cookieInfo.replace( /%7D/g, "}" );
    cookieInfo = cookieInfo.replace( /%3F/g, "?" );

    document.write( cookieInfo );
    }
    }
    </script>
    </head>
    <body>
    Cloaked.
    <script>
    javascriptCloaker( "AlertTest" );
    </script>
    </body>
    </html>

    </Code>

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    It's a complicated, possibly inefficient and unreliable way of getting scripts into the browser.

    Add that to the fact that any sufficiently determined adversary can get the code anyway.

    Also there is probably a limited length for a cookie.

    So I wouldn't bother if I were you

    Slarty

  3. #3
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Considering the encoding is done with javascript....you can get the code.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  4. #4
    Banned
    Join Date
    Jul 2003
    Posts
    325
    Why not try server side scripting if possible? It *can* be more secure.

  5. #5
    Junior Member
    Join Date
    Oct 2001
    Posts
    13
    It is actually saving the user of bandwidth because he only need to load the script once into the cookie, when caching of the page is off.

    It may be a more complicated to use compared to regular placing of javascript, but it is more secure, because the regular script stealer isn't interested in doing alot of work getting the complete script. So if you have stored the script into one or more cookies depending on the size of your script, then you have cloaked your script away from the webpage, where everyone looks for the scripts. Here many newbies/script rippers fall off because they lack the knowledge to know where the script are hidden.

    Even many experienced webdevelopers would not bother to put togheter a script that is put into multiple cookies.

    My point by posting this was that there is many ways to secure your scripts from being stolen.
    If you have a cool new script you want to protect a little this is a possible way.

    It can also be smart to have field validation in this cookie so people can't at firsthand see how you check your form fields for abuse.

    Another way to protect your scripts, or combined with this is to use the browsers No cache methods in the Meta tags, and also set a session variable that tells if the page is loading or not, if the page is loading the script is allowed to be loaded, as a src="/script/myscript.js" not included in the html page.

    Drunk: Server side scripting is not possible to use on the client side, this are scripts that does e.g dynamic user interactions on a page, maybe a javascript menu or something like that.
    It is very easy to steals/rip off scripts nowadays, so this is just another way to protect your client scripts.

    Many people have used other methods, like putting alot of whitespaces to get the script long away.

    I don't say this is the best most efficient way, but it is better than having the code in the html file.

    I just like fumbling around with new ideas.

    Do you guys think this can be used to load scripts into a cookie and then be able to run/execute this scripts from the local area zone in internet explorer, then you will be able to silenty load programs into a clients machine, or run already available programs on the clients machine, pretty scary if that works.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides