Sunday, January 25, 2009

JavaScript Obfuscators

I got some comments and suggestions on this entry so, I have updated it.

There are lots of commercial and open source Javascript obfuscators for legitimate use, such as enhancing the web page performance. Hackers are using the same tools to hide the malicious activity of their Javascript code, here is a small list of some of the available tools:

Free/Open-source JS Obfuscators:
http://www.javascriptobfuscator.com/Default.aspx
http://dean.edwards.name/packer/
http://www.shaneng.net/index.php?n=Main.JavaScriptObfuscator
http://scriptasylum.com/tutorials/encdec/javascript_encoder.html
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
http://www.jimmyleo.com/work/FreShowStart.htm

Commercial JS Obfuscators (some has full functional, time-trial versions):
Jasob3:
http://www.jasob.com/
Thicket obfuscator:
http://www.semdesigns.com/Products/Obfuscators/ECMAScriptObfuscator.html
Javascript obfuscator:
http://www.javascript-source.com/javascript-obfuscator.html
Stunnix:
http://www.stunnix.com/prod/jo/
SOC:
http://www.codehouse.com/products/soc/
TrickyScripter:
http://trickyscripter.com/
ESC:
http://www.saltstorm.net/depo/esc/

Quick notes:
- At the end of the day, the obfuscated code will be running on the browser without obfuscation, so this should not be considered as a security feature.
- The only reason from my point-of-view to study obfuscation is by the web filtering vendors to make sure that their internet filtering solutions can decode the obfuscated code before passing it to the end-user.

Some of the obfuscation techniques:
Character encoding, randomization of variables and function names, strings manipulation, comments insertion, code nesting, code shuffling, new line characters and NOPs, and encryption.

No comments: