Decoding obfuscated Javascript


SANS had recently a posting about methods to decode obfuscated Javascript, and I just wanted to mention 2+1 tools here:

  • In Firefox you can use the View Source Chart extension to view the source after the javascript has executed. There is also the versatile Firebug, but IMHO that’s an overkill for this.
  • For Internet Explorer there is the Internet Explorer Developer Toolbar which is free (as in beer) and as of writing this required no WGA silliness.
  • And the bonus tips: if you are using Firefox, it may be worth to install the User Agent Switcher plugin and to switch to IE, because exploit sites were known for trying to serve up different exploits for different browsers. If you encounter scripts of type JScript.encoded or VBScript.encoded, you should find this tool useful.

Warning! These methods actually execute the script on your machine! They should be used with extreme care, and preferably only in controlled virtual machines or computers not connected to network.

, ,

4 responses to “Decoding obfuscated Javascript”

  1. It is always a game of economics. Spammers will go after the “low hanging fruit” (that is addresses which can be found simply by searching through the page) until a sizable amount of people start using javascript “encoding”.

    Also, most of these techniques either rely on manual decoding (which isn’t done by spammers because spam is a number game because you have to get very large quantities of emails out to get some response) or are too limited for them to bypass more than just the very basic javascript encoders.

    In conclusion: by using javascript encoders you will be safe for a very long time. Also, you can always use a contact form which is an other nice way to avoid spam resulting from harvesters. Me? I just put out my address as many places I can to see what interesting spam is out there, but I have to say that Yahoo does a pretty decent job of eliminating it.

  2. I need to obfuscate my Javascript code which took me a long time to write and a lot of effort. Can you please recommend a free product that will do this?

  3. As a rule of thumb I don’t recommend solutions like obfuscators, because (in my opinion) if somebody wants to steal your software, s/he will and s/he won’t pay for it (ie. the percent of people who you can “force” to pay by using protection schemes is very, very low).

    This said, I would start with a javascript minimization program, like the YUI compressor: http://www.julienlecomte.net/yuicompressor/

    It will make your code load faster and make it difficult enough reading it to make the occasional inspection hard.

Leave a Reply

Your email address will not be published. Required fields are marked *