WebApp Sec mailing list archives
Re: Web Forms filtered with SQL constraints
From: "saphyr" <saphyr () infomaniak ch>
Date: Fri, 15 Oct 2004 11:13:20 +0200
Hi list ! HTML code source can be obfuscated through a javascript method. BUT obfuscation only means what it means: obfuscation and neither 'encryption' nor 'hashing'. Javascript has access to the document object model at runtime. Many document childs do have some 'value' or 'text' or even 'innerhtml' members, which can be modified at run time. Here's an example of what you might be interrested into. Please take assumption that I quite never code in javascript so that this only a proof of concept, and might have many errors in it... ---------------------jsscript.asp---------------------------- var longstring = "iucpoint48cn09450945u90newuwpio.... ... many lines of longstring.... dfjkséfkj"; function decrypt(astring) { //some decryption algorithm here } ---------------------jsscript.asp---------------------------- ---------------------obfuscated.html---------------------------- <script src="jsscript.asp"> <script> var contentComponent = document.getElementById("pagecontent"); contentComponent.innerHTML = decrypt(longstring); </script> <div id="pagecontent"> </div> ---------------------obfuscated.html---------------------------- The game here is to generate the 'jsscript.asp' dynamically in order to put the encrypted string into it. The hacker will have to understand the decryption algorithm to decipher the text. Assuming the decryption algorithm should be clearly accessible, this method should only be used as an end-user protection measure. Any good hacker will quickly find the way to reverse the decryption algorithm. my 2 swiss francs.. .antoine ------------oOoo---Ôô----ooOo--------------------------- http://www.nxtg.net/saphyr/ (blog perso) http://www.nxtg.net/is/ (blog - fr - communication web) http://dotnetjunkies.com/weblogs/afontes/ (blog - fr - communication web) E-mail: monprenom () mondomaine net -------------------------------------------------------------
Current thread:
- Netware ichain, (continued)
- Netware ichain Taki Waki (Oct 06)
- RE: Netware ichain Eyal Udassin (Oct 07)
- Netware ichain Taki Waki (Oct 06)
- Re: Web Forms filtered with SQL constraints Tom Stowell (Oct 07)
- RE: Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 09)
- RE: Web Forms filtered with SQL constraints RSnake (Oct 12)
- RE: Web Forms filtered with SQL constraints Dr Death (Oct 12)
- Re: Web Forms filtered with SQL constraints Emil Filipov (Oct 14)
- RE: Web Forms filtered with SQL constraints Michael Silk (Oct 12)
- RE: Web Forms filtered with SQL constraints Michael Silk (Oct 12)
- RE: Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 14)
- Re: Web Forms filtered with SQL constraints saphyr (Oct 15)
- Re: Web Forms filtered with SQL constraints RSnake (Oct 16)
- Re: Web Forms filtered with SQL constraints saphyr (Oct 15)