WebApp Sec mailing list archives
RE: Web Forms filtered with SQL constraints
From: focus () karsites net
Date: Fri, 8 Oct 2004 10:31:57 +0000 (GMT)
To protect your code, you could try using a JavaScript Obfuscator. This will make your JS very hard to understand. Or write some sed, perl and bash scripts to obfuscate your own JS code. (This is not to enable client-side security checking, just to protect your code from other people's prying eyes!)

I have written a set of beta scripts to obfuscate my php code. Each variable name begins with "$v_" in the source code. The scripts use sed to replace the variable name "$v_my_var_names" with "$vn". So $v_this_var becomes $v1; $v_that_var becomes $v2, etc, etc.

Same applies to php functions. The function names are replaced with fn for the name, where n is the sequence number as the conversion takes place.

Also, all line endings are removed, making the source code effectively one long line. Plus other mods such as stripping out all comments. Anyone trying to alter the source code will have a pretty tough time trying to debug it, as the php interpreter flags all error messages as being on line 1 :-).

**BEFORE OBFUSCATING**

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<!-- ======================================================================= -->
<!-- Copyright (c) 2000-2004 Keith Anthony Roberts U.K. ALL RIGHTS RESERVED. -->
<!-- ======================================================================= -->

<!-- php4 include file containing user buttons for muxreg homepage -->
<!-- last updated 15-JAN-2004 -->
<!-- use list.com to print this out - or required sections thereof -->
<!-- ========================================================== -->

<HTML>
<HEAD>
<META name="description" content="Free online mutual exchange register for Kings Lynn area and surrounding villages. For use by council or housing association tenants only">
<META name="keywords" content="'Kings Lynn', mutual, exchange, register">
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<TITLE> </TITLE>
</HEAD>
<!-- ========================================================== -->
<BODY>

<?php // into php4 mode

/*-----------------------------------------------------*/
/* Anyuser return to muxreg website home page button   */
/*-----------------------------------------------------*/

function anyuser_HOMEPAGE_button($v_text) {

    // declare the following variables as global to access them
    global $v_host_name;
    global $v_debug_value;
    global $v_table_output;
    global $v_advcd_search;
?>
<!-- back into HTML mode -->

<FORM ACTION="./muxreg.hml" METHOD="POST">
<P ALIGN=CENTER>
<INPUT TYPE="SUBMIT" VALUE="<?php echo $v_text; ?>">
</P>
<!-- ========================================================== -->
<!-- pass the following hidden variables with the form -->
<INPUT TYPE="HIDDEN" NAME="v_host_name" VALUE="<?php echo $v_host_name; ?>">
<INPUT TYPE="HIDDEN" NAME="v_debug_value" VALUE="<?php echo $v_debug_value; ?>">
<INPUT TYPE="HIDDEN" NAME="v_table_output" VALUE="<?php echo $v_table_output; ?>">
<INPUT TYPE="HIDDEN" NAME="v_advcd_search" VALUE="<?php echo $v_advcd_search; ?>">
<!-- ========================================================== -->
</FORM>

<?php // back into php mode

} // end of function anyuser_HOMEPAGE_button($v_text)
/*-------------------------------------------------------------*/

/*-----------------------------------------*/
/* About this site and User Guide button   */
/*-----------------------------------------*/

function ABOUT_SITE_button($v_text) {

    // declare the following variables as global to access them
    global $v_debug_value;
    global $v_table_output;
    global $v_advcd_search;
?>
<!-- back into HTML mode -->

<FORM ACTION="./about.hml" METHOD="POST">
<P ALIGN=CENTER>
<INPUT TYPE="SUBMIT" VALUE="<?php echo $v_text; ?>">
</P>
<!-- ========================================================== -->
<!-- pass the following hidden variables with the form -->
<INPUT TYPE="HIDDEN" NAME="v_debug_value" VALUE="<?php echo $v_debug_value; ?>">
<INPUT TYPE="HIDDEN" NAME="v_table_output" VALUE="<?php echo $v_table_output; ?>">
<INPUT TYPE="HIDDEN" NAME="v_advcd_search" VALUE="<?php echo $v_advcd_search; ?>">
<!-- ========================================================== -->
</FORM>

<?php // back into php mode

} // end of function ABOUT_SITE_button($v_text)
/*-------------------------------------------------------------*/

The above code AFTER OBFUSCATING

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML> <HEAD> <META name="description" content="Free online mutual exchange register for Kings Lynn area and surrounding villages. For use by council or housing association tenants only"> <META name="keywords" content="'Kings Lynn', mutual, exchange, register"> <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <TITLE> </TITLE> </HEAD> <BODY> <?php function f107($v159) { global $v97; global $v32; global $v153; global $v4; ?> <FORM ACTION="./muxreg.hml" METHOD="POST"> <P ALIGN=CENTER> <INPUT TYPE="SUBMIT" VALUE="<?php echo $v159; ?>"> </P> <INPUT TYPE="HIDDEN" NAME="v97" VALUE="<?php echo $v97; ?>"> <INPUT TYPE="HIDDEN" NAME="v32" VALUE="<?php echo $v32; ?>"> <INPUT TYPE="HIDDEN" NAME="v153" VALUE="<?php echo $v153; ?>"> <INPUT TYPE="HIDDEN" NAME="v4" VALUE="<?php echo $v4; ?>"> </FORM> <?php } function f1($v159) { global $v32; global $v153; global $v4; ?> <FORM ACTION="./about.hml" METHOD="POST"> <P ALIGN=CENTER> <INPUT TYPE="SUBMIT" VALUE="<?php echo $v159; ?>"> </P> <INPUT TYPE="HIDDEN" NAME="v32" VALUE="<?php echo $v32; ?>"> <INPUT TYPE="HIDDEN" NAME="v153" VALUE="<?php echo $v153; ?>"> <INPUT TYPE="HIDDEN" NAME="v4" VALUE="<?php echo $v4; ?>"> </FORM> <?php }

These scripts are still in beta, and a bit buggy, but if anyone wants a copy for downloading and experimenting with, they are at:

http://www.karsites.net/KAR/websites/pub/computing/obfs/

The main bash script lives at:

http://www.karsites.net/KAR/websites/pub/computing/obfs/grep/encrypt-muxreg-website

Maybe we can write a GPL'd set of encryption scripts, based on what I have already started, if anyone wants to continue this as a project with me.

Any questions, please email me.

Regards - Keith Roberts

On Wed, 6 Oct 2004, V. Poddubnyy wrote:
To: 'Bénoni MARTIN' <Benoni.MARTIN () libertis ga>, webappsec () securityfocus com
From: V. Poddubnyy <vpoddubniy () mail ru>
Subject: RE: Web Forms filtered with SQL constraints

Hello! But I have 2 questions:
- How can I hide my Jscript filtering from the user? When I want to see the source, everything is displayed, quite normal :( ...
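The renaming pass Keith describes, written out as an added example; this is not his sed/bash script and is not on the page. Assumptions: names are numbered in first-seen order (the post's numbers such as $v97 and f107 come from an index over his whole site, not this one file), only $v_-prefixed identifiers and declared PHP functions are renamed, and the sample input is a constructed include file modelled on the posted one. Two details worth seeing in working code: comments are stripped with strings kept intact, so a URL in a string survives while the same text in a // comment is dropped; and the hidden-field NAME attributes are renamed along with the variables, exactly as the posted output does, which is why one mapping has to be kept stable across every page that posts or reads those fields. demangle() shows the other side of the coin: whoever holds the map, or can read the obfuscated source on the server, gets the names straight back, so this reduces readability and nothing more, which is the limit Keith himself puts on it.

```python
import re

# Split a PHP file into <?php ... ?> blocks and the HTML between them.  The
# closing tag is optional so an include file that ends in PHP mode still parses.
PHP_BLOCK = re.compile(r'(<\?php)(.*?)(\?>|\Z)', re.S)

# Inside PHP: strings are matched first so that "http://..." in a string
# literal is kept, while /* ... */, // ... and # ... comments are dropped.
PHP_STRING_OR_COMMENT = re.compile(
    r'"(?:\\.|[^"\\])*"'        # double-quoted string (kept)
    r"|'(?:\\.|[^'\\])*'"       # single-quoted string (kept)
    r'|/\*.*?\*/'               # block comment (dropped)
    r'|(?://|#)[^\n]*',         # line comment (dropped)
    re.S)
HTML_COMMENT = re.compile(r'<!--.*?-->', re.S)

FUNC_DEF = re.compile(r'\bfunction\s+(\w+)\s*\(')   # PHP function definitions
V_IDENT = re.compile(r'\bv_\w+')                    # $v_name and NAME="v_name"


class Obfuscator:
    """Sequential renamer.  One instance must be used for the whole site: the
    hidden-field NAME attributes are renamed too, so the page that reads
    $_POST['v_host_name'] must see the same number as the page that posts it."""

    def __init__(self):
        self.vars = {}    # original name -> vN
        self.funcs = {}   # original name -> fN

    @staticmethod
    def _strip_php_comments(body):
        return PHP_STRING_OR_COMMENT.sub(
            lambda m: m.group() if m.group()[0] in '"\'' else '', body)

    def strip_comments(self, text):
        out, pos = [], 0
        for m in PHP_BLOCK.finditer(text):
            out.append(HTML_COMMENT.sub('', text[pos:m.start()]))
            out.append(m.group(1) + self._strip_php_comments(m.group(2)) + m.group(3))
            pos = m.end()
        out.append(HTML_COMMENT.sub('', text[pos:]))
        return ''.join(out)

    def obfuscate(self, text):
        text = self.strip_comments(text)   # first, so comment-only names never take a number
        for name in FUNC_DEF.findall(text):
            self.funcs.setdefault(name, 'f%d' % (len(self.funcs) + 1))
        for name in V_IDENT.findall(text):
            self.vars.setdefault(name, 'v%d' % (len(self.vars) + 1))
        for old, new in self.funcs.items():
            text = re.sub(r'\b%s\b' % re.escape(old), new, text)
        text = V_IDENT.sub(lambda m: self.vars[m.group()], text)
        # Collapse every line break (and the indentation around it) to one space:
        # the whole file becomes "line 1" as far as the PHP interpreter is concerned.
        return re.sub(r'\s*\n\s*', ' ', text).strip()

    def demangle(self, text):
        """Reverse the renaming with the stored map.  Anyone holding the map, or
        simply reading what each vN is used for, gets the original names back."""
        for old, new in self.funcs.items():
            text = re.sub(r'\b%s\b' % new, old, text)
        for old, new in self.vars.items():
            text = re.sub(r'\b%s\b' % new, old, text)
        return text


# Constructed sample input, modelled on the include file in the post (not the
# posted file itself).  The same URL appears in a comment and in a string.
SAMPLE_BEFORE = """<!-- php4 include file: user buttons -->
<?php // into php4 mode
/* About this site button */
function ABOUT_SITE_button($v_text) {
    global $v_debug_value; // http://example.invalid in a comment is dropped
    $v_url = "http://example.invalid/about.php";
?>
<FORM ACTION="<?php echo $v_url; ?>" METHOD="POST">
<INPUT TYPE="SUBMIT" VALUE="<?php echo $v_text; ?>">
<INPUT TYPE="HIDDEN" NAME="v_debug_value" VALUE="<?php echo $v_debug_value; ?>">
</FORM>
<?php } // end of function ABOUT_SITE_button($v_text) ?>
"""


def run_sample():
    """Obfuscate the sample, then undo it with the same map."""
    obf = Obfuscator()
    out = obf.obfuscate(SAMPLE_BEFORE)
    return out, obf.demangle(out), obf.vars, obf.funcs


if __name__ == '__main__':
    obfuscated, restored, var_map, func_map = run_sample()
    print(obfuscated)
    print(func_map, var_map)
    print(restored)
```

Feeding several files through one Obfuscator instance is what keeps NAME="v2" on the posting page equal to the $v2 the receiving page reads; a fresh instance per file would renumber them and silently break every form on the site.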