lance_haoh — 2013-04-11T03:06:04-04:00 — #1
Hi. I am doing some research on JS and PHP code obfuscation. It seems that there are many methods to do this: base64, gz_inflate, etc. Custom algorithms could even be used for obfuscation purposes. I am simply overwhelmed by the number of obfuscation techniques.
I have two questions which I am unsure of:
- How do we detect obfuscated code since there are so many algorithms that could be used?
- How do we run obfuscated code? Do we need to de-obfuscate it first?
I apologise if my questions are amateur. I am just a beginner in Computer Security.
logic_earth — 2013-04-11T04:07:52-04:00 — #2
First and foremost. DO NOT USE code obfuscation. It is just worthless.
1) You can detected obfuscated code easily, its looks like a mass of random letters and number and other things. Detecting what obfuscating algorithm requires reversing the de-obfuscated function.
2) Depends on how it was obfuscated, is some cases yes in others no.
In either case. Do not bother.
wwb_99 — 2013-04-12T11:11:03-04:00 — #3
Security-wise it is no help -- it is a poor attempt at Security by Obscurity which is very little security when it comes down to it.
mittineague — 2013-04-12T14:16:15-04:00 — #4
I agree with not obfuscating code.
This is not to say you shouldn't consider minification, which has some similarities in that it is difficult for people to read.
jQuery is a good example of how much file weight can be saved by minification. But I sure wouldn't want to work with the minified version.