Hide JavaScript code from the client

SOLAV · #1 December 16th, 2007, 11:46 PM

This is the only working way to completely hide your JavaScript code from the client just like PHP or ASP code.

Here we'll need the help of PHP. Here is the code:
index.php
__________________________________________________ ______

Expand|Select|Wrap|Line Numbers

 <?PHP

    @session_start(); //Start our session.

    if(@!session_is_registered('PrintTheJavaScript')){ //If the session is not registered (and it's not).

        @session_register('PrintTheJavaScript'); //Register the session.

    } // End if(@!session_is_registered('Pri...

    $_SESSION["PrintTheJavaScript"] = true; //Set the session value to TRUE.

?>

Expand|Select|Wrap|Line Numbers

 <html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=windows-1256" />

<title>Hide Javascript Code</title>

<!--Here we call our Javascript page the first time it'll provide us with our javascript code -->

<script language="javascript" src="./javascript.php"></script>

<!--

We call the same page again AND THIS IS SECOND PART OF THE TRICK.

because after we called it the first time it will set the session value to FALSE which mean it will print NOTHING

-->

<script language="javascript" src="./javascript.php"></script>

</head>

    Try to save this page or go straight from your browser to the (javascript.php) page<br>

    and see if you can get my javascript code.<br>

    YOU'LL NEVER CAN.

<body>

</body>

</html>

__________________________________________________ ___________

javascript.php
__________________________________________________ ___________

Expand|Select|Wrap|Line Numbers

 <?php

/*

     ___________________________________________________________

    |                                                                                                        |

    |    Script name: Hide Javascript Code.                                                        |

    |    Script date: 16/12/2007                                                                    |

    |    Script author: Mahr Bakr                                                                        |

    |                        admin@SOLAV.com                                                        |

    |    Script goal: Hiding the javascript code from the client like PHP & ASP        |

    |    Script license: Free for personal and commercial.                                    |

    |    *******************************************************    |

    |    Keep this note or at least point to me as the author of the script            |

    |    *******************************************************    |

    /___________________________________________________________\
 
*/

    @session_start(); //Start our session.

    header("Cache-Control: no-store, no-cache"); //Tell the browser to not cache this page (don't store it in the internet temp folder).

    header("Content-type: text/javascript"); //Let the browser think that this is a Javascript page.

    //If the session value is TRUE that means the client has opened the main page (which creates our session and sets its value to TRUE).

    if ($_SESSION["PrintTheJavaScript"] == true){

        //Now we can print our javascript code using PHP's echo command.

        echo '

        // Here is our hidden javascript source.

        var Something="This is a real hidden Javascript code";

        alert(Something);

        // End of our hidden javascript source.

        ';

    }else{

        //If the client tried to open the page straight from the browser (he is trying to see our hidden code).

        // Print some fake code or don't print anything.

    }

    //Set the session value to false AND THIS IS FIRST PART OF THE TRICK.

    //because we are going to call this page again and it'll print nothing (because $_SESSION["PrintTheJavaScript"] <> TRUE)

    //so even if the client tried to SAVE the page this page will be saved empty.

    $_SESSION["PrintTheJavaScript"] = false;

?>

See if you can get my JavaScript code. You'll never be able to. I hope this will help all of you.

acoder · #2 December 29th, 2007, 10:12 PM

Interesting. I don't know if this is completely foolproof, but this has been asked for in the past and someone may find it useful (even if just to please the boss!). Thanks for posting.

khAttAm · #3 January 7th, 2008, 08:43 AM

I've figured out how to bypass this. Period.

khattam.khattam[â+ +he Râ+e 0f]Gmâ!1[d0t]çöm

acoder · #4 January 7th, 2008, 09:03 AM

Quote:

Originally Posted by khAttAm

I've figured out how to bypass this. Period.

Care to post how?

I personally think it's futile attempting to hide JavaScript from the client anyway. Any security/password code should be on the server-side. The rest of the code may be brilliant, but there's someone out there who's probably written better code and is giving it for free.

khAttAm · #5 January 7th, 2008, 10:08 AM

Quote:

Originally Posted by acoder

Care to post how?

I personally think it's futile attempting to hide JavaScript from the client anyway. Any security/password code should be on the server-side. The rest of the code may be brilliant, but there's someone out there who's probably written better code and is giving it for free.

I personally think that hiding such a script is impossible, because the browser needs to know the script to run... and the code needs to be retrieved.. So even if they make it more secure then anyone with the most basic knowledge of how browser sends the code can easily make an app to view the code.

Anyways, for this case, here's how you can do this in different browsers:

Opera:

Open the page containing the hidden js script http://khoya.atwebpages.com/fakejs/index.php Stop executing scripts for the page.... And reload the page

Then open the location http://khoya.atwebpages.com/fakejs/javascript.php

You will see the hidden JS code.

Firefox:

Disable Javascript. Open the page containing the hidden js script http://khoya.atwebpages.com/fakejs/index.php

Then open the location http://somesite.com/somepath/javascript.php

You will see the hidden JS code.

Other Browsers:

I don't use IE and other browsers, but it should work the same way as it does on Opera and Firefox.

Disable Javascript, and then open the index page or the site containing the script in your browser eg. http://khoya.atwebpages.com/fakejs/index.php Then open the location http://khoya.atwebpages.com/fakejs/javascript.php You will see the hidden JS code.

Any Browser:

Also, you can do this from any browser: Navigate to http://khoya.atwebpages.com/fooljs/index.php

Then enter the http://khoya.atwebpages.com/fakejs/index.php , i.e. the site containing the script and then enter http://khoya.atwebpages.com/fakejs/javascript.php on the 2nd box which is the php containing the hidden script.

Then submit and then you can see the code in a textarea that you can copy.

However, this was a gud attempt, which can certainly scare n00bs away!!

acoder · #6 January 7th, 2008, 12:10 PM

Good stuff. As simple as you like!

gits · #7 January 8th, 2008, 08:39 AM

Quote:

Originally Posted by acoder

I personally think it's futile attempting to hide JavaScript from the client anyway. Any security/password code should be on the server-side. The rest of the code may be brilliant, but there's someone out there who's probably written better code and is giving it for free.

that's really true :) ... the combination of html/css/javascript is a open-source combination per se ... and there is no reason why somebody should hide his javascript-code only for this simple idea ... we get nearly everything from the web itself to build pages, apps whatever for it ... and we should return the favour back to it and its users/developers ... besides that i think there is no reliable way to hide js-code :) ... i'm aware of the requirement that some things have to be hidden ... especially business logic or authentication- and other security or business-relevant things ... but this is a challenge for the developer ... to make a good architecture that makes use of the server- and clientside in a manner that justifies all requirements ... so the client simply shouldn't handle security-relevant things ... and when it wouldn't be security or business relavant ... why hide it then? have a look at that bunch of javascript-frameworks ... even good or bad ones ... you may always use them for free ... and you may extend, modify them or whatever ... and the guys who developed them certainly spent a lot of time for it ... but it is free! i really think ... everything that is coded with javascript is open source ... not only technically but has also to be considered so!!! ... if you don't want it ... make it serverside and don't publish it ... since you cannot avoid publishing/deploying the code :) ... may be with the current ajax-wave in webdevelopment there might be a chance that browsers may be extended to handle js-code in a compiled way or something like that in the future ... but i didn't ever hear about that idea nor i think that this should be done :)

hdanw · #8 February 1st, 2008, 11:37 PM

Quote:

Originally Posted by acoder

Care to post how?

I personally think it's futile attempting to hide JavaScript from the client anyway. Any security/password code should be on the server-side. The rest of the code may be brilliant, but there's someone out there who's probably written better code and is giving it for free.

There can't always be someone better, THere has to be a best somewhere.

There are several reasons to hide code.

Keeping your patents profitable are one of them.

Keeping data sources safe are another.

I have seen web sites that had the View->source button disabled .

Wish I had bookmarked it, becuase when I started looking for how to do that no-one seems to know.

acoder · #9 February 2nd, 2008, 01:46 PM

Quote:

Originally Posted by hdanw

There can't always be someone better, THere has to be a best somewhere.

I meant for the people who usually ask these sorts of questions.

Quote:

Originally Posted by hdanw

There are several reasons to hide code.

Keeping your patents profitable are one of them.

Keeping data sources safe are another.

If you want to keep anything safe, leave it on the server side. As for the actual code, you can make the job harder for anyone who wants to copy by obfuscating or encryting/encoding it.

gits · #10 February 4th, 2008, 09:29 AM

Quote:

Originally Posted by hdanw

Keeping your patents profitable are one of them.

then don't publish them to the client ... writing javascript code is ALWAYS publishing the code to the client, since the code has to be interpreted by the browser ...

Quote:

Originally Posted by hdanw

Keeping data sources safe are another.

this is a very simple architecture-issue - again!: don't publish security relevant things to the client ... don't embed sql, passwords, usernames in javascript-code!! even when using ajax you should build a secure server-application that allow you to call the nessecary services without the need of publishing sensitive data!

Quote:

Originally Posted by hdanw

I have seen web sites that had the View->source button disabled .

so i would simply have to look at the downloaded tempory web-files where everybody could have a look at your code ... even everybody could change it ... so it is simply not reliable to rely on javascript-code for the reasons you mentioned ... so simply don't use it for that!

of course you could make it harder for users to read the javascript-code ... but you cannot avoid it ... it IS not reliable and everybody should be aware of it ... use the technology that suits the requirements ... a Database for storing data, serverside scripting/coding to connect a webfrontend with the database ... and use clientside scripting with javascript to enhance usability but don't code business-logic here!

kind regards

hdanw · #11 February 4th, 2008, 08:34 PM

Quote:

Originally Posted by gits

then don't publish them to the client ... writing javascript code is ALWAYS publishing the code to the client, since the code has to be interpreted by the browser ...

kind regards

I have a situation where I have a lot of processor intensive code, that Can be run on the client side, but I don't want to expose the algo.

Would you recomend a downloadable executable that also processes the web content?

If so, aren't we talking about a Hibred Web Browser? Why don't we build one?

It would be real simple to include a client key in the browser information, that could be used to encrypt "locked" code in php, or asp.net.

The code is then deencrypted on the client and ran while locking the source to prying eyes.

Again its only as safe as keeping the encryption algorithms hush hush, changing them periodically, etc..

I was told once that someone had an active x plug in that would hide code. I went to his site, and not having the active X control, had no problems emailing his code back to him.

acoder · #12 February 7th, 2008, 10:17 AM

Quote:

Originally Posted by hdanw

I have a situation where I have a lot of processor intensive code, that Can be run on the client side, but I don't want to expose the algo.

Is it just the algorithm that you want to hide?

Quote:

Originally Posted by hdanw

Would you recomend a downloadable executable that also processes the web content?

If so, aren't we talking about a Hibred Web Browser? Why don't we build one?

It would be real simple to include a client key in the browser information, that could be used to encrypt "locked" code in php, or asp.net.

The code is then deencrypted on the client and ran while locking the source to prying eyes.

Again its only as safe as keeping the encryption algorithms hush hush, changing them periodically, etc..

There are ways to encrypt, but that would still require the decrypting code to be seen.

Quote:

Originally Posted by hdanw

I was told once that someone had an active x plug in that would hide code. I went to his site, and not having the active X control, had no problems emailing his code back to him.

There are some IE-only 'solutions'.

Kelicula · #13 February 12th, 2008, 09:29 PM

There are also methods for hiding the purpose of the code, from the client through obfuscation.

Example:

Expand|Select|Wrap|Line Numbers

 
var e;function q(){

for(w=0;w<e.length;w++){

var yhtegfr = e.substr(0, 3);

var uhytf= e.substr(yhtegfr, -1);

if(x<23){

setTimeout(window.status=uhytf,2000);

x--;

}else{tegf();x--}

}}

e="abcdefghijklmnop";//qrstuvwxyz";

function tegf(){

document.write("hello\n");

}

var x=100;q();

// Crazy head ache of a script...

All it does is write hello to the screen 16 times..

acoder · #14 February 13th, 2008, 07:49 AM

Quote:

Originally Posted by Kelicula

There are also methods for hiding the purpose of the code, from the client through obfuscation.

You can do better than that ;) But, I take your point. However, unless you have something which converts nice, clean code into ugly, obfuscated code, you're the one that's going to suffer if you need to change anything.

Kelicula · #15 February 13th, 2008, 04:11 PM

Quote:

Originally Posted by acoder

You can do better than that ;) But, I take your point. However, unless you have something which converts nice, clean code into ugly, obfuscated code, you're the one that's going to suffer if you need to change anything.

That is true.

Yeah I just through that together real quick, but you got the idea.

peterlord · #16 February 17th, 2008, 07:24 PM

Anybody think this obfuscator could be reliable? http://www.stunnix.com/prod/jo/javascript-obfuscator-overview.shtml

I haven't needed nor used an obfuscator before. My client's requirement is for my javascript to be 100% safe. Is server-side coding the only 100% safe method for preventing code viewing in browsers?

Kelicula · #17 February 17th, 2008, 10:49 PM

Quote:

Originally Posted by peterlord

Anybody think this obfuscator could be reliable? http://www.stunnix.com/prod/jo/javascript-obfuscator-overview.shtml

I haven't needed nor used an obfuscator before. My client's requirement is for my javascript to be 100% safe. Is server-side coding the only 100% safe method for preventing code viewing in browsers?

Yes. The only 99% safe way is server-side.
I say 99% because even then, it's hackable.

But no matter how obfuscated it gets theres always someone that can crack it.

Of, course that's just my opinion.

acoder · #18 February 18th, 2008, 08:28 AM

Quote:

Originally Posted by Kelicula

Yes. The only 99% safe way is server-side.
I say 99% because even then, it's hackable.

But no matter how obfuscated it gets theres always someone that can crack it.

Of, course that's just my opinion.

My opinion too and of many others more knowledgeable than us ;)

acoder · #19 February 18th, 2008, 08:32 AM

Quote:

Originally Posted by peterlord

I haven't needed nor used an obfuscator before. My client's requirement is for my javascript to be 100% safe.

When you say 100% safe, do you mean that it's safe from prying eyes? Why does it need to be hidden? See some of the comments earlier (if you haven't already).

hsriat · #20 February 22nd, 2008, 07:50 AM

IE supports something called Jscript-encode. But its major drawback is that it won't run on any browser other than IE.

gits · #21 February 22nd, 2008, 04:21 PM

Quote:

Originally Posted by hsriat

IE supports something called Jscript-encode. But its major drawback is that it won't run on any browser other than IE.

not even that ... its reverse engineered too :) look here

kind regards

hsriat · #22 February 22nd, 2008, 04:29 PM

Quote:

Originally Posted by gits

not even that ... its reverse engineered too :) look here

kind regards

Yeah I read that! Poor IE guys! :D

Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

re: Hide JavaScript code from the client

/bytes/development

/bytes/it

/bytes/about