RE: Here's An Example: WAS [Hiding Javascript Source]
Just wanted to change the subject so you wouldn't think it's another "you can't do it" message.

http://www.becomenew.com/jsGuard/

-Brad

-----Original Message-----
From: Brad Roberts [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 7:32 AM
To: CF-Talk
Subject: RE: Hiding Javascript Source

See what you guys think... any comments appreciated.

http://www.becomenew.com/jsGuard/

-Brad

-----Original Message-----
From: Peter Harrison [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 3:26 AM
To: CF-Talk
Subject: RE: Hiding Javascript Source

Yes, Brad, I'd like to see your hiding technique please. Of course, we know it's just reversible obfuscation or making it a _little_ more work to find.

Also, have you seen this: http://www.jimworld.com/tools/javascript-encrypt/

It obfuscates the JavaScript code, but the trick to decrypting the whole lot is the document.write at the end of the code that is generated. If you can document.write it, you can also output it so you can copy it. Fun fun fun.

- Peter

-----Original Message-----
From: Kwang Suh [mailto:[EMAIL PROTECTED]
Sent: 30 July 2003 06:36
To: CF-Talk
Subject: Re: Hiding Javascript Source

If it's on my computer, I can get at it.

----- Original Message -----
From: Brad Roberts [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, July 29, 2003 8:04 PM
Subject: SOT: Hiding Javascript Source

I think I've found a way to hide Javascript source. Has anyone done this yet? I'll post an example if anyone is interested.

-Brad

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Get the mailserver that powers this list at http://www.coolfusion.com
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: Here's An Example: WAS [Hiding Javascript Source]
> Just wanted to change the subject so you wouldn't think it's another "you can't do it" message.
>
> http://www.becomenew.com/jsGuard/

If you set your "Check for newer versions of stored pages" to "Never", then you can view it.

It's stored in cache, so it won't try to re-get the page.

Nice idea though.

Although you could always do something incredibly similar just using CGI.HTTP_REFERER rather than putting the UUID on the URL.
RE: Here's An Example: WAS [Hiding Javascript Source]
I downloaded the script with no problem, as follows:

1. Viewed the URL for your jsguard example.
2. Right click in page, choose View Source.
3. Copied the JS file into clipboard, i.e.: myJavascript.cfm?id=1BE8AD56-8DC2-4255-8AB5F51A580DD683
4. Paste clipboard to end of current URL, i.e. http://www.becomenew.com/jsGuard/myJavascript.cfm?id=1BE8AD56-8DC2-4255-8AB5F51A580DD683
5. Press Enter
6. View source - reveals all source code.

What does this one do to hide it? I think I missed the feature by mistake.

- Peter

-----Original Message-----
From: Brad Roberts [mailto:[EMAIL PROTECTED]
Sent: 30 July 2003 12:54
To: CF-Talk
Subject: RE: Here's An Example: WAS [Hiding Javascript Source]

Just wanted to change the subject so you wouldn't think it's another "you can't do it" message.

http://www.becomenew.com/jsGuard/

-Brad
Re: Here's An Example: WAS [Hiding Javascript Source]
Brad Roberts wrote:
> Just wanted to change the subject so you wouldn't think it's another "you can't do it" message.
>
> http://www.becomenew.com/jsGuard/

Doesn't work. In FireBird, I changed the URL in the address bar to
view-source:http://www.becomenew.com/jsGuard/
which tells me the name of the javascript. Then I changed the URL to
view-source:http://www.becomenew.com/jsGuard/myJavascript.cfm?id=BDF0DC85-D050-44E1-9DB853D98FB28E81
and I get the source of the javascript file.

The mechanism is very easy and spells doom for all your attempts: the source is grabbed from browser cache, not from the server.

Jochem
RE: Here's An Example: WAS [Hiding Javascript Source]
Well... if there's no way of preventing the browser from caching the page, then I guess it's definitely not foolproof. But heck, it sure beats the "no right click" method!

-Brad

-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 8:16 AM
To: CF-Talk
Subject: Re: Here's An Example: WAS [Hiding Javascript Source]

Brad Roberts wrote:
> Just wanted to change the subject so you wouldn't think it's another "you can't do it" message.
>
> http://www.becomenew.com/jsGuard/

Doesn't work. In FireBird, I changed the URL in the address bar to
view-source:http://www.becomenew.com/jsGuard/
which tells me the name of the javascript. Then I changed the URL to
view-source:http://www.becomenew.com/jsGuard/myJavascript.cfm?id=BDF0DC85-D050-44E1-9DB853D98FB28E81
and I get the source of the javascript file.

The mechanism is very easy and spells doom for all your attempts: the source is grabbed from browser cache, not from the server.

Jochem
RE: Here's An Example: WAS [Hiding Javascript Source]
The problem lies in the browser caching the page... any way to get around that?

You really can't rely on http_referrer... Here's what I'm doing (in a nutshell).

Caller page:
------------

<!--- publish a fresh one-time id and pass it on the script URL --->
<cfset server.id = createUUID()>
<cfoutput><script language="JavaScript" src="myJavascript.cfm?id=#server.id#"></script></cfoutput>

Javascript page:
----------------

<!--- serve the script only for the current id, then clear the id --->
<cfif compareNoCase(url.id, server.id) OR len(url.id) EQ 0>
  .. hacker
<cfelse>
  <cfset server.id = "">
</cfif>

javascript code here...

-Brad

-----Original Message-----
From: Philip Arnold [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 8:09 AM
To: CF-Talk
Subject: RE: Here's An Example: WAS [Hiding Javascript Source]

> Just wanted to change the subject so you wouldn't think it's another "you can't do it" message.
>
> http://www.becomenew.com/jsGuard/

If you set your "Check for newer versions of stored pages" to "Never", then you can view it.

It's stored in cache, so it won't try to re-get the page.

Nice idea though.

Although you could always do something incredibly similar just using CGI.HTTP_REFERER rather than putting the UUID on the URL.
RE: Here's An Example: WAS [Hiding Javascript Source]
> What does this one do to hide it? I think I missed the feature by mistake.

Your browser was caching it.

Set your browser to "Never" cache pages and it works...

Pity that most people won't have their browsers set to "Never".
Re: Here's An Example: WAS [Hiding Javascript Source]
Brad Roberts wrote:
> The problem lies in the browser caching the page... any way to get around that?
>
> You really can't rely on http_referrer... Here's what I'm doing (in a nutshell).
>
> Caller page:
> ------------
>
> <!--- publish a fresh one-time id and pass it on the script URL --->
> <cfset server.id = createUUID()>
> <cfoutput><script language="JavaScript" src="myJavascript.cfm?id=#server.id#"></script></cfoutput>
>
> Javascript page:
> ----------------
>
> <!--- serve the script only for the current id, then clear the id --->
> <cfif compareNoCase(url.id, server.id) OR len(url.id) EQ 0>
>   .. hacker
> <cfelse>
>   <cfset server.id = "">
> </cfif>
>
> javascript code here...

If I wanted to make it more difficult (not impossible) for somebody to get to the source of my javascript I would use a combination of mechanisms. First, on the page referring to the javascript set a cookie, then use a script ... to link to the javascript.

On the server, check both the referrer and the presence of the cookie and make sure the javascript is encrypted with the cookie as the key. From the first page, decrypt the javascript and execute it (you can do eval() on a variable that is just a bunch of javascript, right?). Make sure the last command from the decrypted javascript is to delete the cookie.

This bypasses the caching problem, because an encrypted version is cached, and you throw the key away as soon as it is decrypted. But with the right tools to track HTTP headers, this is still easy to bypass.

Jochem
Re: Here's An Example: WAS [Hiding Javascript Source]
wow

that's a lot of work to hide JS.

Brad.. what is in your JS that you want to hide it that bad?

----- Original Message -----
From: Jochem van Dieten [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 8:41 AM
Subject: Re: Here's An Example: WAS [Hiding Javascript Source]

If I wanted to make it more difficult (not impossible) for somebody to get to the source of my javascript I would use a combination of mechanisms. First, on the page referring to the javascript set a cookie, then use a script ... to link to the javascript.

On the server, check both the referrer and the presence of the cookie and make sure the javascript is encrypted with the cookie as the key. From the first page, decrypt the javascript and execute it (you can do eval() on a variable that is just a bunch of javascript, right?). Make sure the last command from the decrypted javascript is to delete the cookie.

This bypasses the caching problem, because an encrypted version is cached, and you throw the key away as soon as it is decrypted. But with the right tools to track HTTP headers, this is still easy to bypass.

Jochem
Re: Here's An Example: WAS [Hiding Javascript Source]
Michael T. Tangorre wrote:
> that's a lot of work to hide JS.

I think the amount of work really isn't that bad. For instance, if we take XOR encryption (not really very strong) and use Google we quickly find source code in Javascript:
http://www.eng.uwaterloo.ca/~ejones/software/xorcrypt12.js
I am sure that there is java/C code available as well, and if not there is always the option of rewriting that javascript in cfscript.

But even though I don't think it is that much work, if people are serious about getting your scripts, there is no way to stop them.

Jochem
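The scheme Jochem outlines earlier in the thread (cookie as key, encrypted body, decrypt and eval() in the page), combined with the XOR cipher mentioned in this message, as an added example that is not part of the original thread or any poster's code. The cookie name `jskey`, the sample script and the key value are constructed; it shows that the key and the ciphertext both reach the same client, so logic that must stay private belongs in server-side code.

```javascript
// Added illustration, not code from the thread. Names and values are constructed.

// Repeating-key XOR over UTF-16 code units, hex-encoded for transport.
function xorEncrypt(plain, key) {
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    const unit = plain.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    out += unit.toString(16).padStart(4, "0");
  }
  return out;
}

function xorDecrypt(hex, key) {
  let out = "";
  for (let i = 0; i < hex.length; i += 4) {
    const unit = parseInt(hex.slice(i, i + 4), 16);
    out += String.fromCharCode(unit ^ key.charCodeAt((i / 4) % key.length));
  }
  return out;
}

// Server side: the caller page sets the key cookie, the script URL returns
// the source encrypted under that cookie value.
function serveProtectedScript(source, cookieValue) {
  return {
    pageResponse: { headers: { "Set-Cookie": `jskey=${cookieValue}; Path=/` } },
    scriptResponse: { body: xorEncrypt(source, cookieValue) },
  };
}

// Loader in the page: read the cookie, decrypt, then hand the text to eval().
function loaderDecrypt(documentCookie, body) {
  const m = /(?:^|;\s*)jskey=([^;]+)/.exec(documentCookie);
  if (!m) throw new Error("key cookie missing");
  return xorDecrypt(body, m[1]);
}

// Anyone holding a recording of the same two responses has the same inputs as
// the loader, so deleting the cookie afterwards protects nothing.
function recoverFromTranscript(exchange) {
  const setCookie = exchange.pageResponse.headers["Set-Cookie"];
  const key = setCookie.split(";")[0].split("=")[1];
  return xorDecrypt(exchange.scriptResponse.body, key);
}

const SOURCE = "function price(qty) { return qty * 19.99; }"; // constructed
const KEY = "constructed-key-01"; // constructed cookie value
const exchange = serveProtectedScript(SOURCE, KEY);

console.log(exchange.scriptResponse.body.slice(0, 32) + "...");
console.log(loaderDecrypt(`jskey=${KEY}`, exchange.scriptResponse.body));
console.log(recoverFromTranscript(exchange));
```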
Re: Here's An Example: WAS [Hiding Javascript Source]
Anyone ever consider doing it all server-side - using CFScript and NOCACHE?

==
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
==
If you are not satisfied with my service, my job isn't done!

----- Original Message -----
From: Michael T. Tangorre [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 7:43 AM
Subject: Re: Here's An Example: WAS [Hiding Javascript Source]

| wow
|
| that's a lot of work to hide JS.
|
| Brad.. what is in your JS that you want to hide it that bad?
Re: Here's An Example: WAS [Hiding Javascript Source]
agreed.

----- Original Message -----
From: Jochem van Dieten [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 9:02 AM
Subject: Re: Here's An Example: WAS [Hiding Javascript Source]

Michael T. Tangorre wrote:
> that's a lot of work to hide JS.

I think the amount of work really isn't that bad. For instance, if we take XOR encryption (not really very strong) and use Google we quickly find source code in Javascript:
http://www.eng.uwaterloo.ca/~ejones/software/xorcrypt12.js
I am sure that there is java/C code available as well, and if not there is always the option of rewriting that javascript in cfscript.

But even though I don't think it is that much work, if people are serious about getting your scripts, there is no way to stop them.

Jochem
Re: Here's An Example: WAS [Hiding Javascript Source]
Doug White wrote:
> Anyone ever consider doing it all server-side - using CFScript and NOCACHE?

How do you intend to hide javascript server-side? It has to be sent to the client to be executed.

Jochem
RE: Here's An Example: WAS [Hiding Javascript Source]
You can also open any JS debugger and view the code...

-Dan

-----Original Message-----
From: Philip Arnold [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 8:09 AM
To: CF-Talk
Subject: RE: Here's An Example: WAS [Hiding Javascript Source]

> Just wanted to change the subject so you wouldn't think it's another "you can't do it" message.
>
> http://www.becomenew.com/jsGuard/

If you set your "Check for newer versions of stored pages" to "Never", then you can view it.

It's stored in cache, so it won't try to re-get the page.

Nice idea though.

Although you could always do something incredibly similar just using CGI.HTTP_REFERER rather than putting the UUID on the URL.