homepage Welcome to WebmasterWorld Guest from 54.237.99.131
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / JavaScript and AJAX
Forum Library, Charter, Moderator: open

JavaScript and AJAX Forum

    
hiding javascript
rhodopsin

10+ Year Member



 
Msg#: 2713 posted 12:25 pm on Nov 11, 2004 (gmt 0)

I really want to hide my javascript code such that no one can read it. I know that I should implement my code in server side language, such as PHP, if I really want to hide code. But for various reasons (primarily that my code checks the time zone of the visitor - this can only be done in javascript (or other client side language) from what I have researched. Please correct me if I am wrong) I want to use javascript.

I have read quite a bit about hiding HTML source code and lots of people say that this is a bit of a red herring. Gold at the end of the rainbow kind of thing - it is not possible. But how about hiding the code of a javascript.js file. Is this possbile? One method that seems pretty good to me can be found at

[devpapers.com...]

I would like you guys to look at this and see what weaknesses may be associated with it. Is there anyway someone could get around it to see my javascript code? Thanks guys.

In case the moderator pulls the url - I have cut and paste the webpage here:

Don't want your JavaScript copied? Here's a very simple script that will hide it!

On the page where the JavaScript is placed, add:

<?
session_start();
if(!session_is_registered('allow_script'))
{
session_register('allow_script');
$allow_script = true;
}
?>
<html>
<head>
<script language="JavaScript" src="script.php"></script>
</head>
<body>
Body goes here...
</body>
</html>

And now create a new file called script.php and place your JavaScript there:

<?
session_start();
if($allow_script)
{
header("Content-type: text/javascript");
?>

alert("Woohoo! My JavaScript Works!");

<?
$allow_script = false;
}
?>

As you can see it uses a session. When you open the page where the JavaScript is placed it creates a session which allows the JavaScript to be viewed. But if you open script.php by its self, no session is created!

Try opening script.php in your browser window and you'll notice you can't view the code!

 

Bernard Marx

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 2713 posted 12:31 pm on Nov 11, 2004 (gmt 0)

Temporary internet files?

adni18

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 2713 posted 12:56 pm on Nov 11, 2004 (gmt 0)

Obviously, there is some way around it, because the browser has to read it.

rhodopsin

10+ Year Member



 
Msg#: 2713 posted 1:07 pm on Nov 11, 2004 (gmt 0)

RE: "temporary internet files"

Can u elaborate please mate. Don't quite understand.

"Obviously, there is some way around it, because the browser has to read it."

I understand that there must be some way around. But would be good if peeps could take through ways to get around it. Such that I could even act to take further steps to block off these ways around.

I understand this is not a final solution - more one of slowing down curious visitors (and hoping they give up) than stopping.

rhodopsin

10+ Year Member



 
Msg#: 2713 posted 1:17 pm on Nov 11, 2004 (gmt 0)

If people would like to perhaps rate the level of difficulty in getting around this - that would be great.

What I really hope for this is that the people on here must be pretty good on computers - and if no one here can figure a way to get around this to see the javascript source code - then i am onto a winner - because the average visitor really won;t have a clue how to do it then.

I know that it must theoretically be possible to get around - but how many people would know how to get around. That is the Q.

Alternative Future

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 2713 posted 1:26 pm on Nov 11, 2004 (gmt 0)

As Bernard Marx said Temp Internet Files will be used to store the JavaScript on the client’s machine, when executing client-side script it has to be stored somewhere on their PC. How hard is this, along with, perhaps some other ways to find out depends on the person that might want to take your code. Another way to put it is, if someone doesn't know how to get their hands on your code - would they want it? What sort of people hunt down code - web developers if they see something that looks nifty along with others - I am sure these people know how to source the code that has been executed on their PC.

HTH,

-George

rhodopsin

10+ Year Member



 
Msg#: 2713 posted 2:04 pm on Nov 11, 2004 (gmt 0)

Temp Internet files

Is there any way around this? I am not very hopeful - but perhaps worth asking.

Or are Temp Internet files the be all and end all - this is the end of the line.

By the way - thanks for all these posts.

Alternative Future

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 2713 posted 2:17 pm on Nov 11, 2004 (gmt 0)

Temp Internet Files directory is located on the clients PC so there is nothing much you can do about this.

joke:
You could state on your website that they clear their temp folder after each visit to your site - but something tells me this wouldn't work ;-)

To be honest rhodopsin I am quite sure there is nothing much you can do except accept it.

[added:[/b] You could scramble your code which makes it a little harder to read and recreate - but again there are tools out there that can make your scrambled code readable again :( just search for JavaScript Scrambler

-George

Bernard Marx

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 2713 posted 2:31 pm on Nov 11, 2004 (gmt 0)

Sorry. "Temporary internet files" is a bit on the terse side. Possibly just a reaction to seeing "hide your script" ideas popping up regularly.

The PHP session one is a new one for me.

I added the "?" because I'm assuming that the script file (.php notwithstanding) is cached - but I haven't actually tried the approach myself.

This could probably be worked around by instructing the server to send a "no cache" header. (this might be ignored).

Suffice to say that there is no 100% way of protecting anything, but there are ways of making it a little tricky. The question is then "who are you hiding it from?". If your script is so whoopee-doo that it needs to be "protected". Then anyone who was put off by the limited defenses available would probably be lacking in the skills needed to make use of the script anyway.

Practicalities aside, it's an interesting contribution.

rhodopsin

10+ Year Member



 
Msg#: 2713 posted 3:32 pm on Nov 12, 2004 (gmt 0)

This could probably be worked around by instructing the server to send a "no cache" header. (this might be ignored).

Currently looking at setting up no cache headers.

Another thing that i am doing to test how good this method is of hiding code - look at this url. Quite interesting. Seeing how it holds up to these tests:

[vortex-webdesign.com...]

rhodopsin

10+ Year Member



 
Msg#: 2713 posted 4:58 pm on Nov 12, 2004 (gmt 0)

I really am impressed with this method of hiding javascript. I have tried a number of methods to get hold of it now (including those methods in the url in my last post). Still no joy in getting hold of the code. Obviously it cannot be invincible - there must be some way. But I cannot think of one (although i am very inexperienced).

Can anyone think of a way to beat this method of hiding? I am going to use

<?php
header("Cache-Control: no-store, no-cache");
?>

to beat the temporary internet file factor - this code stops the browser from caching the php page.

kaled

WebmasterWorld Senior Member kaled us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 2713 posted 7:12 pm on Nov 12, 2004 (gmt 0)

Anything a browser can load can be viewed.

If you can view the source code of the html you can locate the url that supplies the javascript.

If you can locate the url, just type it into a browser - the browser will display it or prompt you to save it as a file.

Messing around disabling right-clicks, etc. is just a waste of time - just switch off javascript or go to the browser's view menu.

If someone wants your code they'll get it - end of story.

Kaled.

JAB Creations

WebmasterWorld Senior Member jab_creations us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 2713 posted 8:40 pm on Nov 12, 2004 (gmt 0)

Anything that is clientside can not be hide from prying eyes. The best you could try is converting the charecters in to hex.

Bernard Marx

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 2713 posted 10:57 pm on Nov 12, 2004 (gmt 0)

Can anyone think of a way to beat this method of hiding?

Sorry, I haven't got round to testing, rhodopsin. I suspect that saving the file as .mht ("web archive for email") in IE may include the script file as one of its parts.

rhodopsin

10+ Year Member



 
Msg#: 2713 posted 4:35 pm on Nov 13, 2004 (gmt 0)

U guys may be interested to check out another one of my threads on this board:

[webmasterworld.com...]

It starts off being related to hiding PHP - but soon moves to hiding javascript. Scroll down the thread and you will see what i mean.

About the hex business - that seems very interesting. Would be really greatful if you could point me to more info on this.

Bernard Marx

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 2713 posted 9:55 pm on Nov 13, 2004 (gmt 0)

I don't understand the hex conversion idea. If this works, the only thing the 'theif' needs to do is to run it through a simple function to convert it all back again.

netsurf

10+ Year Member



 
Msg#: 2713 posted 2:11 pm on Nov 15, 2004 (gmt 0)

Hi all guys out there..

If you would like to hide your javascript source code there could be a way. I guess u can use an HTML or source code encryptor software.

This would also encrypt the html content. Or else you can call the code from a .js file and then encrypt only the .js file.

I hoped this help you.

jbot

10+ Year Member



 
Msg#: 2713 posted 11:02 am on Nov 25, 2004 (gmt 0)

there is no way to hide JS from the user. you guys are kidding yourselves if you think you can do that. obfuscation can easily be unobfuscated.

rhodopsin

10+ Year Member



 
Msg#: 2713 posted 1:17 pm on Nov 26, 2004 (gmt 0)

thought u guys might be interested in this:

[siteexperts.com...]

the guy set a challange to crack his code. It took 8 days for someone to do it. Pretty good going. Of course - it was ultimately cracked. Uncrackable is not possible - but it is nice to make them work hard for it.

Haven't checked this out yet. Will write more when looked at it.

Bernard Marx

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 2713 posted 2:46 pm on Nov 26, 2004 (gmt 0)

Hiding code is a very long running in-joke around that neck of the woods. Just mention the "IT".

rhodopsin

10+ Year Member



 
Msg#: 2713 posted 3:24 pm on Nov 26, 2004 (gmt 0)

bernard - i dont quite understand what u mean. Could this website be some kind of hoax? Is that what u mean? Thanks mate.

mell

10+ Year Member



 
Msg#: 2713 posted 1:28 pm on Dec 1, 2004 (gmt 0)

1. Deactivate javascript
2. Load the page (which won't load your scriptfiles)
3. Type the URL to the script and hit Enter

Bernard Marx

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 2713 posted 2:38 pm on Dec 1, 2004 (gmt 0)

No. The site isn't a hoax. It holds possibly the longest running thread that appears to be about hiding script.

Some of the hiding mechanisms in the challenge are just dead ends for people who think they've made it when they, for instance, unscramble the encoded script to find they've been tricked into wasting their time.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / JavaScript and AJAX
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved