javascript - Make text difficult to parse by automated means -


I need to include a small JavaScript snippet on a single-page web application that serves as a content-protection mechanism for subsequent AJAX requests:

<script>
    dr.token.id = random_hash
</script>

This protection has a flaw: it is trivially easy for a machine to extract the random_hash part of the snippet.

To counter this, I use a simple server-side script to add noise to the snippet, resulting in varying versions of:

document.write("<scr" + "ipt>dr.toke" + "n.id" + " = " + "\"rando" + "m_hash\"</" + "script>");
document.write("<s" + "cript>dr.t" + "oken.id" + " = " + "\"ran" + "dom_hash\"</scri" + "pt>");
...

However, a more complex regex can extract random_hash once again.

I'd prefer not to use an on-the-fly obfuscator, since performance is vital. Are there any reliable solutions that make it difficult for machines to extract the random hash without significant effort on their part?

I'm not concerned about machines capable of running JavaScript code to achieve the extraction; I just intend to deter the average Joe from writing a trivial script to harvest my application's data.

You must recognize that nothing on a web page is secure from snooping. The best you can hope for is to defeat naive hacking techniques. To that extent, your "add noise" approach is sound. Yes, it can be hacked by a "slightly more complex regex", but how would an attacker know which regex that might be? It would take analyzing the source, which to my mind qualifies as significant effort.

If you want an added (but false) measure of security, you can base-64 encode (off line) the arguments to document.write(), and decode them on the fly. I don't think this would have a performance impact. (Calling document.write() would, I think, swamp the decoding overhead.) This would insulate the sensitive info from a human casually reading the page source. So, for instance, the base-64 encoding of

<script>dr.token.id = random_hash</script> 

is

phnjcmlwdd5eui50b2tlbi5pzca9ifjbtkrptv9iqvnipc9zy3jpchq+ 

so the document would contain:

document.write(frombase64('phnjcmlwdd5eui50b2tlbi5pzca9ifjbtkrptv9iqvnipc9zy3jpchq+')); 

where frombase64() is a base-64 decoder.
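
The server-side "add noise" step from the question, as an added Node.js example that is not code from the original post: it emits a differently split document.write() call on each request and checks that the pieces still reassemble to the same script. The names noisySnippet, splitRandomly and render are hypothetical, and the token is assumed to use only the characters A-Z, a-z, 0-9, "_" and "-".

```javascript
// Added example; noisySnippet, splitRandomly and render are hypothetical names.

const MAX_CHUNK = 6; // shorter than "</script", so that tag is never emitted whole

// Cut `text` into chunks of 1..MAX_CHUNK characters at random boundaries.
// Math.random is enough here: the split points are cosmetic, not secret.
function splitRandomly(text) {
  const chunks = [];
  for (let i = 0; i < text.length; ) {
    const len = 1 + Math.floor(Math.random() * MAX_CHUNK);
    chunks.push(text.slice(i, i + len));
    i += len;
  }
  return chunks;
}

// Build one document.write(...) call whose pieces concatenate to
// <script>dr.token.id = "TOKEN"</script>.
function noisySnippet(token) {
  // Assumed token alphabet; rejects quotes, "<" and anything else that
  // could break out of the string literal or the script element.
  if (!/^[A-Za-z0-9_-]+$/.test(token)) {
    throw new Error("unexpected character in token");
  }
  const payload = `<script>dr.token.id = "${token}"</script>`;
  // JSON.stringify yields a correctly escaped JavaScript string literal.
  const pieces = splitRandomly(payload).map((c) => JSON.stringify(c));
  return `document.write(${pieces.join(" + ")});`;
}

// Server-side self-check: run the snippet against a stub `document` and
// return what a browser would have written.
function render(snippet) {
  let out = "";
  new Function("document", snippet)({ write: (s) => { out += s; } });
  return out;
}

// Constructed sample token, not a value from the page.
const sample = noisySnippet("3f9a1c_constructed");
console.log(sample);
console.log(render(sample));
```

Because no chunk is longer than six characters, the generated call never contains a literal "</script" that would end the enclosing inline script early.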

