JavaScript - Make text difficult to parse by automated means
I need to include a small JavaScript snippet on a single-page web application that serves as a content-protection mechanism for subsequent AJAX requests:
<script> DR.token.id = RANDOM_HASH </script>
This protection has a flaw: it is trivially easy for a machine to extract the RANDOM_HASH part of the snippet.
To counter this, I use a simple server-side script to add noise to the snippet, resulting in varying versions of:
document.write("<scr" + "ipt>DR.toke" + "n.id" + " = " + "\"RANDO" + "M_HASH\"</" + "script>");
document.write("<s" + "cript>DR.t" + "oken.id" + " = " + "\"RAN" + "DOM_HASH\"</scri" + "pt>");
...
However, a more complex regex can extract RANDOM_HASH once again.
I'd prefer not to use an on-the-fly obfuscator, since performance is vital. Are there reliable solutions to make it difficult for machines to extract the random hash without significant effort on my part?
I'm not concerned with machines capable of running JavaScript code to achieve the extraction; I intend to deter the average Joe from writing a trivial script to harvest the application's data.
You must recognize that nothing on a web page is secure from snooping. The best you can hope for is to defeat naive hacking techniques. To that extent, the "add noise" approach is sound. Yes, it can be hacked by a "slightly more complex regex", but how would an attacker know which regex that might be? It would take analyzing the source, which to my mind qualifies as significant effort.
If it would give you an added (but false) measure of security, you can base-64 encode (off line) the arguments to document.write(), and decode them on the fly. I don't think this would have a performance impact. (Calling document.write() would, I think, swamp the decoding overhead.) This would insulate the sensitive info from a human casually reading the page source. So, for instance, the base-64 encoding of
<script>DR.token.id = RANDOM_HASH</script>
is
PHNjcmlwdD5EUi50b2tlbi5pZCA9IFJBTkRPTV9IQVNIPC9zY3JpcHQ+
so the document would contain:
document.write(frombase64('PHNjcmlwdD5EUi50b2tlbi5pZCA9IFJBTkRPTV9IQVNIPC9zY3JpcHQ+'));
where frombase64() is a base-64 decoder.
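
Added example, not part of the original question or answer: a Node.js version of the server-side step that emits the noise form and the base-64 form discussed above. The function names, the 2 to 6 character chunk size, the use of the browser's atob() as the decoder and the sample token are assumptions; as the answer says, this only deters casual scraping.

```javascript
// Added example (Node.js, server side). Function names are hypothetical.

// Split text into chunks of 2..6 characters. Every chunk is shorter than
// "</script" (8 chars), so no emitted string literal can contain it and
// end the surrounding inline <script> element early.
function randomChunks(text, rng) {
  const chunks = [];
  for (let i = 0; i < text.length; ) {
    const len = 2 + Math.floor(rng() * 5); // rng() must return [0, 1)
    chunks.push(text.slice(i, i + len));
    i += len;
  }
  return chunks;
}

// Noise variant: document.write("<scr" + "ipt>DR.toke" + ...);
// JSON.stringify escapes the quotes and backslashes inside each literal.
function noisyWrite(snippet, rng = Math.random) {
  const literals = randomChunks(snippet, rng).map((c) => JSON.stringify(c));
  return "document.write(" + literals.join(" + ") + ");";
}

// Base-64 variant: encode on the server, decode in the browser with atob().
// Assumes an ASCII-only snippet, because atob() returns one char per byte.
function base64Write(snippet) {
  if (/[^\x00-\x7f]/.test(snippet)) throw new RangeError("ASCII only");
  const b64 = Buffer.from(snippet, "ascii").toString("base64");
  return "document.write(atob(" + JSON.stringify(b64) + "));";
}

// Constructed sample; RANDOM_HASH stands in for the real token value.
const SAMPLE = '<script>DR.token.id = "RANDOM_HASH"</script>';
console.log(noisyWrite(SAMPLE)); // split points differ on every call
console.log(noisyWrite(SAMPLE));
console.log(base64Write(SAMPLE));
```

Pass a seeded generator as `rng` when reproducible output is needed, for example in tests.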