How to completely destroy a script and make it disappear forever.

[Jorge]

Oh well, that is enough for today. I talk too much.

Good luck!

Regards,
Erwin Moller

Erwin, thanks for sharing that story

I know the network traffic can be sniffed. I know that even with ssl
no single line of JS can be hidden from a clients' eyes. I know they
can single-step through the code and see what it's doing or copy-paste
it for inspection. But then there's code obfuscation. See google app's
scripts gazpacho and you'll know what I mean. But only a small % of
the small % of people that might normally attempt to crack my app's
non obfuscated login attempt, will consider that the added effort is
worth it if the code is obfuscated. So, again, even though I know what
you all mean, I still think that it's not a mistake to think that
obfuscation counts as another barrier in their way...

@Grant:

ADSL clients with dynamically assigned IPs might be blocked by the
firewall if they inherit an attacker's IP, isn't it ?
And of course they will if they share the attacker's IP (when both are
coming from behind the same NAT router), right ?
Do you handle that case ?

TFYT.
Regards,

 

[Jorge]

Then add a delay after a failed login attempt before you send a
response. Force people to use better passwords. Keep track of how many
login attempts are made from the same IP-Address in a specified time
frame, and lock out those who exceed the limit. Brute forcing takes a
while, and with these three measures (all on the server side!) you can
make it very hard.

I've setup such a delay, but when an IP's activity definitely looks
nasty (too many failed attempts), a 404 response is sent asap -not
delayed- and the connection is closed asap in an attempt to free the
socket for somebody else's use. Then a countdown timer is setup and
that IP will keep receiving 404 responses for any request it makes
until after the timer expires.

 

[slebetman]

But that solves another different problem.


Or the wannabe-a-hacker child of an employee, or ..., you never know.

Child of employee maybe, but not the average script kiddie or wannabe
hacker much less a real hacker. Even a novice, if determined enough,
would at least try wget to fetch the script file. Firebug is just a
recent tool in the hacker toolbox that makes it easier to explore a
site. Remember, with javascript you can't hide the source. Even if you
manage to hide stuff from Firebug (which most developers would
consider a bug on Firebug's side and soon request Firebug developers
to patch) there are still lots of well known tools that lets me get
your script. Like httpwatch for example.

 

[Jorge]

Child of employee maybe, but not the average script kiddie or wannabe
hacker much less a real hacker. Even a novice, if determined enough,
would at least try wget to fetch the script file. Firebug is just a
recent tool in the hacker toolbox that makes it easier to explore a
site. Remember, with javascript you can't hide the source. Even if you
manage to hide stuff from Firebug (which most developers would
consider a bug on Firebug's side and soon request Firebug developers
to patch) there are still lots of well known tools that lets me get
your script. Like httpwatch for example.

To fight sniffing and curl lookalikes there's SSL/https, if not, the
innerHTML of the script can be received scrambled in an XHR :

document.getElementsByTagName('head')
[0].appendChild(document.createElement('script')).innerHTML=
unscramble(XHR.responseText);

 

[Jorge]

You keep telling me the obvious, and it isn't the point. Obfuscated
code is harder to understand and therefore to crack than pretty
printed and commented non-obfuscated source code. Sniffed obfuscated
data is meaningless unless you know how to unscramble it. That
additional effort on the part of an attacker is what I'm after, no
more, no less.

 

[slebetman]

To fight sniffing and curl lookalikes there's SSL/https,

Try httpwatch for yourself. It's a firefox/ie extension. SSL is not a
problem with httpwatch because it recieves its data AFTER it has been
decrypted.

if not, the
innerHTML of the script can be received scrambled in an XHR :

document.getElementsByTagName('head')
[0].appendChild(document.createElement('script')).innerHTML=
unscramble(XHR.responseText);

No problem here because you will be providing me with your unscramble
function. All I need to do is copy/paste your unscramble function into
firebug and then copy/paste the whole XHR response into firebug as the
parameter to your unscramble function.

The only way out of this is to not use javascript -- use java or flash
instead to do your processing. Even then, there are decompilers out
there that will convert it back to source (though not the same source
but an equivalent source that does the same job).

 

[Jorge]

'and curl lookalikes' didn't belong there ^^^^ :

"To fight sniffing there's SSL/https, if not, for curl lookalikes the
innerHTML of the script can be received scrambled in an XHR : "

Ok ?

Try httpwatch for yourself. It's a firefox/ie extension. SSL is not a
problem with httpwatch because it recieves its data AFTER it has been
decrypted.

There's no need to install nothing. I can be seen it in firebug and in
Safari's web inspector.

 

[Jorge]

No problem here because you will be providing me with your unscramble
function. All I need to do is copy/paste your unscramble function into
firebug and then copy/paste the whole XHR response into firebug as the
parameter to your unscramble function.

Even worse: the only tool you need to do the attack is the browser: no
curl no wget no proxy no nothing else: just inject the brute force
attack() JS code into the page... then comfortably type
javascript:attack(); into the url bar and hit enter.

And as it's so easy you'd better obfuscate the things at least a
little bit, or better yet as much as possible.

 

[David Mark]

I'm obfuscating the entry code. That script isn't in the .html file.
It gets loaded, quickly does its things, and inmediatly after that I'd
like it to disappear from sight...

Pfft. Why? Is it *that* good?

Forget it. You can't hide anything that comes from a Web server.