views:

77

answers:

2

So I've been working recently on a script to obfuscate client-side code for protecting intellectual property without interfering with the appearance of interactivity of the resulting page. The process is as follows:

  1. HTTP request comes in, .htaccess redirects (.*) to parse_request.php
  2. parse_request.php creates a "phpURLParser" class whose class variables are essentially copies of the $_SERVER variables
  3. phpURLParser looks at the requested path, and sometimes the host, referer, or other server-side information to determine how to react. There are several possible responses

a. The requested object was a .js or .css file. Pass the file to the YUI Compressor and send the output

b. The requested object is an image or application. Pass the file with no change

c. The requested object contains HTML. Replace every ASCII character with its 2-digit hexadecimal equivalent and send the following javascript:

<script type="text/javascript">
var x="~lots of hex~";
var y="";
for(i=0; i<x.length; i+=2){
    y += unescape('%'+x.substr(i,2));
}
document.write(y);
</script>

So the website is replaced by a lot of hex and a small javascript to return the hex to its original form. I have an example of this setup at examples.chikachu.com/colorbox/example1 (I didn't code ColorBox, it's a free jQuery tool that I chose to use since it allowed me to test several different javascript features and make sure they all worked)

Now for the problem:

As it turns out, this works 99% of the time. But AJAX makes it angry. Clicking one of the AJAX examples (under "Other Content Types") will look like it redirects you to a new page. Looking in the address bar or viewing the page source will prove that you're still on the same page, however. Using the Inspect Element tool in Chrome (or Firebug in Firefox) will reveal that the contents of the webpage were entirely replaced by the contents of the AJAX request.

If I modify parse_request.php slightly to allow the file requested by the AJAX to be passed through unharmed, everything works. No problem. So for some reason my script which replaces the string of hex with its meaningful HTML counterpart is overwriting the entire website instead of nicely inserting itself within the confines of a <div> object.

Essentially here's the expected non-obfuscated HTML:

<html>
<head>
    ...
</head>
<body>
    <div id="colorbox">
        <INSERT AJAX HERE>
    </div>
    ...
</body>
</html>

With only the AJAX obfuscated, I expect the following:

<html>
<head>
    ...
</head>
<body>
    <div id="colorbox">
        <script type="text/javascript">
        var x="asdfasdfasdfasdf";
        var y="";
        for(i=0; i<x.length; i+=2){
            y += unescape('%'+x.substr(i,2));
        }
        document.write(y);
        </script>
    </div>
    ...
</body>
</html>

I expect that the document.write() line here will write y at the location of the javascript (within the <div>). If I'm mistaken and that's not how document.write() works, I still expect it to write y at the end of the document. Instead, the entire document is replaced by y. Why is this, and what's my solution?

+1  A: 

Answer to your last question: Calling

document.write('my_precious_html_code');

will append or override text on page depending when it was called (before or after onLoad event). You shouldn't use it any script. Read more about it here: http://javascript.crockford.com/script.html

General answer: Obfuscating HTML code doesn't make any sense. Just like protecting images by disabling right mouse button in late '90. It took me less then 3 sec to "crack" your obfuscated code and get beautifully formatted HTML. Also your site is rendered in quirks mode which is probably something you don't want.

cps7
I figured it was easy enough to crack. Heck- just using the Inspect Element feature in Chrome cracks it for you (Chrome will output the current HTML, post javascript modifications). I just figured it would be annoying enough to deter people. Good point, though, that it's like disabling right click. Pretty worthless, I suppose. If nothing else, this has been a fun project to distract me during stats class =)
steven_desu
A: 

Try something like this:

<html> 
<head> 
    ... 
</head> 
<body> 
    <div id="colorbox">
        <div id="MYAJAXCONTENT">
        </div>
        <INSERT AJAX HERE> 
    </div> 
    ... 
</body> 
</html> 

<html> 
<head> 
    ... 
</head> 
<body> 
    <div id="colorbox"> 
        <script type="text/javascript"> 
        var x="asdfasdfasdfasdf"; 
        var y=""; 
        for(i=0; i<x.length; i+=2){ 
            y += unescape('%'+x.substr(i,2)); 
        } 
        document.getElementById('MYAJAXCONTENT').innerHTML = y; 
        // for the jQuery psychos out there
        // $('#MYAJAXCONTENT').html(y);
        </script> 
    </div> 
    ... 
</body> 
</html> 
Joel Etherton
Only problem with this- the code was meant to unobtrusively obfuscate ANY code. This assumes that I have an element pre-placed in the page. I have been working on a similar solution, however, giving the script itself an id (generated by parse-request.php) then having the script locate itself get getElementById and calling its parentNode.
steven_desu
@steven_desu - you already have an element that has an id. You could easily use javascript to add additional elements to it on the fly and inject your new scripts into that.
Joel Etherton