If at first you don't succeed, call it version 1.0

Contact Me

Sarvesh Kushwaha
Email : sarveshkushwaha@outlook.com

Total Pageviews

Powered by Blogger.

Wednesday 15 October 2014

Hack proof your Javascript using javascript Obfuscation in ASP.NET applications


Introduction:

This article is the Part-5 Article of my series Hack Proof your asp.net and asp.net mvc applications.
In this article i will describe how to obfuscate your JavaScript code (Your written business logic in JavaScript or those  JavaScript libraries you don't want to expose to others) in asp.net application with visual studio.

Background :

You can read previous article of this series from below links :

    1. Secure your ASP.NET applications from SQL Injection
    2. Secure your ASP.NET applications from XSS Attack
    3. Secure your ASP.NET applications from CSRF Attack
    4. Secure your ASP.NET applications from Sensitive Data Exposure and Information Leakage

    Obfuscation :

    Obfuscation is the process which involves the process to convert your code to a equivalent or specific format such that it becomes difficult to understand and difficult to reverse engineering.

    Confustion b/w  Minification of JavaScript and Obfuscation of JavaScript files:

    Minification is the process to remove the unnecessary spaces from a file where as obfuscation is the process to make code difficult to understand.

    Minification :






















    Obfuscation :


























    Why we need Obfuscation:

    Code obfuscation scrambles the symbols, code of a program, rendering it diificult to understand while at the same time preserving the program's functionality.
    we can do obfuscation of .NET assemblies and JAVA Code and Javascripts.In this article i am just covering Javascript and obfuscation is not limited to source code , you can useit for your data too and in real life :P :P :D .

    Benefits of Obfuscation : 

    1.     Protection of intellectual property(Your own written code)
    2.     Reduced security threats(By Pervention of the code exposure in a descriptive manner)
    3.     Reduced size of the file(Minification and shorten the variables name)
    4.     No network delays

    How to apply JavaScript Obfuscation in ASP.NET Application:

    Prerequisite :
    1. Visual Studio 2010 , 2012 , 2013  
    2. Asp.Net framework 4 and 4.5 and above (whenever will come)
    3. Obviously a ASP.NET and ASP.NET MVC application
    in my case i am using VS 2012 and asp.net framework 4.5.

    Step 1: Install Bundle Transformer nuget package 
    Using package manager console install this Bundle Transformer.
    Go To Tools > Library package manager > Package manager console

    Install-Package BundleTransformer.UglifyJs

    BundleTransformer contains many minifiers , but we are here going to cover only Uglify to achieve Obfuscation.For more details about BundleTrasformer Minifiers , Translators and Postprocessors visit https://bundletransformer.codeplex.com/.
















    After Installation it will pop up a readme.txt which will describe further details to proceed.

    Step 2 : Install-Package JavaScriptEngineSwitcher.Msie
    using the same package manager console install the JavaScriptEngineSwitcher.Msie.As a JS-engine BundleTransformer use the JavaScript Engine Switcher library . For correct working of this module is recommended to install one of the following NuGet packages: JavaScriptEngineSwitcher.Msie or JavaScriptEngineSwitcher.V8.


    Install-Package JavaScriptEngineSwitcher.Msie
    
    












    Step 3 : Do the Web.Config Setting for uglify
    When you installed the bundletransformer its automatically have created a node <bundleTransformer> .Under this node add the following configuration code for uglify.


     <uglify>
          <js screwIe8="false" severity="0">
            <parsing strict="false" />
            <compression compress="true" sequences="true" propertiesDotNotation="true"
              deadCode="true" dropDebugger="true" unsafe="false"
              conditionals="true" comparisons="true" evaluate="true"
              booleans="true" loops="true" unused="true"
              hoistFunctions="true" keepFunctionArgs="false" hoistVars="false"
              ifReturn="true" joinVars="true" cascade="true"
              globalDefinitions="" pureGetters="false" pureFunctions=""
              dropConsole="false" angular="false" />
            <mangling mangle="true" except="" eval="false"
              sort="false" topLevel="false" />
            <codeGeneration beautify="false" indentLevel="4" indentStart="0"
              quoteKeys="false" spaceColon="true" asciiOnly="false"
              inlineScript="false" width="80" maxLineLength="32000"
              bracketize="false" semicolons="true"
              comments="false" preserveLine="false"
              unescapeRegexps="false" />
          </js>
          <jsEngine name="MsieJsEngine" />
        </uglify>



















    If you will see i have added name="MsieJsEngine" under <uglify> node of <JsEngine> .Yo can use JavaScriptEngineSwitcher.V8 also.

    Step 4 - Modify the BundleConfig
    When you create a new web form application or MVC application , asp.net framework 4.5 templates automatically create a folder App_Start for code that runs on application startup.

    Folder App_Start > BundleConfig

    1. Add following namespaces
    using BundleTransformer.Core.Builders;
    using BundleTransformer.Core.Orderers;
    using BundleTransformer.Core.Resolvers;
    using BundleTransformer.Core.Transformers;

    2. Initialize Script and Style transformer , nullbuilder and nullorder class

    //This setting is used when if you have specfied the path Using System.web.Optimization.bundle.Cdnpath then it will try to fetch data from there first
                bundles.UseCdn = true;
                //NullBuilder class is responsible for prevention of early applying of the item transformations and combining of code.
                var nullBuilder = new NullBuilder();
                //StyleTransformer and ScriptTransformer classes produce processing of stylesheets and scripts.
                var styleTransformer = new StyleTransformer();
    
                var scriptTransformer = new ScriptTransformer();
                //NullOrderer class disables the built-in sorting mechanism and save assets sorted in the order they are declared.
                var nullOrderer = new NullOrderer();
    

    3. create your own ScriptBundle to which you want to Obfuscate

    //create your own scriptbundle 
    
                var scriptbundleToObfuscate = new Bundle("~/bundles/WebFormsJs");
                scriptbundleToObfuscate.Include("~/Scripts/WebForms/WebForms.js",
                      "~/Scripts/WebForms/WebUIValidation.js",
                      "~/Scripts/WebForms/MenuStandards.js",
                      "~/Scripts/WebForms/Focus.js",
                      "~/Scripts/WebForms/GridView.js",
                      "~/Scripts/WebForms/DetailsView.js",
                      "~/Scripts/WebForms/TreeView.js",
                      "~/Scripts/WebForms/WebParts.js");
                scriptbundleToObfuscate.Builder = nullBuilder;
                scriptbundleToObfuscate.Transforms.Add(scriptTransformer);
                scriptbundleToObfuscate.Orderer = nullOrderer;
                bundles.Add(scriptbundleToObfuscate);

    For Demo purpose i am using the WebForms.js and the bundle for the same which is created by VisualStudio Automatically.

     4. Enableoptimization True to see the result.
    BundleTable.EnableOptimizations = true;
    

    Make it false at the time of development so it will not bundle , minify and obfuscate the JS files.Never forget to make it True before publishing the application.

    Final Step : .Include the bundle in your application and See the results: 

    Asp.Net Web forms :

    <%: Scripts.Render("~/bundles/WebFormsJs") %>

    Asp.Net MVC :

     @Scripts.Render("~/bundles/WebFormsJs")

    Before Obfuscation :












    After Obfuscation :













    yay :) :) ...


    Thanks for reading this article.For code Verification and if you are facing issue in Configuration you can download and see the code from here : https://github.com/sarveshkushwaha/JavaScriptObfuscationInAspNET


    References and further readings: 

    Another Search Terms for the same article :

    • JavaScript Obfuscation in ASP.NET and ASP.NET MVC application
    • How to use BundleTransformer.UglifyJs with Visual Studio Nuget
    • Hack proof your Javascript using javascript Obfuscation in ASP.NET applications


    16 comments:

    1. Thanks you about the best artical

      ReplyDelete
    2. but while publishing the project we can able to see scripts
      reply to this as soon as possible to chiranjeevi183@gmail.com

      ReplyDelete
    3. Great explanations using sample reference links with screenshots to hack the proof in asp .net applications.thanks for sharing these wonderful information.

      Java Training in Chennai

      ReplyDelete
    4. Can I implement this in visual studio Express 2015 for the Web? If No than Is there any other way to implement?

      ReplyDelete
    5. This is an awesome post.Really very informative and creative contents. These concept is a good way to enhance the knowledge.I like it and help me to development very well.Thank you for this brief explanation and very nice information.Well, got a good knowledge.

      Java training in Bangalore | Java training in Kalyan nagar

      Java training in Bangalore | Java training in Kalyan nagar

      Java training in Bangalore | Java training in Jaya nagar

      ReplyDelete
    6. This is an awesome post.Really very informative and creative contents. These concept is a good way to enhance the knowledge.I like it and help me to development very well.Thank you for this brief explanation and very nice information.Well, got a good knowledge.
      Data Science training in rajaji nagar | Data Science Training in Bangalore
      Data Science with Python training in chennai
      Data Science training in electronic city
      Data Science training in USA
      Data science training in pune

      ReplyDelete

    7. Thank you for such a sweet tutorial - all this time later, I've found it and love the end result. I appreciate the time you spent sharing your skills.
      Best Ice Fishing Gloves Best Ice Fishing Gloves Best Ice Fishing Gloves


      ReplyDelete
    8. i done all but my js is bundling but not Obfuscating or not minifying

      ReplyDelete
    9. Very interesting,good job and thanks for sharing such a good blog.your article is so convincing that I never stop myself to say something about it.You’re doing a great job.Keep it up. AWS Training

      ReplyDelete
    10. This comment has been removed by the author.

      ReplyDelete
    11. He attack hope create together pick trial. Heart election or challenge. Raise course western recent probably song.breaking news in india today

      ReplyDelete