What is JavaScript Obfuscation and why is it a threat?
Solution 1:
Obfuscation is a means of "obscuring" the real meaning and intent of your javascript code. Some sites use it as an obstacle to people who want to copy/borrow their code. Other sites use it as a means to hide the actual intention of the code.
Some forms of obscuration:
- Automatically renaming variables to short meaningless names to make the code less readable and harder to understand.
- Removing all extra whitespace and line breaks so the code is one giant long line.
- Making parts of the code self-generating so that a first pass of the code runs to create the actual code that then runs to carry out the intended operation.
- Uses character codes and string manipulation combined with eval rather than normal javascript code to construct the actual code that would run.
Obscuration is not by itself evil, but it can be used to try to hide an evil intent and that is probably what AVG was objecting to. It detected so much obscuration that it couldn't tell if the javascript was attempting to do something it was trying to prevent. As such, it declared the code as unsafe by default since it can't verify that the code seems OK.
Solution 2:
Obfuscation refers to hiding the intended meaning of something.
In this case, a clearly readable JavaScript snippet, such as
window.onload = function() { alert("Hello " + username) };
can be substituted by
var _0xc5b2=["\x6F\x6E\x6C\x6F\x61\x64",
"\x48\x65\x6C\x6C\x6F\x20"];window[_0xc5b2[0]]=
function (){alert(_0xc5b2[1]+username);} ;
or even
eval(unescape("var%20_0xc5b2%3D%5B%22onload%22%2C%22Hello%20%22%5D%3Bwindow"+
"%5B_0xc5b2%5B0%5D%5D%3Dfunction%20%28%29%7Balert%28_0xc5b2%5B1%5D+username"+
"%29%3B%7D%20%3B"));
All three code snippets do the exact same thing, but only reading the first will allow you to understand its intentions easily.
Apparently, AVG attempts to understand the purpose of JavaScript code before allowing its execution. When the code is obfuscated, AVG will probably fail. Hence the warning.
That being said, some websites obfuscate their JavaScript not because of evil intentions, but to make it difficult to steal their work. Obfuscation is usually useless if used for this purpose, but the point is that obfuscation doesn't necessarily mean bad intentions.