Hide JavaScript code from the client

  • peterlord
    New Member
    • Feb 2008
    • 1

    #16
    Anybody think this obfuscator could be reliable? http://www.stunnix.com/prod/jo/javascript-obfuscator-overview.shtml

    I haven't needed nor used an obfuscator before. My client's requirement is for my javascript to be 100% safe. Is server-side coding the only 100% safe method for preventing code viewing in browsers?

    Comment

    • Kelicula
      Recognized Expert New Member
      • Jul 2007
      • 176

      #17
      Originally posted by peterlord
      Anybody think this obfuscator could be reliable? http://www.stunnix.com/prod/jo/javascript-obfuscator-overview.shtml

      I haven't needed nor used an obfuscator before. My client's requirement is for my javascript to be 100% safe. Is server-side coding the only 100% safe method for preventing code viewing in browsers?
      Yes. The only 99% safe way is server-side.
      I say 99% because even then, it's hackable.

      But no matter how obfuscated it gets, there's always someone that can crack it.

      Of course, that's just my opinion.

      Comment

      • acoder
        Recognized Expert MVP
        • Nov 2006
        • 16032

        #18
        Originally posted by Kelicula
        Yes. The only 99% safe way is server-side.
        I say 99% because even then, it's hackable.

        But no matter how obfuscated it gets, there's always someone that can crack it.

        Of course, that's just my opinion.
        My opinion too and of many others more knowledgeable than us ;)

        Comment

        • acoder
          Recognized Expert MVP
          • Nov 2006
          • 16032

          #19
          Originally posted by peterlord
          I haven't needed nor used an obfuscator before. My client's requirement is for my javascript to be 100% safe.
          When you say 100% safe, do you mean that it's safe from prying eyes? Why does it need to be hidden? See some of the comments earlier (if you haven't already).

          Comment

          • hsriat
            Recognized Expert Top Contributor
            • Jan 2008
            • 1653

            #20
            IE supports something called Jscript-encode. But its major drawback is that it won't run on any browser other than IE.

            Comment

            • gits
              Recognized Expert Moderator Expert
              • May 2007
              • 5388

              #21
              Originally posted by hsriat
              IE supports something called Jscript-encode. But its major drawback is that it won't run on any browser other than IE.
              not even that ... it's reverse engineered too :) look here

              kind regards

              Comment

              • hsriat
                Recognized Expert Top Contributor
                • Jan 2008
                • 1653

                #22
                Originally posted by gits
                not even that ... it's reverse engineered too :) look here

                kind regards
                Yeah I read that! Poor IE guys! :D

                Comment

                • gits
                  Recognized Expert Moderator Expert
                  • May 2007
                  • 5388

                  #23
                  as it was mentioned more than one time ... the browser has to interpret the javascript code and so in any way the code is to be transferred to the browser ... there is always a method to see the code ... as you might even see on the comments on your linked page. the only reliable way to hide that code from the client which really needs to be hidden is to avoid that code in javascript - and btw. how should your method hide something? the url is just a php script and in chromium i just need to click 'view page source' and then click the links to retrieve the code that is served from the php script:

                  here is the js:
                  Code:
                  $(document).ready(function () {  
                  	$(".imgnorm").mouseover(function(){
                  		var id = $(this).attr("id");
                  		$("#largeimg"+id).fadeIn('medium');
                  	
                  	$(".imgzoom").mouseout(function(){
                  		$("#largeimg"+id).fadeOut('medium');
                  	});
                  	})
                  });
                  and here the start of the css:
                  Code:
                  * {
                  margin: auto;
                  padding:0;
                  }
                  div.fluid {
                  width: 100% !important;
                  }
                  body {
                  	margin: 0px;
                  	padding: 0px;
                  	font-family: Gotham Black, Arial, Helvetica, Calibri, sans-serif;
                  	font-size: 14px;
                  	line-height: 140%;
                  	color:#333333;
                  	background: url('http://valajionetworks.com/images/bg.gif');
                  	background-repeat: repeat;
                  	background-attachment: fixed;
                  }
                  .page_body {
                  min-width:10px;
                  max-width:900px;
                  background:#ffffff;
                  border:5px solid #8DA6C5;
                  padding:10px;
                  }
                  i suppose if i would use firebug or other common dev extensions i would just need to have a look at the script, css sections to see the used directives ... this is due to the technology ... the name clientside code is for a reason ... the code is to be executed at the client and therefore must be located there somehow ... no matter how tricky you serve it ... but it IS there and thus can be read, copied, pasted and so on ...

                  Comment

                  • mehxxran
                    New Member
                    • Apr 2010
                    • 3

                    #24
                    Originally posted by SOLAV
                    This is the only working way to completely hide your JavaScript code from the client just like PHP or ASP code.

                    Here we'll need the help of PHP. Here is the code:
                    index.php
                    _______________ _______________ _______________ ___________
                    Code:
                    <?PHP
                    	@session_start(); //Start our session.
                    	if(@!session_is_registered('PrintTheJavaScript')){ //If the session is not registered (and it's not).
                    		@session_register('PrintTheJavaScript'); //Register the session.
                    	} // End if(@!session_is_registered('Pri...
                    	$_SESSION["PrintTheJavaScript"] = true; //Set the session value to TRUE.
                    ?>
                    Code:
                    <html>
                    <head>
                    <meta http-equiv="Content-Type" content="text/html; charset=windows-1256" />
                    <title>Hide Javascript Code</title>
                    <!--Here we call our Javascript page the first time it'll provide us with our javascript code -->
                    <script language="javascript" src="./javascript.php"></script>
                    <!--
                    We call the same page again AND THIS IS SECOND PART OF THE TRICK.
                    because after we called it the first time it will set the session value to FALSE which mean it will print NOTHING
                    -->
                    <script language="javascript" src="./javascript.php"></script>
                    </head>
                        Try to save this page or go straight from your browser to the (javascript.php) page<br>
                        and see if you can get my javascript code.<br>
                    	YOU'LL NEVER CAN.
                    <body>
                    </body>
                    </html>
                    _______________ _______________ _______________ _______________ _

                    javascript.php
                    _______________ _______________ _______________ _______________ _
                    Code:
                    <?php
                    /*
                    	 ___________________________________________________________
                    	|																										|
                    	|	Script name: Hide Javascript Code.														|
                    	|	Script date: 16/12/2007																	|
                    	|	Script author: Mahr Bakr																		|
                    	|						admin@SOLAV.com														|
                    	|	Script goal: Hiding the javascript code from the client like PHP & ASP		|
                    	|	Script license: Free for personal and commercial.									|
                    	|	*******************************************************	|
                    	|	Keep this note or at least point to me as the author of the script			|
                    	|	*******************************************************	|
                    	/___________________________________________________________\
                    	
                    */
                    	@session_start(); //Start our session.
                    	header("Cache-Control: no-store, no-cache"); //Tell the browser to not cache this page (don't store it in the internet temp folder).
                    	header("Content-type: text/javascript"); //Let the browser think that this is a Javascript page.
                    	//If the session value is TRUE that means the client has opened the main page (which creates our session and sets its value to TRUE).
                    	if ($_SESSION["PrintTheJavaScript"] == true){
                    		//Now we can print our javascript code using PHP's echo command.
                    		echo '
                    		// Here is our hidden javascript source.
                    		var Something="This is a real hidden Javascript code";
                    		alert(Something);
                    		// End of our hidden javascript source.
                    		';
                    	}else{
                    		//If the client tried to open the page straight from the browser (he is trying to see our hidden code).
                    		// Print some fake code or don't print anything.
                    	}
                    	//Set the session value to false AND THIS IS FIRST PART OF THE TRICK.
                    	//because we are going to call this page again and it'll print nothing (because $_SESSION["PrintTheJavaScript"] <> TRUE)
                    	//so even if the client tried to SAVE the page this page will be saved empty.
                    	$_SESSION["PrintTheJavaScript"] = false;
                    ?>
                    See if you can get my JavaScript code. You'll never be able to. I hope this will help all of you.
                    that was a clever one, but when u put function instead of var inside it, it won't work, why?

                    Comment

                    • mehxxran
                      New Member
                      • Apr 2010
                      • 3

                      #25
                      Originally posted by Kelicula
                      There are also methods for hiding the purpose of the code, from the client through obfuscation.

                      Example:
                      [code=javascript]
                      var e;function q(){
                      for(w=0;w<e.length;w++){
                      var yhtegfr = e.substr(0, 3);
                      var uhytf= e.substr(yhtegfr, -1);
                      if(x<23){
                      setTimeout(window.status=uhytf,2000);
                      x--;
                      }else{tegf();x--}
                      }}
                      e="abcdefghijklmnop";//qrstuvwxyz";
                      function tegf(){
                      document.write("hello\n");
                      }
                      var x=100;q();
                      // Crazy head ache of a script...

                      [/code]

                      All it does is write hello to the screen 16 times..
                      where to put the hidden code?

                      Comment

                      • acoder
                        Recognized Expert MVP
                        • Nov 2006
                        • 16032

                        #26
                        Originally posted by mehxxran
                        where to put the hidden code?
                        That is the code. There's no need to hide it. It's obfuscated, so the purpose of the code and how it produces what it does is "hidden". Of course, it's not really hidden, but it makes it a lot more difficult for someone to try to work out which parts to copy. You shouldn't be using it to hide sensitive information.

                        Comment

                        • mehxxran
                          New Member
                          • Apr 2010
                          • 3

                          #27
                          as far as i understood till now, the one who wants to steal the obfuscated code just simply copies and pastes it on his site, no matter how difficult it is to see the code, and also after that you were talking about making it safe by server, can u explain about that method too?

                          Comment

                          • acoder
                            Recognized Expert MVP
                            • Nov 2006
                            • 16032

                            #28
                            Basically, put information you wish to hide on the server. Don't publish it on the client no matter what type of obfuscation you may use.

                            Comment
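The server-side approach described in #28, as an added example that is not part of the thread or any poster's code: the price table and coupon rule stay in the server process, and the browser receives only a script that asks for the result. The `/api/price` endpoint, the item names and the coupon codes are all constructed for illustration.

```javascript
// Added example, not code from the thread. Every name and value is constructed.

// ---- Server side: lives only in the server process ----
const PRICES_CENTS = new Map([["widget", 1500], ["gadget", 1000]]);
const COUPON_PERCENT = new Map([["SPRING-7Q2X", 20], ["PARTNER-9KD4", 35]]);
const MAX_FAILED_COUPONS = 5;          // wrong guesses allowed per session
const failedCoupons = new Map();       // sessionId -> failed guesses so far

function reply(status, body) {
  return { status, body };
}

// Logic behind a hypothetical POST /api/price endpoint.
// `payload` is the parsed JSON body and is treated as untrusted input.
function handlePriceRequest(sessionId, payload) {
  if (typeof sessionId !== "string" || sessionId === "" ||
      payload === null || typeof payload !== "object") {
    return reply(400, { error: "bad request" });
  }
  const { items, coupon } = payload;
  if (!Array.isArray(items) || items.length === 0 || items.length > 100 ||
      !items.every((id) => typeof id === "string" && PRICES_CENTS.has(id))) {
    return reply(400, { error: "unknown or missing items" });
  }
  if (coupon !== undefined && typeof coupon !== "string") {
    return reply(400, { error: "bad coupon" });
  }

  // Prices come from the server's table, never from the request.
  const totalCents = items.reduce((sum, id) => sum + PRICES_CENTS.get(id), 0);

  let percent = 0;
  if (coupon !== undefined) {
    const failed = failedCoupons.get(sessionId) || 0;
    if (failed >= MAX_FAILED_COUPONS) {
      return reply(429, { error: "too many coupon attempts" });
    }
    if (COUPON_PERCENT.has(coupon)) {
      percent = COUPON_PERCENT.get(coupon);
    } else {
      failedCoupons.set(sessionId, failed + 1);
    }
  }
  const priceCents = Math.floor((totalCents * (100 - percent)) / 100);
  // The response carries the result only, not the rule or the table.
  return reply(200, { priceCents, couponAccepted: percent > 0 });
}

// ---- Client side: this text is what "view page source" shows ----
const CLIENT_SCRIPT = `
async function getPrice(items, coupon) {
  const res = await fetch("/api/price", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ items, coupon }),
  });
  return res.json();
}`;

// Release check: list any server-side secret that appears in the text
// shipped to browsers. An empty list means nothing leaked.
function leakedSecrets(shippedText) {
  return [...COUPON_PERCENT.keys()].filter((code) => shippedText.includes(code));
}

// Constructed sample requests.
console.log(handlePriceRequest("sess-1", { items: ["widget", "gadget"], coupon: "SPRING-7Q2X" }));
console.log(handlePriceRequest("sess-1", { items: ["widget"], coupon: "GUESS-0000" }));
console.log("leaked:", leakedSecrets(CLIENT_SCRIPT));
```

Copying `CLIENT_SCRIPT` to another site gives the copier nothing but a call to an endpoint they do not control, which is the difference from obfuscation that #27 asks about.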

                            • acoder7777
                              New Member
                              • Mar 2018
                              • 9

                              #29
                              hi!!, by using this code above I'm having an error.
                              Code:
                              <!DOCTYPE html>
                              
                              <html>
                              <head>
                              
                              <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
                              <script type="text/javascript" src="https://cdn.emailjs.com/dist/email.min.js"></script>
                              
                              
                                  <?PHP
                                      @session_start(); //Start our session.
                                      if(@!session_is_registered('PrintTheJavaScript')){ //If the session is not registered (and it's not).
                                          @session_register('PrintTheJavaScript'); //Register the session.
                                      } // End if(@!session_is_registered('Pri...
                                      $_SESSION["PrintTheJavaScript"] = true; //Set the session value to TRUE.
                                  ?>
                              
                              
                              	<link rel="icon" type="icon" href="assets/pics/favicon.ico">
                              	<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css" />
                              	<link rel="stylesheet" type="text/css" href="assets/css/style.css" />
                              	<meta name="viewport" content="width=device-width, initial-scale=1" />
                              	<meta charset="utf-8" />
                              <script type="text/javascript" src="javascript.php"></script>
                              <script type="text/javascript" src="javascript.php"></script>
                              <?php
                                  echo "<script>alert('good')</script>";
                                echo "<script src='js/formfilled.js'></script>"; 
                                  ?>
                              	<title>yirus world</title>
                              	<style type="text/css">
                              		.content {
                                padding: 16px;
                              }
                              
                              .sticky {
                                position: fixed;
                                top: 0;
                                width: 100%;
                                left: 0%;
                              
                              }
                              
                              .sticky + .content {
                                padding-top: 102px;
                              }
                              	</style>
                              </head>
                              <body class="w3-mobile">
                              
                              	
                                  <div id="container">
                              	<div class="w3-wrapper w3-container" id="myHeader">
                              		
                              			<div class="w3-black sticky " id="myHeader" style="margin: auto;">
                              				<center>
                              					<a href="#" class="w3-bar-item w3-button  w3-center">Home</a>
                              					<a href="#" class="w3-bar-item w3-button  w3-center">Posts</a>
                              					<a href="#" class="w3-bar-item w3-button  w3-center">Practice place</a>
                              					<a href="#" class="w3-bar-item w3-button  w3-center">My Projects</a>
                              					<a href="assets\others\about.html" class="w3-bar-item w3-button  w3-center">about me</a>
                              					<a href="#" class="w3-bar-item w3-button  w3-center">Contact me</a>
                              					
                              				</center>
                              			</div>
                              			<div class="w3-div" style="width:100%; height: 480px; border: 4px solid black;" >
                              				<a href="index.html">	<h1 class="hide-text">Yirus world</h1>
                              		<h1 class="hide-text" >virus world</h1>
                              		<h1 class="hide-text">virus</h1>
                              		<h1 class="hide-text">khushit shah</h1>
                              		<h1 class="hide-text">VIRUS</h1>
                              		<h1 class="hide-text">virus protection</h1>
                              		<h1 class="hide-text">hacking</h1>
                              		<h1 class="hide-text">hacking protection </h1>
                              		<h1 class="hide-text">hacker world</h1>
                              		<h1 class="hide-text">hacked.com</h1>
                              		<h1 class="hide-text">Yirus world.com</h1>
                              		<h1 class="hide-text">virus world.com</h1>
                              		<h1 class="hide-text">*.com & * *.*.in</h1></a>
                              				<img src="assets/pics/1.jpg" class="w3-image" style="width: 100%; height:473px; padding-bottom: 0px;">
                              			</div>
                              
                              			<div class=" w3-grey content">
                              				
                              				<div class="recent-posts" ondblclick="redirect('assets\\posts\\yirus-for-restarting.html');">
                              					<h2 class="posts-headings">Virus for restarting pc forever</h2>
                              					<div class="disclaimer">
                              						<h3>
                              							DISCLAIMER:-
                              						</h3 >
                              						<p class="disclaimer-content">
                              						Content posted in this website is for education purpose only.
                              					    Misuse of the content is not our resposiblity at all.
                              						</p>
                              
                              					</div>
                              						<p>
                              						If you are new over here then please first have a read at.		
                              						<a href="posts\making-a-virus.html">
                              						Making a virus:-				
                              						</a>
                              						</p>
                              						<div class="index-posts" ondblclick="redirect('assets\\posts\\yirus-for-restarting.html');">
                              								<p>This virus is to restart a pc forever as the pc turn on it will restart the pc.
                              								</p>
                              								<p>
                              									To build it first of all open Notepad and write following code in it>
                              										<br><code class="code">@echo off
                              													<br> shutdown -r -t "30" -c "Your pc has been hacked"
                              										</code>
                              										<p>
                              										<a href="posts\yirus-for-restarting.html" class="read-more">(read more)</a>
                              										<p>
                              								</p>
                              						</div>
                              			    </div>
                              						
                              					
                              
                              			</div>
                              			<div class="w3-footer w3-container w3-black">
                              					<center><p>
                              						Content in this website is for educational purpose only misuse of content is not over responsiblity
                              					</p>
                              					copyrighted &copy;  Yirus world	 
                              				</center>
                              			</div>
                              	</div>
                              	<div class="w3-container w3-grey content">
                              <form id="myform" method="post">
                              <label>name</label>
                              <input type="text" name="name" />
                              <label>email</label>
                              <input type="text" name="email" />
                              <label>from_name</label>
                              <input type="text" name="from_name" />
                              <label>message</label>
                              <input type="text" name="message" />
                              <br><br>
                              <button ></button>
                              Send
                              </button>
                              </form>
                              </div>
                              </div>
                              
                              <script>
                                  
                              var myform = $("form#myform");
                              myform.submit(function(event){
                              	event.preventDefault();
                              
                                // Change to your service ID, or keep using the default service
                                var service_id = "default_service";
                                var template_id = "template_Tw7cPE5l";
                              
                                myform.find("button").text("Sending...");
                                emailjs.sendForm(service_id,template_id,"myform")
                                	.then(function(){ 
                                  	alert("Sent!");
                                     myform.find("button").text("Send");
                                  }, function(err) {
                                     alert("Send email failed!\r\n Response:\n " + JSON.stringify(err));
                                     myform.find("button").text("Send");
                                  });
                                return false;
                              });
                              </script>
                              <script>
                              $(function(){
                              $('body > div:last-child:not(#container)').remove();
                              
                              });
                              </script>
                              </body>
                              </html>
                              ERROR is--

                              Fatal error: Uncaught Error: Call to undefined function session_is_registered() in /storage/ssd1/533/5142533/public_html/index.php:10 Stack trace: #0 {main} thrown in /storage/ssd1/533/5142533/public_html/index.php on line 10

                              I have no experience in php, I just used this to hide my sensitive javascript. Can anyone make me understand what is wrong?


                              JAVASCRIPT.PHP
                              Code:
                              <?php
                              /*
                                   ___________________________________________________________
                                  |                                                                                                        |
                                  |    Script name: Hide Javascript Code.                                                        |
                                  |    Script date: 16/12/2007                                                                    |
                                  |    Script author: Mahr Bakr                                                                        |
                                  |                        admin@SOLAV.com                                                        |
                                  |    Script goal: Hiding the javascript code from the client like PHP & ASP        |
                                  |    Script license: Free for personal and commercial.                                    |
                                  |    *******************************************************    |
                                  |    Keep this note or at least point to me as the author of the script            |
                                  |    *******************************************************    |
                                  /___________________________________________________________\
                               
                              */
                                  @session_start(); //Start our session.
                                  header("Cache-Control: no-store, no-cache"); //Tell the browser to not cache this page (don't store it in the internet temp folder).
                                  header("Content-type: text/javascript"); //Let the browser think that this is a Javascript page.
                                  //If the session value is TRUE that means the client has opened the main page (which creates our session and sets its value to TRUE).
                                  if ($_SESSION['PrintTheJavaScript'] == true){
                                      //Now we can print our javascript code using PHP's echo command.
                                      echo '
                                       <script>alert("good php hide javascript code is working");</script>
                                      ';
                                  }else{
                                      echo '<script>alert("oops!");</script>';
                                  }
                                  //Set the session value to false AND THIS IS FIRST PART OF THE TRICK.
                                  //because we are going to call this page again and it'll print nothing (because $_SESSION["PrintTheJavaScript"] <> TRUE)
                                  //so even if the client tried to SAVE the page this page will be saved empty.
                                  $_SESSION["PrintTheJavaScript"] = false;
                              ?>
                              ERROR IN THIS is
                              it prints the following....
                              <script>alert("oops!");</script>

                              Comment

                              • gits
                                Recognized Expert Moderator Expert
                                • May 2007
                                • 5388

                                #30
                                don't bother with that - did you read the entire thread? it doesn't hide it - you only can't see it directly in the page-source. There is no reliable way to hide javascript code from the client - since it has to be delivered to the client, interpreted and executed - else the javascript code wouldn't even have a purpose. the point is to only have that in the javascript code what is not sensitive - it's useless to even try such - it's just useless overhead with no success in providing any kind of security of something in that code.

                                Comment
