WebApp Sec mailing list archives

RE: Web Forms filtered with SQL constraints


From: focus () karsites net
Date: Fri, 8 Oct 2004 10:31:57 +0000 (GMT)


To protect your code, you could try using a JavaScript
Obfuscator. This will make your JS very hard to understand.
Or write some sed, perl and bash scripts to obfuscate your
own JS code.

(This is not to enable client-side security checking, just
to protect your code from other people's prying eyes!)

I have written a set of beta scripts to obfuscate my php
code.

Each variable name begins with "$v_" in the source code.

The scripts use sed to replace the variable name
"$v_my_var_names" with "$vn".

So $v_this_var becomes $v1;
$v_that_var becomes $v2. etc, etc.

The same applies to php functions. The function names are
replaced with fn, where n is the sequence number as the
conversion takes place.

Also, all line endings are removed, making the source code
effectively one long line. Plus other mods such as stripping
out all comments.

Anyone trying to alter the source code will have a pretty
tough time trying to debug it, as the php interpreter
flags all error messages as being on line 1 :-).


**BEFORE OBFUSCATING**

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<!-- ======================================================================= -->
<!-- Copyright (c) 2000-2004 Keith Anthony Roberts U.K. ALL RIGHTS RESERVED. -->
<!-- ======================================================================= -->

<!-- php4 include file containing user buttons for muxreg homepage -->

<!-- last updated 15-JAN-2004 -->

<!-- use list.com to print this out - or required sections thereof -->

<!-- ========================================================== -->

<HTML> <HEAD>

<META name="description" content="Free online mutual exchange register for Kings Lynn
 area and surrounding villages. For use by council or housing association
 tenants only">

<META name="keywords" content="'Kings Lynn', mutual, exchange, register">

<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

<TITLE> </TITLE> </HEAD>

<!-- ========================================================== -->

<BODY>

<?php // into php4 mode

/*-----------------------------------------------------*/
/*  Anyuser return to muxreg website home page button  */
/*-----------------------------------------------------*/

function anyuser_HOMEPAGE_button($v_text)
{
 // declare the following variables as global to access them
 global $v_host_name;
 global $v_debug_value;
 global $v_table_output;
 global $v_advcd_search;

 ?> <!-- back into HTML mode -->

 <FORM ACTION="./muxreg.hml" METHOD="POST">

 <P ALIGN=CENTER>
 <INPUT TYPE="SUBMIT" VALUE="<?php echo $v_text; ?>"> </P>

 <!-- ========================================================== -->

 <!-- pass the following hidden variables with the form -->

 <INPUT TYPE="HIDDEN" NAME="v_host_name"
        VALUE="<?php echo $v_host_name; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_debug_value"
        VALUE="<?php echo $v_debug_value; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_table_output"
        VALUE="<?php echo $v_table_output; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_advcd_search"
        VALUE="<?php echo $v_advcd_search; ?>">

 <!-- ========================================================== -->

 </FORM>

 <?php // back into php mode

} // end of function anyuser_HOMEPAGE_button($v_text)
/*-------------------------------------------------------------*/

/*-----------------------------------------*/
/*  About this site and User Guide button  */
/*-----------------------------------------*/

function ABOUT_SITE_button($v_text)
{
 // declare the following variables as global to access them
 global $v_debug_value;
 global $v_table_output;
 global $v_advcd_search;

 ?> <!-- back into HTML mode -->

 <FORM ACTION="./about.hml" METHOD="POST">

 <P ALIGN=CENTER>
 <INPUT TYPE="SUBMIT" VALUE="<?php echo $v_text; ?>"> </P>

 <!-- ========================================================== -->

 <!-- pass the following hidden variables with the form -->

 <INPUT TYPE="HIDDEN" NAME="v_debug_value"
        VALUE="<?php echo $v_debug_value; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_table_output"
        VALUE="<?php echo $v_table_output; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_advcd_search"
        VALUE="<?php echo $v_advcd_search; ?>">

 <!-- ========================================================== -->

 </FORM>

 <?php // back into php mode

} // end of function ABOUT_SITE_button($v_text)
/*-------------------------------------------------------------*/

The above code AFTER OBFUSCATING

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML> <HEAD> <META name="description" content="Free online
mutual exchange register for Kings Lynn area and surrounding
villages. For use by council or housing association tenants
only"> <META name="keywords" content="'Kings Lynn', mutual,
exchange, register"> <META http-equiv="Content-Type"
content="text/html; charset=ISO-8859-1"> <TITLE> </TITLE>
</HEAD> <BODY> <?php function f107($v159) { global $v97;
global $v32; global $v153; global $v4; ?> <FORM
ACTION="./muxreg.hml" METHOD="POST"> <P ALIGN=CENTER> <INPUT
TYPE="SUBMIT" VALUE="<?php echo $v159; ?>"> </P> <INPUT
TYPE="HIDDEN" NAME="v97" VALUE="<?php echo $v97; ?>"> <INPUT
TYPE="HIDDEN" NAME="v32" VALUE="<?php echo $v32; ?>"> <INPUT
TYPE="HIDDEN" NAME="v153" VALUE="<?php echo $v153; ?>">
<INPUT TYPE="HIDDEN" NAME="v4" VALUE="<?php echo $v4; ?>">
</FORM> <?php } function f1($v159) { global $v32; global
$v153; global $v4; ?> <FORM ACTION="./about.hml"
METHOD="POST"> <P ALIGN=CENTER> <INPUT TYPE="SUBMIT"
VALUE="<?php echo $v159; ?>"> </P> <INPUT TYPE="HIDDEN"
NAME="v32" VALUE="<?php echo $v32; ?>"> <INPUT TYPE="HIDDEN"
NAME="v153" VALUE="<?php echo $v153; ?>"> <INPUT
TYPE="HIDDEN" NAME="v4" VALUE="<?php echo $v4; ?>"> </FORM>
<?php }

These scripts are still in beta, and a bit buggy, but if
anyone wants a copy for downloading and experimenting with,
they are at:

http://www.karsites.net/KAR/websites/pub/computing/obfs/

The main bash script lives at:

http://www.karsites.net/KAR/websites/pub/computing/obfs/grep/encrypt-muxreg-website

Maybe we can write a GPL'd set of encryption scripts, based
on what I have already started, if anyone wants to continue
this as a project with me.

Any questions, please email me.

Regards - Keith Roberts

On Wed, 6 Oct 2004, V. Poddubnyy wrote:

To: 'Bénoni MARTIN' <Benoni.MARTIN () libertis ga>, webappsec () securityfocus com
From: V. Poddubnyy <vpoddubniy () mail ru>
Subject: RE: Web Forms filtered with SQL constraints

Hello!

But I have 2 questions:
    - How can I hide my Jscript filtering from the user ?
When I want to see the source, everything is displayed, quite
normal :( ...
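The renaming scheme Keith describes above (every v_* identifier becomes vN, every declared function becomes fN, comments are stripped and all lines are joined into one) as a small sed/awk reimplementation, added here as an editorial illustration. It is not Keith's script from karsites.net: his numbering looks arbitrary (f107, v159), this one numbers names in order of first appearance, and the sample include file it runs on is constructed here in the style of his posted file, not the posted file itself. The obfuscate_php and sample_php names are this example's own.

```shell
#!/bin/sh
# Added example: sed/awk reimplementation of the v_*/function renaming scheme
# described in the post. Not Keith's scripts; numbering is first-appearance
# order. Reads PHP (with embedded HTML) on stdin, writes one long line on stdout.

obfuscate_php() {
    # Step 1: drop "//" comments, but only when preceded by whitespace or at
    #   line start, so the "//" inside "http://..." string literals survives
    #   (heuristic: a "//" after a space inside a string would be eaten too).
    #   Then join every line into one.
    # Step 2: drop /* ... */ and <!-- ... --> comments, squeeze whitespace.
    # Step 3: rename declared functions to fN, then every v_* identifier to vN.
    #   The v_ rule covers both $v_name and the hidden-field NAME="v_name",
    #   which is why the renamed form still round-trips its hidden values.
    sed -E 's#(^|[[:space:]])//.*$#\1#' | tr '\n' ' ' |
    sed -E -e 's#/\*([^*]|\*+[^*/])*\*+/##g' \
           -e 's#<!--([^-]|-[^-])*-->##g' \
           -e 's#[[:space:]]+# #g' -e 's#^ ##' -e 's# $##' |
    awk '
    # Replace each match of re with prefix+N, keeping the mapping stable across
    # occurrences. A match glued to a longer identifier is left alone, so
    # v_host is never rewritten inside something like xv_host_name.
    function rename(s, re, prefix,    out, name, pre, post) {
        out = ""
        while (match(s, re)) {
            name = substr(s, RSTART, RLENGTH)
            pre  = RSTART > 1 ? substr(s, RSTART - 1, 1) : ""
            post = substr(s, RSTART + RLENGTH, 1)
            out  = out substr(s, 1, RSTART - 1)
            if (pre ~ /[A-Za-z0-9_]/ || post ~ /[A-Za-z0-9_]/) {
                out = out name
            } else {
                if (!(name in map)) map[name] = prefix (++seq[prefix])
                out = out map[name]
            }
            s = substr(s, RSTART + RLENGTH)
        }
        return out s
    }
    {
        # Collect declared names ("function NAME") into an alternation so only
        # functions defined in this file are renamed, never PHP builtins.
        t = $0; fre = ""
        while (match(t, /function [A-Za-z_][A-Za-z0-9_]*/)) {
            n = substr(t, RSTART, RLENGTH); sub(/^function /, "", n)
            if (!(n in seen)) { seen[n] = 1; fre = (fre == "" ? "" : fre "|") n }
            t = substr(t, RSTART + RLENGTH)
        }
        s = $0
        if (fre != "") s = rename(s, fre, "f")
        s = rename(s, "v_[A-Za-z0-9_]+", "v")
        print s
    }'
}

# Constructed sample input in the style of the posted include file (not the
# posted file itself): two button functions, hidden v_* fields, mixed comments,
# and a "http://" literal that a naive "//" rule would destroy.
sample_php() {
    cat <<'EOF'
<!-- user buttons include file (constructed sample, not the posted file) -->
<?php // into php mode
/*  home page button  */
function anyuser_HOMEPAGE_button($v_text)
{
 global $v_host_name;   // passed through as a hidden field
 ?>
 <FORM ACTION="./muxreg.hml" METHOD="POST">
 <INPUT TYPE="SUBMIT" VALUE="<?php echo $v_text; ?>">
 <INPUT TYPE="HIDDEN" NAME="v_host_name" VALUE="<?php echo $v_host_name; ?>">
 </FORM>
 <?php
} // end of function anyuser_HOMEPAGE_button($v_text)
function ABOUT_SITE_button($v_text)
{
 global $v_host_name;
 echo "http://" . $v_host_name . "/about.hml";
}
EOF
}

# Stand-alone run: print the obfuscated one-liner for the sample.
sample_php | obfuscate_php
```

On the sample this yields a single line in the same shape as the AFTER listing in the post: `function f1($v1) { global $v2; ...`, with `NAME="v2"` on the hidden field and the `http://` literal intact. It is worth keeping in mind what the transformation does not change: the server runs the renamed PHP exactly as before, the browser still receives the same form with the same hidden values under their new names, and a pretty-printer undoes the line joining in seconds, so the only thing raised is the effort of reading the source, never the effort of tampering with what the client sends back.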

