No Beans About It: Why You Need JavaScript Obfuscation

Categories
Risk Management

Published on September 3, 2019 by Gabriel Torok

Reading Time: 4 minutes

JavaScript is everywhere. It’s currently the world’s most popular programming language; as noted by GitHub, JavaScript has the highest number of contributors and repositories, handily outpacing other alternatives such as Python, PHP and Ruby.

The problem with all this popularity? Massive amounts of great open-source code create opportunities for both in-house development teams and malicious actors. The sheer volume of JavaScript-based services means it’s not enough just design apps with security in mind — businesses must actively mitigate emerging threats by obfuscating critical code to frustrate hacker efforts.

Not sure where to start? Here’s what you need to know about the brewing storm of JavaScript attacks and the simplest ways to reduce your total risk.

Why JavaScript?

JavaScript is easy to learn and easy to use. Beginners can quickly get to work on simple projects and code to create front-end web services, while more experienced developers are now using JavaScript for back-end development and digital transformation projects.

Frameworks such as Angular.js, React.js and jQuery empower both development agility and speed, allowing organizations to quickly solve many problems. These tools make it easy to develop user interfaces, website backends, on-demand microservices, and IoT device features.

Combine these frameworks with a rapidly growing and dedicated JavaScript community and it’s no surprise that this programming language now dominates the market and continues to evolve.

Why Obfuscate?

As noted above, the near-universal presence of JavaScript code and the ease of development also increases the overall risk of security vulnerabilities. Given the broad array of apps and services powered by JavaScript, even a minor breach could expose your businesses to IP theft, loss of revenue or reputation damage.

Consider just a few recent examples:

  • MyDashWallet — As noted by Silicon Angle, cryptocurrency service MyDashWallet was compromised over a period of two months thanks to vulnerabilities in an external JavaScript library.
  • British Airways — In 2018, British Airways suffered a massive breach that exposed the personal details of more than 380,000 customers. The source? 22 lines of JavaScript.
  • Magecart — The BA attack code was likely written by the cybercriminal group Magecart, which is responsible for a host of credit card skimming and eCommerce attacks in recent years. According to Packt, the most common Magecart attack vector uses JavaScript sniffing to identify vulnerable code and insert malicious commands.

In fact, the threat of JavaScript attacks is now worrisome enough that the PCI Security Standards Council (PCI SSC) and the Retail and Hospitality ISAC recently issued a joint statement about the risk of JavaScript-based skimming.

Choices, Choices…

So how do companies protect JavaScript code used across both local and cloud-based applications and services?

Generally, you can mitigate these risks in two ways: Obfuscation and Runtime Checks.

  1. Obfuscation: Transform your code to make it hard to steal or copy.A JavaScript Obfuscator will transform your entire source code to make it virtually impossible to read and understand. While the process may modify actual method instructions or metadata, it does not alter the functionality of the program.JavaScript Obfuscation can make it extremely difficult for hackers to reverse-engineer, analyze and exploit the application. Advanced obfuscation techniques include control flow alteration, literal transformation, property access transformation and local declaration mangling.
  2. Runtime Checks: Inject layered security checks in your code to make it hard to hack while it is running.Runtime checks & response can hinder debugging/inspection, stop tampered versions from running, help prevent malicious code insertion or bypassing controls and/or altering data in JavaScript applications. Failing a protection check can trigger specific responses such as session termination or critical incident reporting.

Similar but Different

Other technologies designed to alter JavaScript such as “minifying” or “ugilfying” code often promise some protection.

The caveat? Minifying or uglifying JavaScript is not the same as obfuscating JavaScript. Here’s why: Minification is a process that removes all unnecessary characters in source code including whitespace, comments, new line characters or anything else the program does not need to work. It might also rename variables and methods to one to two characters to save space. Uglifying is the reverse — adding nonsensical lines and commands that impact the form of your JavaScript but don’t interfere with key functions.

However, hackers have already found ways around these techniques: Tools like prettifyjs and others can undo much of what a minifier or uglifier does.

The Real Costs of “Free” Software

The result? To effectively protect your JavaScript, you need reliable obfuscation and active security checks.

However, premium tools come with premium prices — and it’s now easy to find “free” solutions that promise complex obfuscation without the cost. The problem? If you choose a free obfuscator over a premium obfuscator backed by industry leaders, you may be increasing your risk.

In his article, Why A Free Obfuscator is Not Always Free, Peter Gramantik discusses an experience he had with a “free” JavaScript obfuscator. While it obfuscated the JavaScript, it also inserted malware into the code. This creates a dual problem: Companies using free tools often assume their code is better-protected while, in fact, malicious code inserted in the JavaScript by the free obfuscator is free to collect data or impact key processes.

Responsibly-Sourced Security

This widespread use of JavaScript provides many advantages, but the combination of easy integration with other services and increasing adoption may also open the door to increased risk. As a result, security is now paramount for any JavaScript-based applications — but solutions such as minification and uglification offer only minimal protection while “free” tools may come with hidden costs. Premium application obfuscation provides the shortest path between development and defense to help your JavaScript apps handle both current and emerging threats.

Do you have client-side JavaScript code worth protecting? Check out our latest offering for JavaScript obfuscation: PreEmptive Protection for JavaScript.