Front-end code security and obfuscation

Author: JD Retail Zhou Mingliang

1. Analysis of peer companies' web pages

1.1 Amazon

Amazon store address:
https://www.amazon.com/OtterBox-Commuter-Case-iPhone-Packaging

  • No interactive event handlers are bound when the page is initialised; the JS for a specific click handler is only delivered after a follow-up JS request
  • Self-executing functions are used to defeat code formatting. [Chrome's built-in pretty-print tool cannot be applied]
  • A self-developed framework is used instead of the usual React/Vue/Angular. A large amount of data is passed through data-xx attributes, which gives a more complex tag structure.

1.2 Taobao

It mainly relies on the interface (API) for encryption, using multi-field interference and template loading: a large amount of template data is sent, and the client then fills it in.

The client-side code uses the traditional, conventional encryption mode.

1.3 Pinduoduo

  • The traditional common encryption method, on top of the React framework. [Obvious React syntactic sugar]
  • Key business details require a mandatory login, and accounts can be banned.

2. Attacker's perspective

  1. [Web Reverse] Analysis of a certain risk-control JS algorithm: the conventional web page encryption mode
  2. Crack App | Anti-debugging of an H5 page inside the WebView of an anti-debugging app
  3. Puppeteer integrated into the debugging process: the debugging experience is refreshing. It can simulate the user's actual click flow and perform process-based operations, and this kind of method is difficult to distinguish
  4. Node.js security best practices: the common attack types officially published by Node.js
  • Reference: the Node.js official documentation
  5. Can a few lines of JS read all the data on the computer? A side-channel attack that obtains user password information through memory response timing
  6. The Qwik JS framework changes the splitting of JS code from the usual "compile time" (e.g. webpack chunking) or "runtime" (e.g. dynamic import) to "interaction time": code is injected and loaded only when the user operates the page.
  7. Practice: the SSR transformation of the Tmall car dealer detail page; the transformation principle is essentially based on Qwik JS.
  8. Front-end security: CSRF
  • Common types of web attack other than code leaks and code cracking:
  • XSS (Cross-Site Scripting): the goal is to steal cookies stored on the client, or other sensitive information that websites use to identify the client. Once a legitimate user's information is obtained, the attacker can even impersonate that user when interacting with the website.
  • CSRF (Cross-Site Request Forgery): the attacker lures the victim onto a third-party website, which sends a cross-site request to the attacked website. Using the credentials the victim has already obtained on the attacked website, the request bypasses back-end user verification, so the attacker performs an operation on the attacked website in the user's name.
  • Network hijacking attacks mainly go through proxy servers, or intermediaries on the network path such as Wi-Fi, which hijack the requests; criminals obtain user information this way.
  • Console code injection: criminals use various prompts to trick users into running some operation in the browser console, and obtain user information that way.
  • Phishing attacks:
  • Email phishing: sending mass emails that trick users into clicking malicious links or attachments, in order to obtain valuable information
  • Website phishing: a fake website, usually imitating a legitimate one. To get users to click on it, assistive techniques such as phishing emails, text messages and phone calls are used
  • Anti-phishing:
  • SPF record: SPF is a DNS record type proposed to prevent spam. It is a TXT record that registers all IP addresses a domain uses for outgoing mail.
  • Safe Browsing API: Google's API that lets browsers check a URL before rendering it.
  • DDoS (Distributed Denial of Service): simply put, sending a large number of requests to paralyse the server
  • SQL injection: an attack that sends malicious SQL statements to the database connected to the web application, creating security risks for the website, such as bypassing verification or leaking private information
  • Clickjacking: a transparent iframe is hidden in a web page, and the visible fake page lures the user into clicking. The click actually lands on the hidden frame and performs an operation the user is not aware of.
  9. AI steps in to interpret the code and speeds up decompilation
  • For example, paste a peer company's code into ChatGPT for interpretation

This is just part of the code. If the complete code is analysed piece by piece, the full context can be obtained without relying on a person to read the code piece by piece.

There are also AI code-debugging tools, such as:
https://github.com/shobrook/adrenaline

3. Defender's perspective

  1. JS code obfuscation
  • Counters: ordinary developers, or ordinary users who do not understand programming. Example: most web pages
  • Code obfuscation/encryption reduces semantic understanding.
  • By debugging the code, finding a specific DOM node and repeatedly setting breakpoints, the relevant execution logic can still be understood
  2. JS virtual machine
  • Counters: professional developers. Example: none
  • The code is converted into binary code through the AST, and the binary code is then executed by a virtual machine.
  • This leads to poor page execution performance and more JS files to load
  • Breakpoints no longer give useful hints, but the decryption process is still exposed to the outside.
  • The JS virtual machine can be called directly to execute the smallest JS fragments, so as to understand the encryption rules of the whole virtual machine.
  3. Force the user to download the app and open the page through a WebView
  • Counters: intermediate and senior developers. Examples: Pinduoduo, etc.
  • The H5 code only displays the data externally; for the key content the user is prompted to download the app, which increases the difficulty of debugging
  • Users are unwilling to download the app, which leads to user loss.
  4. Interface validation / field confusion
  • Counters: Python crawlers. Examples: Taobao, Haocihaoyu.com, etc.
  • Obfuscated templates are generated by the interface, multiple fields are sent in random order, and a corresponding JS template framework is configured.
  • The interface content is transmitted with base64 / AES encryption and decryption, but the decrypted JS is left on the client side and can still be cracked.
  • Mandatory token verification: after three errors no data is returned at all and the user is forced to log in, which may easily lead to user loss.
  5. Custom framework
  • Counters: Python crawlers, intermediate and advanced developers. Examples: Amazon/Taobao. [Needs further digging]
  • The crawler cannot obtain the API request interface behind a given button at first sight; it has to wait for the JS to be returned.
  • There is a lot of irrelevant data on the client side, which makes the DOM nodes look irregular as a whole
  • The JS is returned via an interface request, together with the relevant token parameters, and can be delivered randomly

4. Conclusion

4.1 What most attackers have in common

1) Unwilling to log in, or steal normal users' information and use it for attacks

  • For example, some plug-in programs are provided to external users free of charge. Users, greedy for a small profit, think the plug-in will let them grab deals faster
  • In fact, the user name is recorded and handed to the attacker.

2) If it is a company action, the IP is likely to be recorded and there are legal risks.

  • The computer name and IP address can be analysed
  • They may use IP proxy servers, virtual IPs and virtual locations
  • They may use cloud servers, e.g. Alibaba Cloud / JD Cloud, to attack the corresponding website (JD Cloud against the JD website).

3) Make multiple attempts to modify the token and forge requests

  • Fake UA
  • Enable debug mode

4) Analyse DOM structural features / use the Console to print global storage variables

5) Analyse specific keywords through cookies and global search

6) When a network request is made, inspect the function call stack and trace it step by step to the core request function.

4.2 Dealing with common developer plug-ins

  • Mainly Puppeteer, which can fully simulate the user's operation flow: it can wait for a node to appear and then act on it, so the traditional code-debugging step is no longer needed. It directly triggers the click response on DOM nodes
  • Given such requirements, DOM node positions need to be changed frequently. This increases the cost on the business side and requires a release every time. If the node features are to be generated randomly, a self-developed framework has to be built, and the cost is high
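As an added illustration (not code from the original post) of what "randomly generated node features" means in practice: the class names a Puppeteer script would select on are derived from a per-release salt at build time, while the page's own code keeps using semantic names. The helper names (fnv1a, makeNameMap, renderButton, selectorFor) and the release salts are this example's own assumptions.

```javascript
// Added example (not from the original post): per-release randomisation of the
// DOM "features" (class names) that an automation script would select on.

// Small deterministic FNV-1a 32-bit hash used only to derive opaque names.
// It is not cryptographic; the point is that names change with the salt.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Build step: derive an opaque class name for every semantic name from a
// per-release salt. A selector memorised from one release no longer matches
// anything once the next release changes the salt.
function makeNameMap(semanticNames, releaseSalt) {
  const map = {};
  for (const name of semanticNames) {
    map[name] = 'x' + fnv1a(releaseSalt + ':' + name).toString(36);
  }
  return map;
}

// Runtime side, bundled with the page: components refer to semantic names and
// the map translates them, so the semantic name never reaches the DOM.
function renderButton(map, semanticName, label) {
  return `<button class="${map[semanticName]}">${label}</button>`;
}

// The same map serves the page's own in-page queries, so real code keeps working.
function selectorFor(map, semanticName) {
  return '.' + map[semanticName];
}

// Constructed sample: the same components built for two successive releases.
const SEMANTIC = ['buy-now', 'add-to-cart'];
const release1 = makeNameMap(SEMANTIC, 'release-A-constructed-salt');
const release2 = makeNameMap(SEMANTIC, 'release-B-constructed-salt');
```

Within one release the rendered class and the selector agree; across releases the class for the same semantic name differs, which is exactly the per-release cost the bullet above describes.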

4.3 Dealing with Python crawlers

1) The front-end code adopts the traditional encryption method

  • https://github.com/mishoo/UglifyJS
  • https://github.com/terser/terser
  • https://github.com/javascript-obfuscator/javascript-obfuscator
  • Lean more toward interface (API) encryption, with hardening plus a token

2) Businesses whose entrance is in the app

  • Debugging itself requires an extra link to a device, which increases the complexity of debugging.
  • Combined with the app's own monitoring, specific APIs can be made more secure
  • Only this kind of business can use the JS virtual machine method

3) Obfuscate keywords to reduce feature searches

  • The following approach can be used; it is just an example, and there are more ways, such as array composition, object composition, etc.
  • const GLOBAL_SOCKET_NAME = 'c6on6ne6ct'.concat('S6o').concat('c6ke6t').replace(/6/g, '')
  • In conventional code obfuscation, complete strings are not processed, which leaves keywords directly exposed.
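To make the keyword-splitting idea above reusable rather than hand-written per string, here is an added example (not code from the original post) with a build-time splitter, the runtime reassembly that matches the post's .concat().replace() chain, and a pipeline check that the emitted source no longer contains the plain keyword. The names splitKeyword, joinKeyword and sourceLeaksKeyword are this example's own.

```javascript
// Added example (not from the original post): keyword splitting with filler
// characters, plus a check that the shipped text no longer contains the keyword.

// Build step: cut `word` into chunks of `chunkLen` and put `filler` between
// the characters of each chunk, so neither the whole keyword nor any chunk
// survives as a plain substring that a global text search could find.
function splitKeyword(word, filler = '6', chunkLen = 4) {
  if (filler.length !== 1 || word.includes(filler)) {
    throw new Error('filler must be a single character absent from the keyword');
  }
  const chunks = [];
  for (let i = 0; i < word.length; i += chunkLen) {
    chunks.push(word.slice(i, i + chunkLen).split('').join(filler));
  }
  return { chunks, filler };
}

// Runtime counterpart shipped to the browser: join the chunks and strip the
// filler. Equivalent to the .concat().replace(/6/g, '') chain in the post.
function joinKeyword({ chunks, filler }) {
  return chunks.join('').split(filler).join('');
}

// Defender-side check for the build pipeline: does the emitted source text
// still contain the keyword as a plain string?
function sourceLeaksKeyword(source, word) {
  return source.includes(word);
}

// Constructed sample: the keyword from the post, turned into the literal that
// would be written into the bundle in place of the plain string.
const parts = splitKeyword('connectSocket');
const emitted = `const GLOBAL_SOCKET_NAME = joinKeyword(${JSON.stringify(parts)});`;
```

As with the post's own expression, the plain keyword still exists at runtime once joinKeyword has run; the check only confirms it is absent from the shipped text, which is what defeats a static keyword search.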


Any client-side encryption or obfuscation will be cracked as long as someone puts their mind to it. What we can do is delay the cracking; doing nothing only means it gets cracked faster!

In fact, many of our company's external pages carry exposure risks, including non-standard log output and direct external exposure of encrypted anti-crawl tokens. For example:

Everyone can check for themselves~


Origin my.oschina.net/u/4090830/blog/8652546