Chapter 5. Obfuscation

Obfuscation is a common frontend optimization technique that provides both security and performance benefits in the browser when applied to inline or external code. From a security point of view, developers can conceal implementation logic to make it harder for attackers to reverse engineer the code. From a performance point of view, obfuscation can reduce the size of the code (page weight), so the browser loads and executes it faster. Code obfuscation is a basic example of how we, as developers, can implement solutions that benefit both security and performance. While obfuscating code has been practiced for quite some time, other parts of a site, such as resource URLs, can use the same technique to further enhance frontend security and performance.

Learn from Our Attackers

To explore other applications, let’s look at how attackers deliver malicious payloads today. Origin infrastructures often have a web application firewall (WAF) in place to block certain types of application-layer attacks, such as directory traversal attempts against sensitive files (Example 5-1). Attackers then obfuscate their payloads to avoid detection by the preset firewall rules and, in doing so, deliver the malicious payload to the origin server as intended (Example 5-2).
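The mitigation that follows from this is that the firewall must compare its rules against a canonical form of the input, not the raw bytes. The following Python is an added example, not code from the book or from any real WAF product: it shows a naive rule that matches the literal traversal string from Example 5-1 beside a hardened check that first decodes percent-encoding, double percent-encoding and decimal HTML entities (the "decimal encoded" variant mentioned for Example 5-2) before applying the same rule. The rule pattern, the decode-round limit and all sample parameter values are constructed for the illustration.

```python
"""Canonicalize a request parameter before applying a WAF rule.

Added example (not from the book): the naive rule matches the literal
"../" or "/etc/passwd" from Example 5-1 and is bypassed by encoded
variants; the hardened check decodes to a canonical form first.
"""
import html
import re
from urllib.parse import unquote

# Constructed sample rule: the literal-string check a preset WAF rule
# might use for the traversal attempt shown in Example 5-1.
TRAVERSAL_RE = re.compile(r"(\.\./|/etc/passwd)", re.IGNORECASE)

# Assumed limit on nested decodings, so pathological inputs cannot keep
# the decoder busy; real WAFs pick a similar small fixed bound.
MAX_DECODE_ROUNDS = 3


def canonicalize(value: str) -> str:
    """Undo percent-, HTML/decimal-entity and \\xHH / \\uHHHH escapes
    repeatedly until the value stops changing (or the round limit hits),
    then fold backslashes to forward slashes."""
    prev = None
    for _ in range(MAX_DECODE_ROUNDS):
        if value == prev:
            break
        prev = value
        value = unquote(value)        # %2e%2e%2f  -> ../   (one percent layer)
        value = html.unescape(value)  # &#46;&#46;&#47; -> ../ (decimal entities)
        value = re.sub(r"\\x([0-9a-fA-F]{2})",
                       lambda m: chr(int(m.group(1), 16)), value)
        value = re.sub(r"\\u([0-9a-fA-F]{4})",
                       lambda m: chr(int(m.group(1), 16)), value)
    return value.replace("\\", "/")


def naive_rule_blocks(value: str) -> bool:
    """The bypassable check: pattern applied to the raw parameter value."""
    return bool(TRAVERSAL_RE.search(value))


def hardened_rule_blocks(value: str) -> bool:
    """The same pattern applied after canonicalization."""
    return bool(TRAVERSAL_RE.search(canonicalize(value)))


if __name__ == "__main__":
    # Constructed sample values for the `file` parameter of Example 5-1.
    samples = [
        "/../etc/passwd",                        # plain, as in Example 5-1
        "%2F%2E%2E%2Fetc%2Fpasswd",              # percent-encoded
        "&#47;&#46;&#46;&#47;etc&#47;passwd",    # decimal entity encoded
        "%252e%252e%252fetc%252fpasswd",         # double percent-encoded
        "report.pdf",                            # benign
    ]
    for s in samples:
        print(f"{s:40} naive={naive_rule_blocks(s)!s:5} "
              f"hardened={hardened_rule_blocks(s)!s:5} "
              f"canonical={canonicalize(s)}")
```

Only the plain payload trips the naive rule; every encoded variant is caught once the value is canonicalized, and the benign filename passes both. Two caveats for anyone adapting this: `html.unescape` will also rewrite legitimate `&name;`-looking fragments, so decode each parameter value separately rather than the whole query string, and decoding must stop at a fixed bound or a crafted input can force unbounded work.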

Example 5-1. Original URL

http://www.example.com/test?file=/../etc/passwd

Example 5-2. Obfuscated payload

Decimal Encoded: http://www.example.com/test?file=/et ...
