Hiding Scripts With PHP


ThePsion5

I was thinking about the problem of using client-side Javascript Encryption without the website user being able to see and potentially decode how it works, and I have an interesting idea on how to make it much more difficult (though not impossible, sadly) to find and view said code, and should deter all but the most dedicated of code-stealers, lol.

Why not use a referrer+time based seed with any of the common PHP encryption functions to keep any unauthorized sources from viewing your javascript code? It could be implemented like so:

Use this in the head section of your html/php pages to include any needed JavaScript:

<?PHP
$minute = floor(time()/3600);   //Current time window (time()/3600 advances once per hour)
$seed = md5($_SERVER['PHP_SELF'] . $minute);
print '<script type="text/javascript" src="js/protected.js?seed=' . $seed . '"></script>';
?>

Then, in the protected.js file, you would include code like this:

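<?PHP
function isValidReferrer($seed){
  $ValidSeeds = array();
  //Path of the referring page, so it matches the PHP_SELF value used to build the seed
  $Referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
  $Page = parse_url($Referer, PHP_URL_PATH);
  $Minutes[] = floor(time()/3600);   //Current time window (advances once per hour)
  $Minutes[] = $Minutes[0]-1;        //The previous window
  $ValidSeeds[] = md5($Page . $Minutes[0]);
  $ValidSeeds[] = md5($Page . $Minutes[1]);
  //Strict comparison, so two different "0e..." hashes are never treated as equal numbers
  return in_array($seed, $ValidSeeds, true);
}
if(isValidReferrer($_GET['seed'])){
  //print the scripts
}else{
  //say something mean and threatening to them :D
}
?>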

Granted, it'd be some extra overhead for a server with high-traffic, but if you really want to keep your javascript secure then it might be a good idea. You could further spice it up by adding your own seed, cookie information, and the like. Any input? It seems like an interesting idea if you don't mind the extra server overhead.

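The post's suggestion of "adding your own seed", written out as an added example (not the poster's code): the token is an HMAC over the page path and time window under a server-side key, so it cannot be recomputed from the page path and the clock alone. SEED_KEY, WINDOW_SECONDS, the function names and the sample request are hypothetical.

```php
<?php
// Added example, not code from the thread. SEED_KEY is a constructed
// placeholder; in practice it is a random value kept only on the server.
const SEED_KEY = 'replace-with-random-server-side-secret';
const WINDOW_SECONDS = 60;

// Token for one page path in one time window, keyed with the server secret.
function makeSeed(string $pagePath, int $window): string
{
    return hash_hmac('sha256', $pagePath . '|' . $window, SEED_KEY);
}

// Path component of the Referer header, or '' when it is missing or malformed.
function refererPath(?string $referer): string
{
    $path = parse_url((string) $referer, PHP_URL_PATH);
    return is_string($path) ? $path : '';
}

// Accept the current and the previous window, as the original post does.
function isValidSeed(string $seed, ?string $referer, int $now): bool
{
    $path = refererPath($referer);
    if ($path === '') {
        return false;
    }
    $window = intdiv($now, WINDOW_SECONDS);
    foreach ([$window, $window - 1] as $w) {
        // hash_equals compares in constant time and never type-juggles
        if (hash_equals(makeSeed($path, $w), $seed)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: /index.php issues a seed, then the browser requests
// protected.js with that seed and a Referer header.
$issuedAt = 1700000000;
$seed = makeSeed('/index.php', intdiv($issuedAt, WINDOW_SECONDS));
$referer = 'http://example.test/index.php?x=1';

var_dump(isValidSeed($seed, $referer, $issuedAt + 30));    // within the window
var_dump(isValidSeed($seed, $referer, $issuedAt + 300));   // window has passed
// Unkeyed md5 of path and window, as in the original scheme, is rejected
var_dump(isValidSeed(md5('/index.php' . intdiv($issuedAt, 60)), $referer, $issuedAt));
```

The token only gates direct requests for protected.js; any browser that loads the page itself still receives the script.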

Sounds interesting and like it would be difficult to crack. Just a couple questions.

1. How do you include PHP code in a .js file?
2. When you call isValidReferer you send 2 parameters but in the function definition it only takes 1 parameter...is this a typo?


1. You can use server settings to parse a file with any type of extension - adding .js to the list of extensions to look for PHP tags in is as simple as adding a few characters (for Apache at least, I know you can do the same on other servers as well)
2. Whoops. Corrected now. :)


Sadly, the only server I have that runs PHP at the moment is my laptop. :) I think I can give you some estimates on the time it would take, however:

Assuming the attacker knew nothing about the seed, it would be nigh-impossible to crack without brute-forcing every MD5 combination (16^36 attempts on average). If they faked the HTTP_REFERER then they would still need to figure out that it was being used with a seed. Assuming they did that and made the following assumptions and could run all their attacks within one minute:

1. The seed is an integer less than 3600: (24*60)/2 = 720 average
2. The seed is an integer less than 10 digits: ((10^10)-721)/2 = 4,999,999,639 average
3. The seed is any string less than 10 digits: ((129^10)-721)/2 = 638,068,209,558,560,809,240 average (Muahahaha! :) )

If they try to brute force the MD5 function, it would take (129^32) = Some large number I can't translate, lol

If they can't run all of their attacks in a minute, then divide those numbers by the percentage of the attack they can complete in one minute...so if the attacker could only run 10% of the attacks, multiply the average attempts by 10. Basically, it becomes less and less likely the longer they take.


Oh it's possible to crack absolutely everything. Some things would just take long enough to a point where no single person could solve it in the time they would be alive. (Or they would fry their brain :))
