Copyright © 2011 Elsevier Inc. All rights reserved.
Copyright
Acquiring Editor: Rachel Roumeliotis
Development Editor: Matthew Cater
Project Manager: Danielle S. Miller
Designer: Alisa Andreola
Syngress is an imprint of Elsevier
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Heiderich, Mario.
Web application obfuscation / Mario Heiderich [et al.].
p. cm.
Includes bibliographical references.
ISBN 978-1-59749-604-9 (pbk.)
1. Internet programming. 2. Computer security. 3. Web site development. 4. Application software, Development. 5. Cryptography. I. Title.
QA76.625.H46 2010
005.8 dc22 201004209
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-604-9
Printed in the United States of America
10 11 12 13 14  10 9 8 7 6 5 4 3 2 1
For information on all Syngress publications visit our website at www.syngress.com
Acknowledgments
Mario Heiderich
First I would like to thank my coauthors, for giving me the chance to participate in this awesome project, and especially Eduardo, who asked me some months ago if I was interested in this exciting venture. I had no time at all, neither then nor in the weeks and months that followed, but I could not say no!
Thanks to my friends, coworkers, and team partners in Cologne, Bochum, India, New York, and around the world, who constantly had to listen to my gibberish about this book, eccentric JavaScript vectors, markup obfuscation, and breaking filters. I hope it was not too tedious, and I'm sorry if I broke your filters and protection mechanisms all the time. I know well enough that developing Web sites is a terrible job. Special thanks go to Markus, Johannes, and Arno. Thanks also to Jacek for the same things mentioned earlier; it was always a pleasure working with you.
Same for Dr. Girlfriend: you had to bear with me drifting away to obfuscation land often enough. I hope I can stress your patience with that for some more years and God bless the dress! Thanks a lot for being there and for being awesome.
Thanks go also to the sla.ckers.org users who contributed knowledge and helped discover the fun in browser and Web security, stole my precious time with amazing contests, and helped me as well as the whole team to advance and gain more insight into the quirky browser world day by day. Edward, Dave, Adam, Arshan, and others, you have written and continue to write nice filters. I'm sorry for breaking them now and then. Many thanks go to Roberto Salgado for helping with the SQL chapter.
Last but not least, thanks to my family and, especially, to my baby brother, who understood nonalphanumeric JavaScript obfuscation in half an hour and even helped me shorten a vector for a challenge by one character, without even knowing JavaScript.
And now: motor sports!
Eduardo Alberto Vela Nava (a.k.a. sirdarckcat)
First I would like to thank my wife, Zheng Yi, who followed me all the way from China to share her life with me on the other side of the world; my mother and mi abuelita for always supporting me to do what I like; and all my friends and family for being there when I needed them.
I would also like to thank my colleagues and friends at Google and Alibaba for allowing me to learn so much from them, as well as the place that made me love security, elhacker.net. Thank you all.
Gareth Heyes
First I would like to thank my wife, Samantha, for her patience while I wrote this book, and for always being there. You are truly my inspiration every day. I would also like to thank my beautiful little girl, Chloe, for making me watch Shrek a million times (I never got bored) and lighting up our world.
I would like to thank Eduardo, Mario, and David for allowing me to work with them on this book and for being generally awesome.
Finally, I would like to thank the slackers and security community for finding and posting brilliant research, Dave Ross for taking a chance on me and building great things, and Manuel Caballero for being the most innovative and brilliant colleague I've ever worked with.
David Lindsay
Thanks to Eduardo, Mario, and Gareth for being great to work with on this book, and for being awesome friends in general. Thanks to Romain Gaucher, Mike Cooper, Jayson Christianson, John Pursglove, and many other former and current colleagues for teaching me almost everything I know about security. Thanks to my parents, Jim and Kathryn, for teaching me how to think critically and embrace who I am. Finally, thanks to my family, Tina and Lydia, for their patience, understanding, and continuous support, and for making it all worth it.
Thanks to all the sla.ckers (wisec, billy rios, kuza55, lever one, reiners, yosuke hasegawa, giorgio maone, cabala, rsnake, dross, and everyone else we may have forgotten to mention) for sharing so much in a public forum for everyone to learn from.
About the Authors
Mario Heiderich is a Cologne, Germany-based freelancer and entrepreneur who is devoted to Web application development and security and is currently working on several projects while earning his Ph.D. at Ruhr University in Bochum. He graduated from the University of Applied Sciences in Friedberg/Hessen with a degree in media informatics, and has been working for several German and international companies as a developer and security consultant. In addition to being lead developer for the PHPIDS and author of a German book about Web application security, he has been a speaker at several conferences and a trainer for Web security classes around the world. His work is focused on client-side attacks and defense, especially markup, CSS, and JavaScript, on all major user agents.