Source code obfuscation techniques

What is obfuscation?

Obfuscation in IT refers to all the methods aimed at altering the readability and understanding of part of a source code without changing how it works.

Application protection through obfuscation...

Obfuscation can be used as a tool to protect an application in production against "reverse engineering", i.e. the possibility for an external user to understand the source code in order, for example, to exploit potential vulnerabilities.

For this purpose, variable names can be replaced with characters such as the underscore "_" so that they give no information about their purpose.

... but also a malicious tool used by hackers

However, these techniques can also be used for malicious purposes. In web application security, obfuscation makes it possible to bypass certain restrictions, whether they are security mechanisms implemented directly in the source code or web application firewalls.

Obfuscation is therefore a double-edged tool, as effective at protecting an application as at attacking one.



What is the difference between a normal attack and an obfuscated attack?

1. Normal attack

[Figure: Standard attack]

In a normal attack, the attacker simply sends an attack targeting the company's server, such as a command injection. The web application firewall analyzes the request and detects the attack.

Since the request is not legitimate, the user cannot reach the server and the attack attempt is recorded in a log.

2. Obfuscated attack

[Figure: Obfuscated attack]

In this second example, the attacker sends the same attack, but obfuscated (using the techniques described below) so that the detection algorithms cannot draw any reliable conclusion.

Here, the web application firewall, not being designed to detect obfuscation, lets the attack through, and the server may be compromised because the firewall is unable to distinguish a legitimate request from a malicious one.



What are the different types of obfuscations?

Multiple obfuscation techniques exist and differ from one language to another:

[Figure: Code obfuscation, which language?]

1. Double encoding

In a web request (HTTP request), each character corresponds to a number that can be written in hexadecimal and represented as %XX, where XX is that number in hexadecimal; for example, %2F represents the "/".

To evade some filters, the "%" sign itself can be encoded (as %25), so the "/", which is %2F once encoded, becomes %252F when double-encoded.

A double-encoded value can itself be encoded again, which is called multi-encoding; this is used to exploit Directory Traversal flaws.

For such a vulnerability to be exploitable, the backend must of course decode the value the same number of times (multi-decoding).

2. Base64 encoding

Base64 represents arbitrary bytes using 64 printable characters (A-Z, a-z, 0-9, "+" and "/", with "=" as padding), so a payload encoded this way no longer contains any of the characters or keywords that a filter written against the plain text expects to see.

3. Properties of a language

Other means of obfuscation exist, sometimes made possible directly by a language's own features; one example is JavaScript and its atomic building blocks.

This obfuscation technique uses only six characters: [, ], (, ), ! and +, and can transform JavaScript code into a script that is incomprehensible to a human.

To obtain the single letter "d", it is necessary to write ([][[]]+[])[!+[]+!+[]], so code exploiting an XSS can easily reach more than 20,000 characters.



How does R&S®Cloud Protector protect against obfuscation?

To avoid being fooled, R&S®Cloud Protector uses normalization engines to identify obfuscation techniques before starting its analysis.

The engines used by R&S®Cloud Protector can be invoked recursively and can therefore undo multiple layers of encoding.

The obfuscated parts of a request are thus decoded, analyzed and passed to the appropriate security engines depending on the attack pattern encountered.

Request your 14-day free trial

It takes only 60 seconds to protect your websites and applications.
What are you waiting for?