Secure data in JavaScript

Published 2019-07-02 19:23

Question:

I have to create a generator for web tests (using HTML and JavaScript). The test has to work offline and online.

Correct answers and score evaluation must be part of the generated test. Only the final user's score is then sent to the server (evaluation cannot be done on the server, and the server knows nothing about the questions; it only saves the final score).

Is there any way to have the correct answers as part of the test and not allow the user to easily find them using Firebug?

Answer 1:

There's no really good solution to your problem. The only thing you can do is minify or encrypt your JavaScript to make it hard to read, and use weird variable names.

You can't ever hide it completely, because the browser itself has to interpret it, and that way a human can always decrypt and manipulate it (using Firebug like you said, for example).

The best way would be to rebuild the whole thing to not rely on secure data in client-side code. I know you said it's not possible, but I'm sure it is. Maybe it's complicated, but it's the only really secure way.

EDIT:
I forgot you said it has to work offline. In that case I agree that client-side code is the way to go... As said, your only way is encryption/minification then, and hoping no one is motivated enough to work through that ugly code.



Answer 2:

I think you can take a look at this JavaScript encryption utility.

AFAIK, when you send any data to the client, the data is there and can be seen. If it's obfuscated, it can be easily tampered with. If it's encoded, it can be decoded. However, if it's encrypted, then for the decryption process you need the appropriate key. Now, if you've used symmetric encryption, then the key is on your server, which means that you still need the server to exist in your design, which is against your requirements:

Tests has to work offline

If you use asymmetric encryption, then you send the public key alongside your sent message. This means that the key is there, at the client side, ready to be used for decrypting the data.

Thus, as much as you want to work on the client only, there seems to be no rigid way to do that.



Answer 3:

Depends on your meaning of 'easily'. If I do 'View Source' and see 'answer1="monkey";answer2="dog"', then that's very easy, but beyond the knowledge of some people. If I do 'View Source' and see 'answer1="axdfgja"', then I'm going to spend a couple of seconds trying to decode it (rot13?) and then look for the JavaScript code that does it. Again, beyond the knowledge of some people.

Doubtless there are obfuscation techniques that are beyond my knowledge (he said modestly), but nothing can be done by the client that can't be done by the user. If you are working offline, then this is obfuscation and not encryption. Similar systems written in C and assembly (and thus needing a bit more hard work to figure out) have been cracked.

So it all depends on how much effort and skill you think your users will put into breaking it.



Answer 4:

JavaScript is executed on the client side. Completely.

Even if you employ code obfuscators, encryption utilities and the like, at the end of that there's eval(), which can be substituted with document.write(), and your precious secrets aren't that secret any more.

There are code minifiers like jscompress that shrink your code to make it smaller, but eventually the uncompressed code is fed to eval(). At that point, someone really determined to read and understand your secret code could put a breakpoint there and retrieve the uncompressed code.