Login Papers Register

Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!

<< previous next >>

A Methodology for Assessing JavaScript Software Protections

Pedro Fortuna

0 vote(s)

JavaScript is a highly dynamic language. At runtime, functions, and event handlers can be redefined. New code can be parsed and executed. While these properties offer a lot of flexibility, they are a nightmare when it comes to security. First, they are powerful weapons for an adversary. But they also make building tamper-resistant and obfuscation techniques a lot harder. As a result, determining if a given protection is strong or weak is a daunting task for an application developer or security practitioner.

In this talk, we explore the peculiarities of protecting JavaScript and how it differs from protecting native code. We then dive into a couple of protected JavaScript examples and demonstrate different attacking techniques e.g. partial evaluation - and investigate their potential for reverse engineering and tampering. We’ll go through different tamper-resistant and obfuscation techniques and test their resilience against modern reverse engineering techniques.

We’ll propose a methodology to help security practitioners evaluateJavaScript code protection. The need to assess software protections has been recently recognized by the OWASP Mobile Security Testing Guide. We provide pointers on what to look on JavaScript code protection, what real value you can get from it, when it makes sense to use and when it doesn’t.

Expect a highly technical talk, with several demos, including live reverse engineering of protected JavaScript. In the end, you will have learned how to assess the value of available JavaScript code protection techniques.


Pedro Fortuna is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade of experience researching and working in the application security area. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences but also contributes on web development events. His research interests lie in the fields of Application Security, Reverse Engineering and Malware and Software Engineering. Author of several patents in application security.

Some conferences as Speaker:

- OWASP AppSec EU 2018
- BSides San Francisco 2018
- BSides Austin 2018
- SecAppDev Course Leuven 2018
- OWASP AppSec USA 2017
- BSides Lisbon 2017
- OWASP AppSec California 2017