
A Cure for the Obscure: JavaScript Deobfuscation

As a security researcher at PerimeterX and HUMAN, I analyze digital skimming and Magecart attacks against some of the largest websites across the globe. I have collected many deobfuscation methods over the years, and I recently joined them together to create a new JavaScript deobfuscation tool on GitHub called REstringer. It is also available as an online tool.
What is Obfuscation?
Obfuscation is the process in which code becomes less clear, to the point of being unreadable.
Obfuscation is often used by code authors to protect their intellectual property or prevent tampering. Cybercriminals also use obfuscation as a way to hinder investigations into their attacks.
Security researchers often come across obfuscated attacks, which they have to first deobfuscate in order to investigate fully. There are many online deobfuscation tools, but none of them is a comprehensive solution. This leaves a lot of work to do manually.
How Does REstringer Help?
REstringer automates the deobfuscation process to minimize the need for manual intervention. It does this by analyzing the code’s syntax and detecting obfuscation structures within it. Once a structure is detected, REstringer resolves the obfuscated code snippet and restores the string to its original value.
The REstringer open source release consists of three separate tools, each building on the previous ones:
- flAST is a tool for analyzing and modifying code by its syntactic structure.
- Obfuscation Detector, true to its name, detects obfuscation in code by searching for known obfuscation structures.
- REstringer identifies and resolves generic and specific obfuscation structures back into their original string representations.
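The detect-then-resolve idea described above, as an added example that is not REstringer's code and not from the original post: it handles one structure, a string array read by numeric index, and uses regular expressions instead of a syntax tree to stay dependency-free. The function names and the sample input are constructed for illustration.

```javascript
// Added example (not REstringer code): a regex stand-in for a syntax-tree pass.
const STR = String.raw`'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"`; // one JS string literal
// Structure to detect: <var|let|const> NAME = ['lit', "lit", ...];
const ARRAY_DECL = new RegExp(
  String.raw`\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*` +
  String.raw`\[\s*((?:${STR})(?:\s*,\s*(?:${STR}))*)\s*\]\s*;?`);

// Decode a quoted literal without eval: \xHH, \uHHHH, \n \t \r, escaped chars.
function decodeLiteral(lit) {
  const named = { n: '\n', t: '\t', r: '\r' };
  return lit.slice(1, -1).replace(
    /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|(.))/gs,
    (_, x, u, ch) => (x || u)
      ? String.fromCharCode(parseInt(x || u, 16))
      : (ch in named ? named[ch] : ch));
}

function resolveStringArray(code) {
  const decl = ARRAY_DECL.exec(code);
  if (!decl) return { resolved: false, reason: 'no string array found', code };
  const [whole, name, body] = decl;
  const values = body.match(new RegExp(STR, 'g')).map(decodeLiteral);
  const rest = code.slice(0, decl.index) + code.slice(decl.index + whole.length);
  const id = name.replace(/\$/g, '\\$&');
  const anyUse = new RegExp(String.raw`(?<![\w$.])${id}(?![\w$])`, 'g');
  // NAME[<int>] reads only; a plain assignment to an element is excluded.
  const read = new RegExp(
    String.raw`(?<![\w$.])${id}\[\s*(\d+)\s*\](?!\s*=[^=])`, 'g');
  const reads = [...rest.matchAll(read)];
  // Bail out if the array is used any other way (passed to a function that
  // reorders it, aliased, written to): substitution would give wrong strings.
  if ((rest.match(anyUse) || []).length !== reads.length ||
      reads.some((m) => Number(m[1]) >= values.length)) {
    return { resolved: false, reason: 'array aliased, mutated or out of range', code };
  }
  const out = rest.replace(read, (_, i) => JSON.stringify(values[Number(i)]));
  return { resolved: true, code: out.trim() };
}

// Constructed sample input.
const SAMPLE = String.raw`var _0x3f = ['\x68\x72\x65\x66', 'length', "\u0075serAgent"];
var u = location[_0x3f[0]];
var n = u[_0x3f[1]];
var a = navigator[_0x3f[2]];`;

console.log(resolveStringArray(SAMPLE).code);
```

The literals are decoded rather than evaluated, so nothing from the analyzed sample is ever executed.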
Who Can Use REstringer?
Anyone! But it’s probably most useful to security professionals. This includes:
- Security researchers investigating suspicious code
- Incident responders investigating a digital skimming or other client-side attack
- JavaScript developers looking into obfuscated third-party code
- JavaScript and obfuscation enthusiasts who want to learn more
*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2022/a-cure-for-the-obscure-javascript-deobfuscation/