[ale] source code

Mike Harrison cluon at geeklabs.com
Sun Nov 14 19:05:31 EST 2010


On Sun, 14 Nov 2010, Terry Bailey wrote:

> If you are writing dynamic web pages using cgi and Perl, is there any
> way to set a flag so that the generated source code is not viewable?

If you mean so the generated HTML is not easily readable,
there are all kinds of schemes where encoded junk is delivered to a 
browser and then a piece of JavaScript decodes it in the browser..
and you can usually use a web developer tool to see the plain text
HTML afterwards if plain "view source" doesn't work.

A lot of JavaScript is often "encoded" in one scheme or another,
and that is often a sign of hidden payloads or really bad things done in 
code you don't want to see.

As for code on the server: You used to be able to "compile" perl,
but last time I tried it (a couple of years ago) that has been 
depreciated. Besides, it did not work well in some cases.

I'm not sure what is currently available for Perl, but I am currently
using IonCube to encode/obfuscate some PHP. In my case it works better 
than Zend's solution because it allows installing on a newer PHP version 
then Zend's if you don't use the newer commands. It required a module 
loaded on the server to decode it on the fly. Reportedly it's fairly
easy to "decode", but it allows me to deploy some code in a semi-hostile
environment where it keeps the young-turks from messing with it easily.
It's like keeping your door locked. Easy to bypass, but you can yell to 
the authorities they broke in.

there are also bad things like:

http://liraz.org/obfus.html

and discussions like:

http://www.perlmonks.org/?node_id=832511







More information about the Ale mailing list