Digital Skimming and Magecart

A Cure for the Obscure: JavaScript Deobfuscation

by
A Cure for the Obscure: JavaScript Deobfuscation

As a security researcher at PerimeterX and HUMAN, I analyze digital skimming and Magecart attacks against some of the largest websites across the globe. I have collected many deobfuscation methods over the years, and I recently joined them together to create a new JavaScript deobfuscation tool on GitHub called REstringer. It is also available as an online tool.

What is Obfuscation?

Obfuscation is the process in which code becomes less clear, to the point of being unreadable.

Obfuscation is often used by code authors to protect their intellectual property or prevent tampering. Cybercriminals also use obfuscation as a way to hinder investigations into their attacks.

Security researchers often come across obfuscated attacks, which they have to first deobfuscate in order to investigate fully. There are many online deobfuscation tools, but none of them is a comprehensive solution. This leaves a lot of work to do manually.

How Does REstringer Help?

REstringer automates the deobfuscation process to minimize the need for manual intervention. This is achieved by analyzing the code’s syntax and detecting obfuscation structures within. Once detected, REstringer resolves the obfuscated code snippet and restores the string back to its original value.

The REstringer open source release consists of three separate tools, each building on the previous ones:

  1. flAST is a tool for analyzing and modifying code by its syntactic structure.
  2. Obfuscation Detector, true to its name, detects obfuscation in code by searching for known obfuscation structures.
  3. REstringer identifies and resolves generic and specific obfuscation structures back into their original string representations.

Who Can Use REstringer?

Anyone! But, it’s probably most useful to security professionals. This includes:

  • Security researchers investigating suspicious code
  • Incident responders investigating a digital skimming or other client-side attack
  • JavaScript developers looking into obfuscated third-party code
  • JavaScript and obfuscation enthusiasts who want to learn more about obfuscation and JavaScript

Knowledge-sharing is Power

Sharing knowledge and resources is one of the security community’s strengths and driving forces. Recognizing this, PerimeterX and HUMAN have made REstringer publicly available as an open source and online tool. Since its release last week, the tool has been well received by security professionals and obfuscation enthusiasts alike!

We at PerimeterX and HUMAN are always excited to share insights from the cutting edge of threat research. It’s what makes our network effect so powerful. Learn more about PerimeterX Code Defender to see how you can stay protected from digital skimming, Magecart, supply chain attacks and other client-side threats.

Want to nerd out with me? Check out my tech blog post to get all the technical details on my whys and hows in creating REstringer, the design decisions and the process through which I’m adding new capabilities to the tool.

Forrester Report

PerimeterX Named a Leader in the Forrester Wave™: Bot Management, Q2 2022

Download Report
© PerimeterX, Inc. All rights reserved.