A Cure for the Obscure: JavaScript De-obfuscation

As a security researcher at HUMAN, I analyze digital skimming and Magecart attacks against some of the largest websites across the globe. I have collected many de-obfuscation methods over the years, and I recently joined them together to create a new JavaScript de-obfuscation tool on GitHub called REstringer. It is also available as an online tool.

What is Obfuscation?

Obfuscation is the process of transforming code to make it less clear, to the point of being unreadable.

Obfuscation is often used by code authors to protect their intellectual property or prevent tampering. Cybercriminals also use obfuscation as a way to hinder investigations into their attacks.

Security researchers often come across obfuscated attacks, which they have to first de-obfuscate in order to investigate fully. There are many online de-obfuscation tools, but none of them is a comprehensive solution. This leaves a lot of work to do manually.

How Does REstringer Help?

REstringer automates the de-obfuscation process to minimize the need for manual intervention. This is achieved by analyzing the code’s syntax and detecting obfuscation structures within. Once detected, REstringer resolves the obfuscated code snippet and restores the string back to its original value.

The REstringer open source release consists of three separate tools, each building on the previous ones:

  1. flAST is a tool for analyzing and modifying code by its syntactic structure.

  2. Obfuscation Detector, true to its name, detects obfuscation in code by searching for known obfuscation structures.

  3. REstringer identifies and resolves generic and specific obfuscation structures back into their original string representations.
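
The detect-then-resolve flow described in this section, as an added example that is not part of the original post and is not REstringer's own code. It assumes one common structure the post does not name (a string array read through constant indexes) and uses regular expressions as a stand-in for syntax-tree analysis; `resolveStringArray`, `decodeLiteral` and the sample input are hypothetical names constructed for illustration.

```javascript
// Added example, not REstringer's code. Regexes stand in for real syntax-tree
// analysis, so references inside comments or strings are not told apart here.
const STR = String.raw`'(?:[^'\\\n]|\\.)*'|"(?:[^"\\\n]|\\.)*"`;
const DECL = new RegExp(
  `\\b(?:var|let|const)\\s+([A-Za-z_$][\\w$]*)\\s*=\\s*\\[\\s*` +
  `((?:${STR})(?:\\s*,\\s*(?:${STR}))*)\\s*\\]\\s*;?[ \\t]*\\n?`);

// Decode a quoted literal's escapes statically; the sample is never eval'd.
function decodeLiteral(lit) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', 0: '\0' };
  return lit.slice(1, -1).replace(
    /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (_, x, u, c) => ((x || u) ? String.fromCharCode(parseInt(x || u, 16)) : (simple[c] ?? c)));
}

// Detect one string-array declaration and inline its constant-index reads.
function resolveStringArray(code) {
  const decl = DECL.exec(code);
  if (!decl) return { resolved: false, reason: 'no string-array declaration', code };
  const [whole, name, body] = decl;
  const values = body.match(new RegExp(STR, 'g')).map(decodeLiteral);
  const rest = code.slice(0, decl.index) + code.slice(decl.index + whole.length);
  const id = `(?<![\\w$.])${name.replace(/\$/g, '\\$&')}`;
  const anyRef = new RegExp(`${id}(?![\\w$])`, 'g');
  // A safe reference is NAME[<integer>] not followed by an assignment or update
  // operator (conservative: ">=" and "<=" after a read also count as unsafe).
  const readRef = new RegExp(
    `${id}\\[(0x[0-9a-fA-F]+|\\d+)\\](?!\\s*(?:[-+*/%&|^<>?]*=(?!=)|\\+\\+|--))`, 'g');
  const reads = [...rest.matchAll(readRef)];
  const safe = reads.length === (rest.match(anyRef) || []).length &&
    reads.every((m) => Number(m[1]) < values.length);
  // Aliased, mutated or rotated arrays need real evaluation: leave code untouched.
  if (!safe) return { resolved: false, reason: 'array is not read-only', code };
  const out = rest.replace(readRef, (_, i) => JSON.stringify(values[Number(i)]));
  return { resolved: true, code: out };
}

// Constructed sample: hex-escaped strings hidden behind array lookups.
const SAMPLE = [
  "var _0xa = ['\\x63\\x6f\\x6f\\x6b\\x69\\x65', 'log', 'it\\'s'];",
  "console[_0xa[0x1]](document[_0xa[0]], _0xa[2]);",
].join('\n');
console.log(resolveStringArray(SAMPLE).code);
```

When the array is passed to another function or written to, the function returns the input unchanged with a reason, which is the point at which a regex approach stops and syntax-aware tooling is needed.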

Who Can Use REstringer?

Anyone! But it’s probably most useful to security professionals. This includes:

  • Security researchers investigating suspicious code
  • Incident responders investigating a digital skimming or other client-side attack
  • JavaScript developers looking into obfuscated third-party code
  • JavaScript and obfuscation enthusiasts who want to learn more about obfuscation and JavaScript

Knowledge-sharing is Power

Sharing knowledge and resources is one of the security community’s strengths and driving forces. Recognizing this, HUMAN has made REstringer publicly available as an open source and online tool. Since its release last week, the tool has been well received by security professionals and obfuscation enthusiasts alike!

We at HUMAN are always excited to share insights from the cutting edge of threat research. It’s what makes our network effect so powerful. Learn more about HUMAN Code Defender to see how you can stay protected from digital skimming, Magecart, supply chain attacks and other client-side threats.