Information about Building is scattered across the web, so I compiled this guide for reference.

Want to learn advanced techniques? Check out our premium courses.

正文

Building MirageVM: A JavaScript Virtual Machine for Code Obfuscation

Modern web applications face a persistent challenge: automated attacks that bypass traditional security measures. Captcha farms and AI-powered tools have made it increasingly difficult to distinguish between legitimate users and malicious bots. Services like

can solve a lot of commercially available captchas, while AI tools enable sophisticated scripts to interact with web pages in ways that mimic human behavior or even solve captchas as well.

While the response was increasing captcha challenge complexity, these often frustrate legitimate users without effectively stopping determined attackers. The escalating arms race between security measures and bypass techniques has led many to seek alternative approaches.

Google’s captcha implementation is interesting: they employ a custom JavaScript virtual machine to obfuscate their captcha logic. Instead of shipping readable JavaScript code, they send bytecode that executes within a custom VM. This technique hides the actual implementation behind a layer of abstraction, making reverse engineering significantly more challenging.

The concept of building a VM excited me enough to try building something similar. What started as a “proof of concept” experiment quickly evolved into a multi-month project.

A JavaScript virtual machine for obfuscation works by replacing standard JavaScript with custom bytecode. Instead of sending readable code to the browser, you ship low-level instructions that only your custom VM can execute. Each high-level operation might require multiple VM instructions, similar to how a single line of C code translates to multiple assembly instructions.

This approach creates several layers of protection. First, attackers must understand how the VM interprets bytecode, which is heavily obfuscated. Second, they need to reverse-engineer the instruction set. Finally, they must map low-level operations back to high-level logic. It’s like trying to understand a program by reading assembly code, except this language and its runtime are entirely custom and undocumented.

GLOBAL R0 // Load globalThis object into register R0

GET R0, R0, "Date" // Access the Date property from globalThis

EXEC R1, R0, "now" // Invoke the now method from Date object

This low-level approach increases the complexity of reverse-engineering efforts, as attackers must decipher multiple instructions to understand even basic functionality.

At its core, MirageVM is a state machine that reads and executes bytecode instructions. The implementation follows traditional CPU architecture patterns, featuring registers for data storage and a stack for managing function calls and local variables.

The VM maintains its state through several core components:

: Array of bytecode instructions loaded into the VM

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

That's all for this comprehensive guide. I hope you found it helpful! Feel free to leave comments if you have questions.

Reference: Building MirageVM: A JavaScript Virtual Machine for Code ...

While working on frontend security projects, I encountered Guide: - here's what I learned.

Ready to learn more? Subscribe to our newsletter for weekly tutorials and tips.

正文

# Guide: How to Obfuscate Javascript Code. Obfuscating client side JavaScript code is an essential step in safeguarding your application from these threats. By transforming the code into a less human-readable form, obfuscation makes it significantly more difficult for attackers to analyze, tamper with, or exploit. JavaScript obfuscation is the process of transforming client-side JavaScript code into a format that is difficult for humans to understand while still being executable by browsers. Obf

In modern web development, Guide: has become increasingly important. Developers need to understand the security implications and best practices.

When implementing Guide:, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around Guide: continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

Due to length constraints, I'll wrap up here. More practical examples coming soon. Leave a comment if you have questions!

Reference: Guide: How to Obfuscate Javascript Code - Digital.ai

There's been a lot of discussion about The in developer communities lately, so I wanted to share my perspective.

Found this helpful? Share it with your team and leave a comment below!

正文

Modern security in a single platform. Secure your code as it's written. Fix and secure AI-generated code. # The security concerns of a JavaScript sandbox with the Node.js VM module. You might think building it on-top of Node.js VM module is a viable way to create a JavaScript sandbox. ## The Node.js VM module. At first, this might trigger you to the `eval` JavaScript function, which is a known security risk, but is the Node.js VM module safer? In the above code snippet, user originated input of

In modern web development, The has become increasingly important. Developers need to understand the security implications and best practices.

When implementing The, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around The continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

This article was first published on JSVMP Blog. Reposting with attribution is welcome.

Reference: The security concerns of a JavaScript sandbox with the Node.js VM module | Snyk

There's been a lot of discussion about [AskJS] in developer communities lately, so I wanted to share my perspective.

Want to learn advanced techniques? Check out our premium courses.

正文

Frontend code runs on the user device and can never be trusted. Everything important needs to be done on the server side, be it authentication,

In modern web development, [AskJS] has become increasingly important. Developers need to understand the security implications and best practices.

When implementing [AskJS], there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around [AskJS] continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

That's all for this comprehensive guide. I hope you found it helpful! Feel free to leave comments if you have questions.

Reference: [AskJS] Why is there a reputation that JavaScript isn't "secure" for ...

最近在写项目的时候正好涉及到Jscrambler，顺手整理了一下相关资料。

Want to learn advanced techniques? Check out our premium courses.

正文

# Jscrambler 101 -反调试。欢迎回到Jscrambler 101 ！关于如何使用Jscrambler保护JavaScript的一系列教程。本教程是关于* *反调试转换* * ，涵盖Jscrambler 8.3版。我们将探索Anti-Debugging ，这是8.3版发布的新Jscrambler功能。反调试功能通过激活阻止任何反向工程尝试的防御措施，使攻击者更难调试应用程序，从而保护您的应用程序。# # * * A

在现代Web开发中，Jscrambler变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现Jscrambler时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

Jscrambler相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

以上就是关于这个话题的完整分享，希望能对大家有所帮助。如果还有其他问题，欢迎在评论区留言讨论。

Reference: Jscrambler 101 - Anti-Debugging | Stop Reverse Engineering

关于jsvmp编译与反编译详解(1)——实现一个简单的jsvmp，网上资料比较零散，这里做个相对完整的总结。

Found this helpful? Share it with your team and leave a comment below!

正文

目前，主流的JavaScript代码保护措施主要包括精简、加密和混淆。这些方法的核心思想主要借鉴了传统的软件代码保护技术。然而，由于JavaScript是一种脚本语言，其在传输过程中以带有语法属性的文本源码形式存在，逆向分析比传统的编译后的二进制应用程序更加容易。再加上浏览器性能的提升和调试器功能的日益完善，这些保护方法难以提供有效的保护。

jsvmp（JavaScript Virtual Machine Protection）是一种用于保护JavaScript代码的技术，类似于我们平常看到的代码混淆。但不同的是，它通过将JavaScript代码转换为一种虚拟机指令集来实现代码混淆和保护，具体的执行逻辑由vmp虚拟机来执行，这样可以防止代码被轻易地反编译和理解，从而提高代码的安全性。 对于普通的javascript代码来说，执行逻辑是这样的：

JavaScript代码 -> 词法分析/语法分析 -> 生成AST语法树 -> 生成js指令-> js引擎执行代码

而对于经过vmp混淆后的代码，执行逻辑是这样的，中间多了这么一段： 将AST转换为vmp指令集 -> 加载进vmp虚拟机

在vmp混淆的代码流程中，防护者实现了一个虚拟机来解释和执行这些指令集，并对对虚拟机和指令集进行混淆，这种工作类似于将高级语言编译为汇编的过程，因此，对混淆代直接人肉分析几乎是不可能的

wasm有一个致命的弱点，即wasm和js运行时的环境是隔离的，本身无法直接访问js对象的属性，只能以模块的方式导入导出，这个就决定了它在收集环境参数上受限很大。2020年就有使用wasm的网站，几年过去后，也并未出现大的发展。其次，wasm在执行时必须借助js实现对属性的操作部分，这样频繁的在wasm和js之间交互肯定会带来性能的影响，降低执行效率。同时还需要附带大量代码负责维护两个模块的通信，这势必会带来新的空间开销。

此外，目前可以发现，国内各大厂商的vmp实现几乎天差地别，难以出现通用的反混淆方案，jsvmp的虚拟机设计可以灵活地适应不同的保护需求，相比ast混淆的方式，能够提供更高的安全性，现在对于js混淆来说，已经有了成熟的解混淆方案。尽管在性能上可能会有一定的开销，但在保护代码安全性方面，jsvmp无疑是一个强有力的工具。

return ('undefined' = = typeof window? global: window) ['_$ webrt_1668687510'] ('484e4f4a403f5243002c210c79d545fd138caff600000000000007561b000b180201fe19203e17000e1b000b180201ff0202000d1b00131e00061a002248001d00a922201d0201220a00001d0202220a00001d020322121d01e222121d01fe220200001d01ff22121d020422131e00061a00224805483c2a1d02052248021d011f224805483c2a1d011d1d011c220200001d01f322201d02062248031d02071d00911b000b02221e0126241b000b191b000b180a0002101c1b000b191e00a948003e22011700201c1b000b03221e0108241b0

，字节通过实现了一个虚拟机，来执行这段指令序列。原始代码被转换为虚拟机指令集，虚拟机在运行时解释和执行指令，使得静态分析工具难以有效地分析代码。并且jsvmp会对虚拟机和指令集进行混淆，使得代码难以阅读和理解。虚拟机通常会实现一个栈来存储操作数和中间结果，整个执行流程类似cpu对机器码的处理。

以python为例，我们将如下代码进行编译，就得到python字节码，可以看到每个数字都代表了不同的操作，将python编译为字节码，并交由解释器去执行，就是python执行的过程

我们可以通过实现一个jsvmp来更好的理解原理，例如，我们定义一个简单的js函数，这个函数只有将两个参数相加并返回的功能：

编译为汇编代码了。我们省略了一些步骤，这中间要经过我们最熟悉的词法分析语法分析器先转换为ast，然后再经过我们的编译器转换为汇编代码

为了将这个虚拟机指令集编译为字节码，我们需要为每个操作码（op）和参数（arg）分配一个唯一的字节表示，首先定义操作码的字节值

bytecode.push (instr.arg.charCodeAt (0));// 将参数转换为字节表示

然后我们再实现一个虚拟机来执行指令，可以看到，到这一步我们的代码逻辑已经和javascript引擎几乎毫无联系了

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

本文首发于JSVMP博客，转载注明出处。后续会持续更新更多相关内容。

Reference: jsvmp编译与反编译详解(1)——实现一个简单的jsvmp - dream的小站

While working on frontend security projects, I encountered security - here's what I learned.

Have questions? Feel free to ask in the comments section below.

正文

### your communities. ### more stack exchange communities. Communities for your favorite technologies. Stack Overflow for Teams is now called **Stack Internal**. ##### Collectives™ on Stack Overflow. Is there value in scanning front-end JavaScript code for vulnerabilities with a SAST tool? My point here is: even the most secure code can be easily changed from the client, if the client wants to make your front-end upside down, they can. And everything accessible from the front-end, the client its

In modern web development, security has become increasingly important. Developers need to understand the security implications and best practices.

When implementing security, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around security continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

If you found this useful, please like and share! Follow for more content on this topic.

Reference: security - Should we check front-end JavaScript code for vulnerabilities? - Stack Overflow

I've had several readers ask me about Obfuscate recently, so I decided to write a comprehensive article about it.

Have questions? Feel free to ask in the comments section below.

正文

I am very curious how effective obfuscation would be in a WASM binary, for example could it be possible to create a client side Auth system (yeah I know it's triggering), but can you realistically decompile, have you done it, I guess I'm saying is WASM a place to hide?

Templates let you quickly answer FAQs or store snippets for re-use.

Just use cloudflare worker you have 100K requests free per month and it enables you to process data within JavaScript code... I used it to bypass the need to hide a key into the DeepAI.org services within

How’s it going, I'm a Adam, a Full-Stack Engineer, actively searching for work. I'm all about JavaScript. And Frontend but don't let that fool you - I've also got some serious Backend skills.

11 plus years* active enterprise development experience and a Fine art degree 🎨

What the heck is this it sounds like it's worth a read about 😁

Yeah the author may want to hide API keys in the client side, but that is technically not recommended, instead and I mislead the numbers, you can bypass CORS+ HIDE API KEYS in workers on CLOUDFLARES&CO with 100K request a day

How’s it going, I'm a Adam, a Full-Stack Engineer, actively searching for work. I'm all about JavaScript. And Frontend but don't let that fool you - I've also got some serious Backend skills.

11 plus years* active enterprise development experience and a Fine art degree 🎨

How’s it going, I'm a Adam, a Full-Stack Engineer, actively searching for work. I'm all about JavaScript. And Frontend but don't let that fool you - I've also got some serious Backend skills.

11 plus years* active enterprise development experience and a Fine art degree 🎨

Both awesome Ben's I agree with you both. It's just I had this idea yesterday, because of what I do, working with IAM and also UI, I wondered if the next identity access management software could run at the (trendy word alert) 'edge' client but I think we all know that's a terrifying idea 💡, but I do want to know, is it possible to securely do this. I was thinking about WASM as a sort of container I guess.

These days I do more software architecture and whatnot, and promote UX and accessibility.

Anything obfuscated can be de-obfuscated, so it's not providing any security, but it

making the web - which is supposed to be open and readable - into a worse place.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

This article was first published on JSVMP Blog. Reposting with attribution is welcome.

Reference: Obfuscate client side with WASM - DEV Community

关于Javascript，网上资料比较零散，这里做个相对完整的总结。

Found this helpful? Share it with your team and leave a comment below!

正文

很久以前，我曾经写过6502汇编代码。我喜欢它......如何将JavaScript文件包含在另一个JavaScript文件中？

在现代Web开发中，Javascript变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现Javascript时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

Javascript相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

有问题欢迎评论区交流，看到会第一时间回复大家一起讨论。

Reference: Javascript VM/Emulator? [closed] - virtualization - Stack Overflow

关于patriksimek/vm2:，网上资料比较零散，这里做个相对完整的总结。

Ready to learn more? Subscribe to our newsletter for weekly tutorials and tips.

正文

vm2是一个沙盒，可以使用白名单节点的内置模块运行不受信任的代码。重要安全免责声明

在使用vm2之前，您应该了解它的工作原理及其局限性。

作为您的应用程序。它通过复杂的网络来实现这一点，

拦截和调解沙箱和主机环境之间的每次交互。

JavaScript是一种非常动态的语言。对象可以通过原型链访问，构造函数可以通过错误对象访问，符号提供协议挂钩，异步执行创建计时窗口。在JavaScript中从一个对象到另一个对象的遍历方式非常多，这使得构建一个密封的进程内沙箱非常困难。

尽管我们尽了最大努力，研究人员和安全专业人员仍在不断发现逃离vm2沙箱的新方法。我们在报告这些漏洞时会积极修补这些漏洞，但进程内沙盒的猫和老鼠本质意味着：

对于已知漏洞，未来可能会发现新的绕过。

从最新的安全修补程序中获益。订阅安全公告并及时更新。

运行不受信任的代码时，深入防御至关重要。

如果您需要更强的隔离保证，请考虑这些替代方案，

IPC开销较高；数据必须序列化Docker、gVisor、Firecracker

基于云的代码执行（例如， AWS Lambda、Cloudflare Workers ）

您需要与主机对象的紧密集成和快速的同步通信

不受信任的代码来自相对受信任的来源（例如，内部工具，具有经过审核的作者的插件系统）

将vm2与其他安全层（网络隔离、文件系统限制、资源限制）相结合

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

篇幅原因就先写这么多，后面有空会再补充更多实战案例。有问题评论区见。

Reference: patriksimek/vm2: Advanced vm/sandbox for Node.js - GitHub