I've had several readers ask me about Security recently, so I decided to write a comprehensive article about it.

Ready to learn more? Subscribe to our newsletter for weekly tutorials and tips.

正文

# The Most Effective Way to Protect Client-Side JavaScript Applications. JavaScript running on client-side devices creates security vulnerabilities that can be exploited for code injection, reverse engineering, and data exposure. This risk is accelerating with the rise of AI-assisted development and “vibe coding,” where code is generated and deployed faster than it can be fully vetted, often increasing the attack surface. However, in the light of modern threats, client-side JavaScript security i

In modern web development, Security has become increasingly important. Developers need to understand the security implications and best practices.

When implementing Security, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around Security continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

Due to length constraints, I'll wrap up here. More practical examples coming soon. Leave a comment if you have questions!

Reference: Security Tips to Protect Client-Side JavaScript Applications | Jscrambler

There's been a lot of discussion about Secure in developer communities lately, so I wanted to share my perspective.

Ready to learn more? Subscribe to our newsletter for weekly tutorials and tips.

正文

Integrated SaaS Application Security and Risk Management platform.

Agentic Application Security for AI-Powered software development. Defensics Protocol Fuzzing Software Risk Manager ASPM Open Source & Security Audits Program Strategy & Planning Implementation & Deployment Customer Success & Support

ContextAI™: The model for building secure software.

ContextAI™: The model for building secure software.

Introducing Black Duck Signal™: Security at the speed of AI

BSIMM16: Key trends and activities for you to benchmark your own program Application Security Testing

Software Supply Chain Security Manage Enterprise AppSec Risk

Software Composition Analysis (SCA) Interactive Analysis (IAST)

Introducing Black Duck Signal™: Security at the speed of AI

Navigating the EU Cyber Resilience Act Cybersecurity Research Center

Learn why Black Duck is a Leader for the eighth year in a row

See why Black Duck is a Leader Cybersecurity Research Center

Learn why Black Duck is a Leader for the eighth year in a row

Introducing Black Duck Signal™: Security at the speed of AI

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

This article was first published on JSVMP Blog. Reposting with attribution is welcome.

Reference: Secure Coding With JavaScript: Best Practices Guide | Black Duck Blog

关于[AskJS]，网上资料比较零散，这里做个相对完整的总结。

Want to learn advanced techniques? Check out our premium courses.

正文

前端代码在用户设备上运行，永远不可信。所有重要的事情都需要在服务器端完成，无论是身份验证，

在现代Web开发中，[AskJS]变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现[AskJS]时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

[AskJS]相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

码字不易，觉得有帮助的话点个赞再走~ 如果想了解更多相关内容，可以关注我的博客后续更新。

Reference: [AskJS] Why is there a reputation that JavaScript isn't "secure" for ...

最近在写项目的时候正好涉及到Secure，顺手整理了一下相关资料。

Want to learn advanced techniques? Check out our premium courses.

正文

集成的SaaS应用程序安全和风险管理平台。

适用于人工智能软件开发的代理应用程序安全。Defensics协议模糊软件风险经理ASPM开源和安全审计计划战略和规划实施和部署客户成功和支持

ContextAI™ ：构建安全软件的模型。

ContextAI™ ：构建安全软件的模型。

推出Black Duck Signal™ ：人工智能速度下的安全性

BSIMM16 ：对您自己的程序进行基准测试的关键趋势和活动应用程序安全测试

软件供应链安全管理企业AppSec风险

软件组成分析（ SCA ）交互式分析（ IAST ）

应用安全态势管理(ASPM) DevSecOps的全球状态

推出Black Duck Signal™ ：人工智能速度下的安全性

浏览欧盟网络弹性法案网络安全研究中心

了解Black Duck连续第八年成为领导者的原因

了解Black Duck为何连续第八年成为网络安全研究中心的领导者

了解Black Duck连续第八年成为领导者的原因

推出Black Duck Signal™ ：人工智能速度下的安全性

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

篇幅原因就先写这么多，后面有空会再补充更多实战案例。有问题评论区见。

Reference: Secure Coding With JavaScript: Best Practices Guide | Black Duck Blog

I've had several readers ask me about Jscrambler recently, so I decided to write a comprehensive article about it.

Ready to learn more? Subscribe to our newsletter for weekly tutorials and tips.

正文

# Jscrambler 101 - Anti-Debugging. Welcome back to Jscrambler 101! A collection of tutorials on how to use Jscrambler to protect your JavaScript. This tutorial is about the **Anti-Debugging transformation** and covers Jscrambler version 8.3. We will explore Anti-Debugging, a new Jscrambler feature released in version 8.3. The Anti-Debugging feature protects your application by making it harder for attackers to debug an app by activating defenses that stop any reverse engineering attempts. ## **A

In modern web development, Jscrambler has become increasingly important. Developers need to understand the security implications and best practices.

When implementing Jscrambler, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around Jscrambler continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

This article was first published on JSVMP Blog. Reposting with attribution is welcome.

Reference: Jscrambler 101 - Anti-Debugging | Stop Reverse Engineering

在做前端安全相关需求时，VM这个问题绕不开，刚好把踩坑经验分享一下。

Found this helpful? Share it with your team and leave a comment below!

正文

从LLM分析隐藏函数名称诊断虚拟机运行时错误

虚拟机混淆是最先进的代码保护形式。它将JavaScript函数转换为在输出中嵌入的虚拟机上运行的自定义字节码。原始逻辑被完全隐藏-没有JavaScript进行反向工程。

如果您遇到虚拟机混淆的任何问题，请将其报告给诊断虚拟机运行时错误请参阅之前和之后的示例

有选择地只对敏感功能进行虚拟机混淆，以获得最佳性能。

为什么直接eval ()禁用虚拟机混淆，以及如何避免陷阱。

声明严格模式，以便虚拟机编译正确的字节码。

虚拟机运行时的篡改检测、防挂钩和防代理保护。

虚拟机保持可见与隐藏的内容，以及如何保护函数名称。

通过npm包从构建管道应用虚拟机混淆。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

以上就是关于这个话题的完整分享，希望能对大家有所帮助。如果还有其他问题，欢迎在评论区留言讨论。

Reference: VM Obfuscation | Obfuscator.io Documentation

项目中遇到了Building的需求，查阅了不少资料，给大家分享下我的方案。

Have questions? Feel free to ask in the comments section below.

正文

今天，我们将从头开始构建自己的JavaScript虚拟机。在本教程结束时，您将了解词汇分析，

在现代Web开发中，Building变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现Building时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

Building相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

有问题欢迎评论区交流，看到会第一时间回复大家一起讨论。

Reference: Building a JavaScript Virtual Machine from Scratch - Medium

关于weizman/awesome-javascript-anti-debugging，网上资料比较零散，这里做个相对完整的总结。

Want to learn advanced techniques? Check out our premium courses.

正文

Javascript反调试技术精选列表

谈到网络安全，有很多不同的方面。

讨论最多的方面是不同类型的安全漏洞，例如XSS、CSRF等。

另一方面， Javascript反调试是一个不够脱节的方面，但在网络安全领域的攻击和防御方面可能会产生很大的潜在影响。

贡献之前的回购-我们在这里遵循类似的指导方针！

什么是浏览器反调试？ Chromium Devtools视野镜(Scope)窗格

反调试技术允许攻击者在浏览器中执行时告知他们的恶意代码是否正在被检查。

我们的想法是使用浏览器提供的工具（在大多数情况下只是JavaScript ）来了解网站的源代码是否正在以任何方式被检查和/或调试，并根据结果采取不同的操作。

通常，攻击者使用这些技术来隐藏其恶意活动并保护其代码不被发现。

这意味着，攻击者可以使用反调试技术来保护他们的代码，当发现正在检查的代码时，阻止攻击而不是完成攻击。Chromium Devtools视野镜(Scope Pane) Chromium Shadow Root滥用

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

本文首发于JSVMP博客，转载注明出处。后续会持续更新更多相关内容。

Reference: weizman/awesome-javascript-anti-debugging - GitHub

Information about Akamai is scattered across the web, so I compiled this guide for reference.

Have questions? Feel free to ask in the comments section below.

正文

While conducting threat research on phishing evasion techniques, Akamai came across threat actors using obfuscation and encryption, making the malicious page harder to detect. In this blog, we'll review some of the most prevalent evasion and obfuscation techniques being used in the wild based on numerous phishing websites Akamai has been able to track over the last few months. Another technique we were able to see in the wild is a custom-made JavaScript function that executes XOR decryption for

In modern web development, Akamai has become increasingly important. Developers need to understand the security implications and best practices.

When implementing Akamai, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around Akamai continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

If you found this useful, please like and share! Follow for more content on this topic.

Reference: Akamai Blog | Catch Me if You Can—JavaScript Obfuscation

最近在写项目的时候正好涉及到How，顺手整理了一下相关资料。

Found this helpful? Share it with your team and leave a comment below!

正文

JavaScript (JS)是一种用于创建交互式网站的多功能语言，但它也易于查看，可以将代码的敏感部分暴露给任何人。

加密或混淆JavaScript是一种通过使代码更难理解或逆向工程来为您的网站添加保护层的方法。

以下是关于为什么以及如何有效地加密JavaScript代码的分步指南，以及如何使用

JavaScript加密主要是为了保护敏感逻辑和保护数据免受未经授权的访问。加密JavaScript的一些常见原因包括：

保护知识产权：如果您的JavaScript包含独特的算法或专有函数，加密会使其他人更难理解和重复使用。

增强安全性：敏感数据或安全机制（例如，客户端表单验证或身份验证数据）受益于加密。

防止数据抓取：如果您的应用程序容易被抓取或数据被盗，加密代码的关键部分可以阻止攻击者。

JavaScript加密通常涉及混淆或缩小，以及用于更强大保护的其他技术。以下是一些主要方法：

混淆是保护JavaScript代码的最常见方法之一。它更改变量名称，删除空格，并在不影响功能的情况下更改代码结构。混淆可能会使人类难以阅读代码，但会维护浏览器的功能。操作方法如下：

uglifyjs yourfile.js -o yourfile.min.js --compress --mangle

结果是一个具有更短变量名称和紧凑结构的文件，很难进行逆向工程。

缩小通过删除不必要的字符（如注释和空格）而不更改功能来减小JavaScript的大小。虽然不是加密本身，但缩小的代码更难阅读，因此提供了基本的保护层。

Terser在JavaScript压缩中很受欢迎，经常与Webpack等构建工具一起使用。

terser yourfile.js -o yourfile.min.js c.使用加密库

对于更敏感的数据，请考虑使用客户端加密库加密部分代码。这些库提供加密算法，如AES、RSA和SHA ，用于保护传输或存储中的数据。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

有问题欢迎评论区交流，看到会第一时间回复大家一起讨论。

Reference: How to Encrypt JavaScript Code for Web Security - DEV Community

最近在写项目的时候正好涉及到JavaScript，顺手整理了一下相关资料。

Have questions? Feel free to ask in the comments section below.

正文

最常见的JavaScript漏洞包括跨站点脚本（ XSS ）、恶意代码、中间人攻击和利用Web应用程序源代码中的漏洞。在本文中，我们将介绍最常见的JavaScript漏洞，以及如何通过流行的现代安全方法和测试工具（例如审计和代码分析工具、JavaScript漏洞扫描程序等）来防止它们。最常见的JavaScript攻击媒介包括： execu

在现代Web开发中，JavaScript变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现JavaScript时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

JavaScript相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

以上就是关于这个话题的完整分享，希望能对大家有所帮助。如果还有其他问题，欢迎在评论区留言讨论。

Reference: JavaScript Security | JavaScript Vulnerabilities | Snyk

有读者私信问我Evading该怎么实现，今天正好有空写篇文章记录一下。

Have questions? Feel free to ask in the comments section below.

正文

作者和朋友Jordin设计了一种独特的方法，通过重命名调试器关键字，防止其触发。

在现代Web开发中，Evading变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现Evading时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

Evading相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

以上就是关于这个话题的完整分享，希望能对大家有所帮助。如果还有其他问题，欢迎在评论区留言讨论。

Reference: Evading JavaScript Anti-Debugging Techniques : r/programming

Recently I was working on a project involving Evading, and I thought it'd be helpful to share some insights.

Want to learn advanced techniques? Check out our premium courses.

正文

The author and a friend, Jordin, devised a unique approach by renaming the debugger keyword, preventing it from triggering.

In modern web development, Evading has become increasingly important. Developers need to understand the security implications and best practices.

When implementing Evading, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around Evading continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

Due to length constraints, I'll wrap up here. More practical examples coming soon. Leave a comment if you have questions!

Reference: Evading JavaScript Anti-Debugging Techniques : r/programming

There's been a lot of discussion about What in developer communities lately, so I wanted to share my perspective.

Ready to learn more? Subscribe to our newsletter for weekly tutorials and tips.

正文

Use secure cookies for authentication keys. They're not accessible by JavaScript so a script injection attack can't steal them. Avoid any

In modern web development, What has become increasingly important. Developers need to understand the security implications and best practices.

When implementing What, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around What continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

If you found this useful, please like and share! Follow for more content on this topic.

Reference: What about security? : r/Frontend - Reddit