
I have a bunch of websites of mine that need to call an external server asking for some data. This server contains sensible information such as discount codes that need to be applied on the website, based on what the user is doing.

Since I can't do a synchronous AJAX call on users' actions (deprecated and bad practice), I'm doing it async every time a user loads the page on these websites. The call retrieves all the possible discount codes, but I'd like people not to be able to decode it and get them for free. The server creates a JSON array and encodes it as base64, then the JS in the user's browser decodes it (atob() function), giving me the JSON I need to work with.

I'd like to apply an encryption to this, like an algorithm for letter swapping or something. This means that even if the user reads my JSON result he is not going to be able to read it, BUT he could read it when my JS code tries to decode it (pausing with the debugger).

So my question is: could JavaScript obfuscation solve my issue? My JS would contain the algorithm to take my string back to its original form, but the whole code is obfuscated, therefore the debugger won't work. Is that a safe approach to the matter? If not, how could I do it safely?

Summing it up, the system works like this:

1. User loads page in website
2. JSONP AJAX call asks for all the available discount codes from my server
3. Server gets the list, makes a JSON of it and returns a base64 string of this JSON
4. Client gets this and when he clicks on something particular I decode the JSON and apply the correct discount based on calculations.

I hope it's clear enough for you to give some suggestions :)

Thanks!

  • base64 is easily decoded. Use a different approach. Give them a code that can be checked by the server and that can only be used once. By the way, since the client has access to your JavaScript functions they can just use them. Use SSL to protect the clients' information. You can use PHP's uniqid with some additional concatenation to create promo codes for your database. Commented Feb 12, 2018 at 9:33
  • I'm using SSL. How can the client call my JS functions if they're obfuscated? He would not know what is callable or not. Can you stop an obfuscated JS function with a debugger? Commented Feb 12, 2018 at 9:36
  • “Can you stop with a debugger an obfuscated JS function?” - of course you can ... obfuscated only means that identifiers such as function and variable names get replaced with something less readable to humans, but it changes absolutely nothing about how the browser executes that code. Commented Feb 12, 2018 at 9:54
  • As mentioned below, I tried but could not get anything useful out of it. If I had to steal variable contents like this, I would be lost and I'd give up. Is there a way to get around this "more easily"? I just need to know if it's "hard enough" to make people desist. Actually I'm pretty sure people don't even know what I'm doing there and applying a discount in the first place. Commented Feb 12, 2018 at 9:57

1 Answer

If you do your decryption on the client machine, then there is no way of making it secure. You could apply obfuscation, or other means of hiding your process, but ultimately there is a point in the code which does the decryption, and it is available to the client. You should not do that on the client side.

You could maybe do this:

  1. Website loads
  2. It sends request for promo codes, along with the user details.
  3. You send only data that is available for that user.

In this way you do not need to encrypt anything, but it will involve some rethinking and change to server side logic.

There is maybe another solution, which is hacky, and also requires a server change. Send the codes as you already send them, but send them incomplete. Maybe remove the last 2 or more digits. Then the user requests to activate the promotion and sends the incomplete code. Then you look in your table for the code that starts with it (LIKE '...%'), and create the working code on the server side.
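To make the answer's point concrete, here is an added Python sketch (not code from the question or the answer) of the server-side design it recommends, combined with the single-use check from the comments: the browser only ever receives opaque handles, and the server resolves a handle to a real code, enforces one use, and applies the discount. The discount table and the handle scheme are constructed assumptions; the first function just shows that the original base64 step offers no protection.

```python
import base64
import json
import secrets

# Constructed sample of the server's real discount codes (assumption, not the site's data).
DISCOUNT_TABLE = {
    "SPRING50": {"percent": 50, "uses_left": 1},
    "SUMMER10": {"percent": 10, "uses_left": 3},
}


def base64_is_not_encryption(codes):
    """The original design: base64 is an encoding, so the 'protected' payload
    is recovered by anyone with one call to b64decode (or atob() in a browser)."""
    payload = base64.b64encode(json.dumps(codes).encode()).decode()
    return json.loads(base64.b64decode(payload))


def issue_handles():
    """Server side: instead of shipping codes, ship random per-session handles.
    A handle carries no discount information; only the server's mapping does.
    The server stores the dict; the client receives just list(handles)."""
    return {secrets.token_urlsafe(12): code for code in DISCOUNT_TABLE}


def redeem(handle, session_handles, cart_total):
    """Server side, called when the user clicks 'buy': resolve the handle,
    enforce single use, and apply the discount. The client never learns the
    underlying code, so there is nothing to decrypt or debug in the browser.
    Returns the discounted total, or None if the handle is invalid or spent."""
    code = session_handles.get(handle)
    if code is None:
        return None  # unknown or forged handle
    entry = DISCOUNT_TABLE[code]
    if entry["uses_left"] <= 0:
        return None  # code already consumed
    entry["uses_left"] -= 1
    del session_handles[handle]  # a handle is good for exactly one redemption
    return round(cart_total * (100 - entry["percent"]) / 100, 2)
```

The cart-dependent rule the asker mentions (size, colour, shape) moves into redeem() as well, since the server sees the cart at checkout anyway.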


9 Comments

Unfortunately I can't do it this way since I only know what discount to apply at the same moment he clicks on "buy" (I look at what you're buying: size, color, shape etc.). And at this point I can't make a synchronous AJAX call; it needs to do it sequentially and instantly. How can someone stop my decoding process if the code is obfuscated? I could not do it.
I have added another potential solution to your issue.
Thanks for the second version. That can't work either since I have no access to the database of these websites. I can just put in a discount code, then the ecommerce platform applies it.
You could make some sort of middle service :)
atob() and btoa() functions can't be obfuscated, they are called as they are. That is your problem.