This article is Part 6 of my series Hack Proof your asp.net and asp.net mvc applications.
You can read the previous articles of this series from the links below:
- Secure your ASP.NET applications from SQL Injection
- Secure your ASP.NET applications from XSS Attack
- Secure your ASP.NET applications from CSRF Attack
- Secure your ASP.NET applications from Sensitive Data Exposure and Information Leakage
- Secure your ASP.NET applications from Session Hijacking
Obfuscation is the process of converting your code to an equivalent form that is difficult to understand and difficult to reverse engineer.
Minification is the process of removing unnecessary spaces from a file, whereas obfuscation is the process of making code difficult to understand.
The picture above is from my article: Tips and Tricks for Faster Asp.NET and Asp.net MVC applications
Why we need Obfuscation
Code obfuscation scrambles the symbols and code of a program, rendering it difficult to understand while at the same time preserving the program's functionality.
Benefits of Obfuscation
- Protection of intellectual property (your own written code)
- Reduced security threats (by preventing exposure of the code in a descriptive form)
- Reduced file size (minification and shortened variable names)
- No network delays
Requirements
- Visual Studio 2010, 2012, 2013
- Asp.Net framework 4 and 4.5 and above (whenever they are released)
- Obviously, an ASP.NET or ASP.NET MVC application
In my case I am using VS 2012 and asp.net framework 4.5.
Step 1: Install the Bundle Transformer NuGet package
Install Bundle Transformer using the Package Manager Console.
Go to Tools > Library Package Manager > Package Manager Console
Bundle Transformer contains many minifiers, but here we are going to cover only Uglify to achieve obfuscation. For more details about the Bundle Transformer minifiers, translators and postprocessors, visit https://bundletransformer.codeplex.com/.
Step 3 : Do the Web.Config Setting for uglify
When you installed Bundle Transformer, it automatically created a <bundleTransformer> node. Under this node, add the following configuration for uglify.
<uglify>
  <js screwIe8="false" severity="0">
    <parsing strict="false" />
    <compression compress="true" sequences="true" propertiesDotNotation="true"
      deadCode="true" dropDebugger="true" unsafe="false"
      conditionals="true" comparisons="true" evaluate="true"
      booleans="true" loops="true" unused="true"
      hoistFunctions="true" keepFunctionArgs="false" hoistVars="false"
      ifReturn="true" joinVars="true" cascade="true"
      globalDefinitions="" pureGetters="false" pureFunctions=""
      dropConsole="false" angular="false" />
    <mangling mangle="true" except="" eval="false"
      sort="false" topLevel="false" />
    <codeGeneration beautify="false" indentLevel="4" indentStart="0"
      quoteKeys="false" spaceColon="true" asciiOnly="false"
      inlineScript="false" width="80" maxLineLength="32000" />
  </js>
  <jsEngine name="MsieJsEngine" />
</uglify>
Step 4 - Modify the BundleConfig
When you create a new web form application or MVC application , asp.net framework 4.5 templates automatically create a folder App_Start for code that runs on application startup.
Folder App_Start > BundleConfig
1. Add the following namespaces
2. Initialize the script and style transformers and the NullBuilder and NullOrderer classes
bundles.UseCdn = true;
var nullBuilder = new NullBuilder();
var styleTransformer = new StyleTransformer();
var scriptTransformer = new ScriptTransformer();
var nullOrderer = new NullOrderer();
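3. Create the ScriptBundle that you want to obfuscate
var scriptbundleToObfuscate = new Bundle("~/bundles/WebFormsJs");
scriptbundleToObfuscate.Include("~/Scripts/WebForms/WebForms.js"); // assumed template path, adjust to your project
scriptbundleToObfuscate.Builder = nullBuilder;
scriptbundleToObfuscate.Transforms.Add(scriptTransformer); // without this the bundle is never passed to uglify
scriptbundleToObfuscate.Orderer = nullOrderer;
bundles.Add(scriptbundleToObfuscate);
For demo purposes I am using WebForms.js and its bundle, which Visual Studio creates automatically.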
4. Set EnableOptimizations to true to see the result.
BundleTable.EnableOptimizations = true;
Set it to false during development so that the JS files are not bundled, minified and obfuscated. Never forget to set it back to true before publishing the application.
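Steps 1 to 4 assembled into one App_Start/BundleConfig.cs, as an added example that is not the original article's code. It assumes that UglifyJsMinifier is selected as the default JS minifier in the <bundleTransformer> core settings, that WebForms.js sits at the path shown, and that RegisterBundles is called from Application_Start; it also derives EnableOptimizations from the compilation debug flag so the switch cannot be forgotten at publish time.

```csharp
using System.Web;
using System.Web.Optimization;
using BundleTransformer.Core.Builders;
using BundleTransformer.Core.Orderers;
using BundleTransformer.Core.Transformers;

public class BundleConfig
{
    public static void RegisterBundles(BundleCollection bundles)
    {
        bundles.UseCdn = true;

        // NullBuilder leaves combining of the files to the transformer;
        // NullOrderer keeps the files in the order they are declared.
        var nullBuilder = new NullBuilder();
        var nullOrderer = new NullOrderer();

        // ScriptTransformer passes the bundle to the JS minifier configured
        // in Web.config (assumed here to be the uglify minifier from Step 3).
        var scriptTransformer = new ScriptTransformer();

        var scriptbundleToObfuscate = new Bundle("~/bundles/WebFormsJs");
        // Assumed file location; change it to match your project.
        scriptbundleToObfuscate.Include("~/Scripts/WebForms/WebForms.js");
        scriptbundleToObfuscate.Builder = nullBuilder;
        scriptbundleToObfuscate.Transforms.Add(scriptTransformer);
        scriptbundleToObfuscate.Orderer = nullOrderer;
        bundles.Add(scriptbundleToObfuscate);

        // Follows <compilation debug="..."> in Web.config:
        // debug="true"  -> plain files while developing,
        // debug="false" -> bundled, minified and obfuscated output.
        BundleTable.EnableOptimizations = !HttpContext.Current.IsDebuggingEnabled;
    }
}
```

Mangling only renames identifiers; string literals, URLs and any keys embedded in the script stay readable in the output, so keep secrets on the server.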
Final Step : Include the bundle in your application and See the results:
Asp.Net Web forms :
<%: Scripts.Render("~/bundles/WebFormsJs") %>
Asp.Net MVC :
Before Obfuscation :
After Obfuscation :