Is there a reason why legit web sites are using this type of obfuscation?

It's not obfuscated script. it's only minimized script for faster loading purposes.

These are some sample scripts.

Normal Script:

StackExchange.ready(function() {
    StackExchange.using("postValidation", function() {
        StackExchange.postValidation.initOnBlurAndSubmit($('#post-form'), 2, 'answer');
    });

    StackExchange.question.init({
        showAnswerHelp: true,
        totalCommentCount: 2,
        shownCommentCount: 2,
        highlightColor: '#F4A83D',
        backgroundColor: '#FFF',
        questionId: 128839
    });
    styleCode();
    StackExchange.realtime.subscribeToQuestion('162', '128839');
    StackExchange.using("gps", function() {
        StackExchange.gps.trackOutboundClicks('#content', '.post-text');
    });
});

Minimized Script:

StackExchange.ready(function(){StackExchange.using("postValidation",function(){StackExchange.postValidation.initOnBlurAndSubmit($('#post-form'),2,'answer')});StackExchange.question.init({showAnswerHelp:true,totalCommentCount:2,shownCommentCount:2,highlightColor:'#F4A83D',backgroundColor:'#FFF',questionId:128839});styleCode();StackExchange.realtime.subscribeToQuestion('162','128839');StackExchange.using("gps",function(){StackExchange.gps.trackOutboundClicks('#content','.post-text')})});

Obfuscated Script (using my self method):

var _0x1fc5 = ["\x30\x2E\x38\x28\x31\x28\x29\x7B\x30\x2E\x33\x28\x22\x34\x22\x2C\x31\x28\x29\x7B\x30\x2E\x34\x2E\x39\x28\x24\x28\x27\x23\x35\x2D\x61\x27\x29\x2C\x32\x2C\x27\x62\x27\x29\x7D\x29\x3B\x30\x2E\x63\x2E\x64\x28\x7B\x65\x3A\x66\x2C\x67\x3A\x32\x2C\x68\x3A\x32\x2C\x69\x3A\x27\x23\x6A\x27\x2C\x6B\x3A\x27\x23\x6C\x27\x2C\x6D\x3A\x36\x7D\x29\x3B\x6E\x28\x29\x3B\x30\x2E\x6F\x2E\x70\x28\x27\x71\x27\x2C\x27\x36\x27\x29\x3B\x30\x2E\x33\x28\x22\x37\x22\x2C\x31\x28\x29\x7B\x30\x2E\x37\x2E\x72\x28\x27\x23\x73\x27\x2C\x27\x2E\x35\x2D\x74\x27\x29\x7D\x29\x7D\x29\x3B", "\x7C", "\x73\x70\x6C\x69\x74", "\x53\x74\x61\x63\x6B\x45\x78\x63\x68\x61\x6E\x67\x65\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x7C\x75\x73\x69\x6E\x67\x7C\x70\x6F\x73\x74\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x7C\x70\x6F\x73\x74\x7C\x31\x32\x38\x38\x33\x39\x7C\x67\x70\x73\x7C\x72\x65\x61\x64\x79\x7C\x69\x6E\x69\x74\x4F\x6E\x42\x6C\x75\x72\x41\x6E\x64\x53\x75\x62\x6D\x69\x74\x7C\x66\x6F\x72\x6D\x7C\x61\x6E\x73\x77\x65\x72\x7C\x71\x75\x65\x73\x74\x69\x6F\x6E\x7C\x69\x6E\x69\x74\x7C\x73\x68\x6F\x77\x41\x6E\x73\x77\x65\x72\x48\x65\x6C\x70\x7C\x74\x72\x75\x65\x7C\x74\x6F\x74\x61\x6C\x43\x6F\x6D\x6D\x65\x6E\x74\x43\x6F\x75\x6E\x74\x7C\x73\x68\x6F\x77\x6E\x43\x6F\x6D\x6D\x65\x6E\x74\x43\x6F\x75\x6E\x74\x7C\x68\x69\x67\x68\x6C\x69\x67\x68\x74\x43\x6F\x6C\x6F\x72\x7C\x46\x34\x41\x38\x33\x44\x7C\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x43\x6F\x6C\x6F\x72\x7C\x46\x46\x46\x7C\x71\x75\x65\x73\x74\x69\x6F\x6E\x49\x64\x7C\x73\x74\x79\x6C\x65\x43\x6F\x64\x65\x7C\x72\x65\x61\x6C\x74\x69\x6D\x65\x7C\x73\x75\x62\x73\x63\x72\x69\x62\x65\x54\x6F\x51\x75\x65\x73\x74\x69\x6F\x6E\x7C\x31\x36\x32\x7C\x74\x72\x61\x63\x6B\x4F\x75\x74\x62\x6F\x75\x6E\x64\x43\x6C\x69\x63\x6B\x73\x7C\x63\x6F\x6E\x74\x65\x6E\x74\x7C\x74\x65\x78\x74", "\x72\x65\x70\x6C\x61\x63\x65", "", "\x5C\x77\x2B", "\x5C\x62", "\x67"]
eval(function(_0x5f63x1, _0x5f63x2, _0x5f63x3, _0x5f63x4, _0x5f63x5, _0x5f63x6) {
        _0x5f63x5 = function(_0x5f63x3) {
            return _0x5f63x3.toString(_0x5f63x2)
        };
        if (!_0x1fc5[5][_0x1fc5[4]](/^/, String)) {
            while (_0x5f63x3--) {
                _0x5f63x6[_0x5f63x5(_0x5f63x3)] = _0x5f63x4[_0x5f63x3] || _0x5f63x5(_0x5f63x3)
            }
            _0x5f63x4 = [function(_0x5f63x5) {
                return _0x5f63x6[_0x5f63x5]
            }];
            _0x5f63x5 = function() {
                return _0x1fc5[6]
            };
            _0x5f63x3 = 1
        };
        while (_0x5f63x3--) {
            if (_0x5f63x4[_0x5f63x3]) {
                _0x5f63x1 = _0x5f63x1[_0x1fc5[4]](new RegExp(_0x1fc5[7] + _0x5f63x5(_0x5f63x3) + _0x1fc5[7], _0x1fc5[8]), _0x5f63x4[_0x5f63x3])
            }
        }
        return _0x5f63x1
    }
    (_0x1fc5[0], 30, 30, _0x1fc5[3][_0x1fc5[2]](_0x1fc5[1]), 0, {}))

See, those 3 scripts above are same (equal).


You got good information from the answer and commentary, but, they didn't exactly answer the question.

The reason obfuscated code is used depends on the author.

The author is a jerk: If the author is writing malware, un-obfuscated code can be easily parsed by malware checkers using signatures, presence of tokens, pre-compiling, and other methods. The author in this case wants the malware to spread, so, code is obfuscated to attempt to avoid detection.

(note, this is not legit, so, doesn't answer your question; but I added it for posterity)

The author is using patented code: If the author is writing proprietary code, whether in the java/vbscript or in the ActiveX library it is using, obfuscated code is the programmer's way to prevent the casual hacker from learning about, and possibly exploiting, stealing, profiting from, or giving away these secrets.

The author is using secret functions: If the author is writing code which uses secret (unpublished) functions in ActiveX libraries, obfuscating the access to those functions can mitigate the casual hacker from seeing, using, and exploiting this code. Although a dangerous practice, sometimes, programmers use "backdoor" logic - something which doesn't require authentication, or expensive checks and balances, etc. This kind of code is sometimes called "debug" code - something temporary, or something which is deliberately left in production, and which "shouldn't" be used.

The author is hardcoding a password: If the author is writing code which is hard-coding protected information (a password), the author may want to keep this information hidden from the casual hacker or a bot.

The author is hardcoding an email: If the author is writing code which is hard-coding an email (say, as part of a "contact us" link), the author may want to keep this information hidden from bots which look for emails to send spam to.

The author is using deprecated or beta code: If the author is writing code which is using functions which are not intended to be used in regular production - say, the code is deprecated or is in beta/alpha - then obfuscating it will mitigate anyone trying to copy, use, document, or rely on this. Here, there's no attempt to harm someone's computer, or to steal code.

The author us using good code which triggers a false-positive: If the author is writing code which happens to have a signature which is known to trigger a false-positive by virus checkers, the author might try to mitigate this by obfuscating the code, so as not to trigger the alarm. This may seem like similar to the first scenario, except that in the first, the author is malevolent, whereas in this case, the author is not trying to subvert anyone's system.

The Casual Hacker: Note that any determined hacker will see through all of this and easily parse the code as needed. Content security is generally considered a holy grail. Anything sent to a client must be decrypted, decoded, or de-obfuscated before being used, and therein lies the weakness: once decrypted, decoded, or de-obfuscated, the content is accessible.

Tags:

Javascript

Obfuscation

Related

Why is it more secure to use intermediate CA certificates? What extra security does a 2-step website login process with a PIN provide? Hosting company advised us to avoid PHP for security reasons. Are they right? How to store data that the computer can read but not the user? Does the amount of bandwidth available on a network determine how strong a DoS attack should be? Hacking a car "in real life" Is it possible to clone my contactless debit card while it's in my pocket? Proving creation time/date of a screenshot Is sending a password encrypted or as SHA1 any safer than clear text? Is Qubes OS more secure than running a set of activity related VMs? Implications of leaving admin UI accessible to non-admin users Did XSS reach its end-of-life with the introduction of the HTTP X-XSS-Protection header?

Recent Posts