One time pad obfuscation
Is it possible to scramble output data to the client so that with each HTTP request it would be different and looking pretty much random ? The answer is YES. One method would be to use a one time pad with injected key.
Algo would be :
- Generate random key of same length as plaintext
- XOR key with plaintext
- Inject key into encrypted text and convert result to base64
- Emit JavaScript code which decodes encoded text
PHP data obfuscation code
<?php
function obfuscate($text) {
$obfuscated = '';
$random_key = '';
// generating random key from printable characters
for ($i = 0; $i < strlen($text); $i++) {
$random_key .= chr(random_int(32, 127));
}
// XOR'ing source text and key with one-time-pad
for ($i=0; $i < strlen($text); $i++) {
$obfuscated .= $text[$i] ^ $random_key[$i];
}
// injecting key into output and converting to base64
$obfuscated = $random_key . $obfuscated;
$obfuscated = base64_encode($obfuscated);
// outputing resulted string
return $obfuscated;
}
?>
Output HTML and Javascript code for decoding
<html>
<body>
<p id='out'></p>
<script>
var encoded = atob('<?=obfuscate("one-time-pad obfuscation rulez !")?>');
var pass = encoded.substr(0, encoded.length/2);
var code = encoded.substr(encoded.length/2, encoded.length/2);
var decoded = '';
for (sym = 0; sym < code.length; sym++) {
var chr = pass.charCodeAt(sym) ^ code.charCodeAt(sym);
decoded += String.fromCharCode(chr);
}
var el = document.getElementById('out');
el.innerHTML = decoded;
</script>
</body>
</html>
Results
Running code above, you will see in text phrase : "one-time-pad obfuscation rulez !" BUT ... if you will look into source of document - you'll see that phrase above is encoded with each http request differently and randomly, like :
OGQrbj1kR1klbys9RD1mWilYcSJOdCx8RV1uYX8zJGRXCk5DSQ0qPAgfSllkUgQ8XCsSQzodQxJlLxsNGkkERQ==
XXx7fGJZfi9QQ25tNmAvfl8tJipiQEo3PS1xVzd9X2cyEh5RFjATSn0zDwkWD00YKl5FSxYpJVkdXwQ7Ugd/Rg==
e25OMEZuSTExYCt0dXlccSorJVt1fjxfOm9YTXxVeDQUACsdMgckVBwQShBVFj4XX1hGOgEXUzEaHS0hGS9YFQ==
...
So unsuspecting or casual "hacker" without a knowledge of encryption scheme and/or Javascript coding skills will not have any clue what is this and how to decode that stuff.
Now you have yet another tool for obfuscating sensitive data :-)