web javascript obfuscation reverse-engineering client-side-auth crypto

Recover a client-side "secret" by beautifying obfuscated JS and reversing its transform stack offline.

Obfuscated JS Auth — MD5 + XOR + Base64

The backend is not the auth gate at all; the challenge logic lives in obfuscated JS. Once the transformation stack is understood, the "secret" is usually recoverable offline.

Why It Works

  • Client-side auth means all the math is in front of you — decode constants and reverse the transforms.

Vulnerable Pattern

  • Frontends shipping auth.js or similar with custom XOR, base64, hashing, or packed string arrays.

Exploit Flow

  1. Beautify the JS and isolate the primitive transforms.
  2. Decode constant blobs and recover static keys before reasoning about control flow.
  3. Compare the recovered value against candidate usernames, passwords, or challenge hints.

Variations

  • MD5, SHA1, XOR keystreams, base64 layers, or string-array indirection.

Common Blockers

  • None from a security perspective, only analyst time. This is a "read the code correctly" problem. The one real obstacle is a value that ships only as a hash: MD5 or SHA1 cannot be inverted, so that value has to be guessed from candidates (challenge hints, usernames seen elsewhere on the page) and matched by comparing digests.

PoC Sketch

const decode = (blob, key) => atob(blob).split('').map((c, i) => String.fromCharCode(c.charCodeAt(0) ^ key[i % key.length])).join('');
// blob: the base64 constant from the bundle; key: the recovered static XOR key as an array of byte values
// compare MD5(decode(blob, key)), or MD5 of each candidate username, against the digest the bundle checks

Good Situations To Use It

  • Auth/validation runs entirely in client JS.
  • The bundle ships obfuscated transforms and constants.
  • No server-side check gates the flag.

Sources

  • marshack2026/web/bienvenue