Lab: Abusing `.bind` Method to Avoid Inspection of JavaScript Functions
18 Mar 2013Hello!
You all know we can see a function’s implementation with Web Inspector:
The inspector says what is the implementation:
I realised that if I bind STCustom
function anything else, the implementation will not be visible.
Let’s wrap it and bind to undefined.
Now, let’s see it’s implementation:
It’s not visible. But it’s not useful for now. Let’s abuse it more. :)
It’s a simple JavaScript class with methods. Before try to hide them let’s check the STCustom
variable.
OK, It’s still visible. Let’s .bind
it to nothing again:
Now, it’s hidden again. What about the methods?
These are visible. So we should hide them too, abusing “bind”:
We bound all the methods to the object itself. So it couldn’t be inspected.
Deep-Freezed Classes
We also freezed that class, you cannot extend it anymore:
As you see, we are not able to access prototype
of the class.
Why is that?
It’s because .bind
method’s implementation. It returns a bounded native function, so you see the native one all the time, not your implementation. It’s like proxying the function over browser.
It’s not for production use, just a small trick that I realised.
Thanks! :)
Sorry for my English mistakes.