Appendix E. The Script Encoder
The Script Encoder, screnc.exe, is a command-line utility that encodes script, including the script embedded in HTML pages, ASP pages (including inline ASP script), and .wsf scripts for the Windows Script Host. The encoded script, rather than the original source code, is then decoded and executed when the script is run. Using the Script Encoder to encode script offers two advantages:
Source code protection
Ordinarily, script is plainly visible to prying eyes. Client-side script in particular can be inspected by anyone who requests a web page. Although both ASP and WSH scripts are accessible to a smaller number of users, they nevertheless can be read by anyone with access to the system on which they reside. By encoding the code, the Script Encoder renders it illegible.
Security
Not only can scripts be viewed, but in some cases they can even be modified. Once a script is encoded, however, any further modification renders it inoperable. By permitting scripts to be encoded, the Script Encoder has two objectives:
- Stop casual inspection and modification of a script.
- Provide a legal recourse, should inspection or modification take place.
At the same time, it is important to recognize that the Script Encoder is not cryptographically strong; encoded scripts can be decoded very easily (and decoders are readily downloadable from the Internet). The Script Encoder ultimately offers the same level of minimal protection as locking a car provides to its contents. It mitigates casual inspection of code, but should not be used to protect valuable or sensitive information like passwords.
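Because encoding does not protect secrets, it helps to inventory where encoded script lives so those files can be reviewed for embedded passwords. The following Python check is an added example, not part of the original text; it looks for the `#@~^` ... `^#~@` wrapper and the `.Encode` engine names that the Script Encoder writes, and its function names and sample files are constructed for illustration.

```python
import re

# Added example. Every Script Encoder payload is wrapped as:
#   #@~^ <8-char length field> <encoded body> <8-char checksum field> ^#~@
FIELD = r"[A-Za-z0-9+/]{6}=="
BLOCK = re.compile(r"#@~\^" + FIELD + r".*?" + FIELD + r"\^#~@", re.DOTALL)
# Engine names that tell the host to decode before running the script.
ENGINE = re.compile(r"\b(?:VBScript|JScript)\.Encode\b", re.IGNORECASE)
# Extensions Windows Script Host associates with encoded script files.
ENCODED_EXTS = (".vbe", ".jse")


def find_encoded_script(name, text):
    """Return a sorted list of (line_number, kind) findings for one file."""
    findings = []
    for m in BLOCK.finditer(text):
        findings.append((text.count("\n", 0, m.start()) + 1, "encoded-block"))
    for m in ENGINE.finditer(text):
        findings.append((text.count("\n", 0, m.start()) + 1, "encode-engine"))
    if name.lower().endswith(ENCODED_EXTS) and not findings:
        # Extension claims encoded content but no marker was found.
        findings.append((1, "encoded-extension-no-marker"))
    return sorted(findings)


def audit(files):
    """Map each file name to its findings, omitting clean files."""
    report = {}
    for name, text in files.items():
        hits = find_encoded_script(name, text)
        if hits:
            report[name] = hits
    return report


# Constructed sample input; the encoded bodies are placeholders, not real output.
SAMPLE = {
    "login.asp": '<%@ LANGUAGE = VBScript.Encode %>\n'
                 '<%#@~^AAAAAA==PLACEHOLDER-BODYAAAAAA==^#~@%>\n',
    "plain.asp": '<%@ LANGUAGE = VBScript %>\n<% Response.Write "hi" %>\n',
    "menu.htm": '<html>\n<script language="JScript.Encode">'
                '#@~^AAAAAA==PLACEHOLDERAAAAAA==^#~@</script>\n</html>\n',
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE).items():
        print(name, hits)
```

Files this check reports are candidates for manual review: anything sensitive inside them should be treated as readable by whoever can obtain the file.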