Question

Is it possible to find a randomly generated value declared within an anonymous function (IIFE), and if so how?

(function () {
  // assuming an epic, obscured, random function
  var salt = random()*10000|0;

  // assuming an event manager
  Events.on('custom event', function () {
    // do something amazing with salt here
  });
})()

Assuming:

  • the function is loaded via ajax
  • it executes on load (making it difficult to include a breakpoint)
  • there's a suitably elegant solution in place to test for injection (is there such a thing?).

Solution

A simple breakpoint in your JS exposes the salt value. It is not accessible to code outside the IIFE (Immediately Invoked Function Expression - what you are calling an anonymous function), but if you're trying to keep a debugger from seeing it via a breakpoint inside the IIFE, then JS is not going to prevent that in any way.

For example, you can set a breakpoint right where the salt value is coined and see what it is, or, if that code is dynamically loaded via ajax, you can set a breakpoint on the ajax loading code and then step through the loading of the code until you can then set a breakpoint where the salt value is coined.

OTHER TIPS

I see two ways to hack this: first, set a breakpoint and overwrite the salt, or overwrite Math.random to always return the same value. And there are no ways to protect your program from this. On the other hand, it's very hard to find the piece of code in a minified and obfuscated script.
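
The behaviour both answers describe, as an added example that is not part of the original posts: the IIFE keeps `salt` out of reach of outside code, yet the value follows whatever `Math.random` is when the IIFE runs, so it cannot be treated as a secret. `makeModule`, `looksNative` and `saltWithPinnedRandom` are hypothetical names, and the native-code check is a heuristic, not a guarantee.

```javascript
// Added example (constructed); all function names here are hypothetical.

// Mirrors the question's IIFE: salt lives only in the closure, and the
// module exposes a handler that uses it without returning it directly.
function makeModule() {
  return (function () {
    var salt = Math.random() * 10000 | 0;
    return {
      tag: function (value) { return value + ':' + salt; }
    };
  })();
}

// Scope isolation: outside code has no identifier or property that reaches
// the closure variable.
function saltIsReachableFromOutside() {
  var mod = makeModule();
  return typeof salt !== 'undefined' || 'salt' in mod;
}

// Heuristic tamper check: built-ins stringify with "[native code]".
// Advisory only, because the same page context controls toString as well.
function looksNative(fn) {
  return /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// The salt is only as unpredictable as the global it is derived from.
// If Math.random is replaced before the IIFE runs, the salt is fixed.
function saltWithPinnedRandom(pinned) {
  var original = Math.random;
  Math.random = function () { return pinned; };
  try {
    return {
      tagged: makeModule().tag('x'),       // salt is now pinned * 10000 | 0
      flagged: !looksNative(Math.random)   // the replacement is detectable here
    };
  } finally {
    Math.random = original;                // always restore the built-in
  }
}
```

Anything that must hold against the person running the page belongs on the server; a value computed in the browser can only be hidden from other scripts, not from the user.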

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow