By the Breachfin Team
Published: July 21, 2025
Introduction
Modern web applications rely heavily on JavaScript for dynamic user interfaces, payment forms, analytics, and third-party services. But the same flexibility that makes JavaScript so powerful also makes it vulnerable to abuse.
One technique used by attackers to hide malicious activity is obfuscation—rewriting code in a way that makes it difficult to understand, analyze, or detect.
At Breachfin, we use a mathematical concept called entropy to detect when JavaScript is obfuscated. In this article, we’ll explain what entropy means, how it applies to JavaScript, and why it’s one of the best early warning signs of script-based attacks.
What Is Entropy in Simple Terms?
Entropy, in the context of information theory, is a measurement of randomness or unpredictability in data.
In JavaScript, a file that contains readable function names, comments, and regular syntax has low entropy. It looks like natural, human-written code.
But malicious scripts are often obfuscated — using long, random variable names, compressed characters, or encoded payloads — resulting in high entropy.
Why Attackers Use Obfuscation
Attackers use obfuscation to:
- Evade detection by static scanners and signature-based tools
- Hide payloads such as credit card skimmers or keyloggers
- Prevent reverse engineering of their malicious logic
A skimming script might replace all variable names with random characters, remove whitespace, and encode parts of its payload using Base64 or Unicode escapes. To a user or a scanner, it looks like gibberish — unless you measure its entropy.
How Breachfin Uses Entropy Scoring
Breachfin automatically calculates the Shannon entropy of every JavaScript file during a scan. If the score exceeds a certain threshold (e.g., above 7.0 on a 0–8 scale), we flag it as potentially obfuscated.
Here’s how it works:
- Scripts with meaningful, readable logic: entropy ~ 4.5–6.5
- Minified third-party libraries: entropy ~ 6.5–7.0
- Malicious or obfuscated scripts: entropy > 7.0
But entropy alone isn’t enough. That’s why we correlate it with:
- The presence of
eval(),Function(), orsetTimeout("string") - Whether the script has changed since your last scan
- Whether it comes from a trusted or unrecognized source
A Real-World Example
Imagine this snippet is found in a script on your checkout page:
var _0x3f5a=['log','creditCardNumber','1234567890123456'];
(function(_0xa1b2,_0xb3c4){
var _0xabc1=function(_0xd1d2){while(--_0xd1d2){
_0xa1b2['push'](_0xa1b2['shift']());}};_0xabc1(++_0xb3c4);
}(_0x3f5a,0x1f));
To a human, this code is unreadable. To an attacker, it’s a payload obfuscated to avoid detection. To Breachfin, the entropy score is a red flag.
Why This Matters for PCI DSS Compliance
PCI DSS 11.6.1 requires businesses to monitor for unauthorized changes to JavaScript on payment pages. Obfuscated code is a strong indicator of tampering—especially if the file used to be clean.
By calculating entropy, Breachfin doesn’t just look at whether a file changed—we assess how suspicious the change is.
This helps security teams prioritize alerts, reduce false positives, and maintain a defensible audit trail.
Final Thoughts
Entropy is a powerful signal. When combined with hash comparisons, content analysis, and historical baselines, it becomes one of the most effective ways to detect malicious JavaScript before it compromises your checkout experience.
If you’re serving payment pages online and not scanning for high-entropy scripts, you’re leaving a critical visibility gap unaddressed.
Breachfin closes that gap — automatically.
Curious about your entropy exposure?
Start your free scan at breachfin.com and see what your scripts are hiding.
