In the context of a stored XSS attack^, it is used to avoid signature-based detection. Think about malicious JavaScript as a virus. Current virus scanners search for signatures within programs^^ to determine whether a program is a virus or not. Signatures are unique strings^^^ that identify a program. If you can encode your virus as a bunch of symbols, you can avoid detection by automated scanners. Then, once a user loads the page, the decoder function gets called and the malicious JavaScript gets executed.
Of course, a signature could be generated for the decoder function. As is common in many areas of the security industry, signature-based detection is an arms race. Obfuscation is one method the attackers use.
In the context of a reflected XSS^^^^, obfuscation simply makes it less obvious that there is an embedded script.
-
^ JavaScript permanently stored on the vulnerable host's server.
^^ They also use other methods, but signature-based detection has been the primary method used by anti-virus since the industry started.
^^^ In practice they are not unique.
^^^^ JavaScript embedded in a link to a site. The user clicks on the link and the JavaScript gets executed in the context of the vulnerable host.
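
The scanner side of the arms race described in the answer above, as an added example that is not part of the original answer: a raw signature match misses encoded content, while a scanner that decodes layers before matching, and also carries signatures for decoder functions, still flags it. The signature lists, function names and sample strings are constructed for illustration.

```javascript
// Added example: signatures and samples below are constructed for illustration.
const PAYLOAD_SIGNATURES = [/<script\b/i, /\bon\w+\s*=/i, /javascript:/i];
// Signatures for the decoder itself (the next step in the arms race).
const DECODER_SIGNATURES = [/\beval\s*\(/, /\bunescape\s*\(/, /String\.fromCharCode/, /\batob\s*\(/];

// Map a numeric code to a character, tolerating out-of-range values.
const toChar = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");

// Undo one layer of common text encodings (ASCII-level, enough for signature matching).
function decodeOnce(text) {
  return text
    .replace(/%([0-9a-f]{2})/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => toChar(Number(d)))
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, "&")
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => toChar(parseInt(h, 16)));
}

// Decode repeatedly until the text stops changing; the round cap bounds the work.
function normalize(text, maxRounds = 5) {
  let current = text;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Compare what a raw signature match sees with what a normalizing scanner sees.
function scan(text) {
  const normalized = normalize(text);
  return {
    naiveHit: PAYLOAD_SIGNATURES.some((re) => re.test(text)),
    normalizedHit: PAYLOAD_SIGNATURES.some((re) => re.test(normalized)),
    decoderHit: DECODER_SIGNATURES.some((re) => re.test(normalized)),
  };
}

// Constructed samples of stored content submitted for scanning.
const SAMPLES = {
  plain: "<script>alert(1)</script>",
  doubleEncoded: "%253Cscript%253Ealert(1)%253C%252Fscript%253E",
  entityEncoded: "&#x3c;script&#62;alert(1)&#x3c;/script&#62;",
  decoderStub: "eval(unescape('%61%6c%65%72%74%28%31%29'))",
  benign: "Release notes for versions 2 &amp; 3",
};
```
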