JOST (JavaScript Obfuscated Source Testing) is a comprehensive repository of categorized JavaScript obfuscation samples designed for testing and evaluating static analysis tools. qwen3-coder was used to generate the payloads and documentation in this repo.
JOST provides security researchers, tool developers, and analysts with a standardized collection of obfuscated JavaScript code to:
- Test static analysis tool effectiveness
- Benchmark detection capabilities
- Evaluate false positive/negative rates
- Study obfuscation techniques
- Develop better analysis methodologies
Samples are organized into 10 primary categories with subcategories:
- Encoding Obfuscation - Base64, hex, custom encoding
- String Manipulation - Concatenation, template literals
- Control Flow - Conditional obfuscation, jump tables
- Mathematical Obfuscation - Arithmetic, bitwise operations
- Function Obfuscation - Anonymous functions, IIFE patterns
- Variable Obfuscation - Identifier renaming, scope confusion
- Anti-Analysis - Debugger detection, environment checks
- Packing/Compression - Eval wrappers, custom decompression
- Polyglot Obfuscation - Mixed syntax samples
- Mixed Techniques - Layered obfuscation approaches
All samples follow a standardized classification system with:
- Complexity Levels (1-5: Simple to Expert)
- Technique Tags (standardized technique identifiers)
- Metadata Headers (consistent sample information)
- Naming Conventions (structured file names)
See docs/classification-guide.md for complete details.
Browse samples by category to study specific obfuscation techniques and their detection challenges.
Contributions are welcome! Please:
- Follow the classification guide
- Include proper metadata headers
- Use standardized naming conventions
- Ensure samples are non-malicious
- Submit pull requests with clear descriptions
This project is licensed under the MIT License - see the LICENSE file for details.
All samples in this repository are designed for security testing and research purposes only. They contain no actual malicious code but are intended to challenge static analysis tools. Use responsibly and only in appropriate testing environments.