 

Ajax in a Whitebox

 

We have already laid out some of the loopholes that hackers could use. In this article we will look at a very basic hack that even non-developers could carry out, and at how to prevent it.


Personally, I think the biggest problem for any Ajax-based developer is the transparency of the source code. To understand this, let us look at online applications that run in a different language. An HTML application, for example, will only show you source code with the input box and nothing else. That information is useless to hackers, since it reflects only a very small part of what they see. An HTML-based application securely covers its source code and shows practically nothing. A hacker will probably use a sniffer (network traffic analyzer), but it will only show some information about which server is used. At that point a hacker may already create a hacking script, but there is still a long way to go before infiltrating an HTML-based website.


Unfortunately for Ajax, that is not the case. Ajax-based applications have to “show” their source code to the client for the program to work. Finding out the actual source code is as simple as installing the right Firefox add-on that displays the code of the website. Some even say that a website is not secure enough if even the FrontPage application can show its source code. With that, hackers will know practically everything about your website and its processes. If they have a sniffer, they can immediately build a small script to hack your website.


There are three recommendations I can give to help keep others from seeing the actual source code:


1. Obfuscate JavaScript – quite an advanced word, but it simply tells the developer to confuse the hacker about what has been written. There are tools you can use to build a confusing website. But this will only confuse the hacker, not the system. It will probably discourage the hacker, but if the attacker sees the formula, you are back to square one in security.


2. Disable Right-Click Function – Remember those pesky messages you see on simple websites that do not allow copying? That will probably work on your website, but not for long. Again, you are just buying some time before a hacker thinks of alternatives to access your site. But this is especially good for protecting yourself against newbie hackers.


3. Code Compression – There are web development companies that sell tools for code compression. To put it simply, the code is scrambled so that it will never be understood by any tool hackers use. Since this is a very complicated security tool, be sure to set aside a little funding, since these code compression tools will cost you.


Remember, the first two tips are just simple tricks to buy you time. Use them while you are still looking for a proper compression tool for your code.
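Point 1 notes that obfuscation confuses the reader but not the system. The added example below (not from the original article; the endpoint, the helper names and the toy obfuscator are made up for illustration) shows why: the obfuscated script must still run unchanged on the client, so its behaviour and its string literals stay recoverable.

```javascript
// Constructed sample: a tiny Ajax-style helper. The endpoint and parameter
// names are made up for this example.
const original = `
function buildRequest(user, amount) {
  var endpoint = "/api/transfer";
  var query = "user=" + encodeURIComponent(user) + "&amount=" + amount;
  return endpoint + "?" + query;
}`;

// Toy obfuscator (hypothetical, stands in for a real tool): hex-escapes every
// string literal, then renames the function and its local identifiers.
function obfuscate(src) {
  const renames = { buildRequest: "_0xa", endpoint: "_0xb", query: "_0xc",
                    user: "_0xd", amount: "_0xe" };
  let out = src.replace(/"([^"]*)"/g, (_, s) =>
    '"' + [...s].map(c => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("") + '"');
  for (const [from, to] of Object.entries(renames)) {
    out = out.replace(new RegExp("\\b" + from + "\\b", "g"), to);
  }
  return out;
}

// Evaluate a source string and hand back the named function, the way a
// browser would after downloading the script.
function load(src, name) {
  return new Function(src + "\nreturn " + name + ";")();
}

// Undo the hex escapes: every string literal comes back in the clear.
function recoverStrings(src) {
  return [...src.matchAll(/"((?:\\x[0-9a-f]{2})+)"/g)].map(m =>
    m[1].replace(/\\x([0-9a-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))));
}

const obfuscated = obfuscate(original);
console.log(obfuscated);                          // unreadable at a glance
console.log(load(obfuscated, "_0xa")("bob", 5));  // same result as the original
console.log(recoverStrings(obfuscated));          // literals back in plain text
```

The renamed, escaped script produces the same request string as the original, which is the sense in which the system is not confused.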


