An ADsafe Ajax Based Website

 

Ads can be considered the lifeblood of any website. However, ads can also be used as a means of attack, especially against Ajax-based websites. JavaScript is known to be highly vulnerable to outside attacks.


Some developers of Ajax-based websites accept advertisements to keep their operations running. But this need is often exploited, and as a result the Ajax-based website becomes susceptible to different types of attacks.


But there is a way to improve an Ajax-based website's security while keeping its environment ad-friendly.


Using JSLint

JSLint may be the best security tool that a developer can apply to an Ajax-based application. JSLint simplifies the code, making it stronger against attacks because only the best information will be admitted.


Longer code will often request links outside the server, which could be used as a vehicle to insert unauthorized scripts. With the help of JSLint, the proper subsets of HTML and JavaScript are defined.


Features that could be harmful to the Ajax-based website are removed with JSLint. Developers may find themselves coding the website again, but JSLint points out the problems, which should be addressed quickly.


Variables and Words

The following words should not be used in Ajax-based websites that plan to use external ads:


• source
• toString
• apply
• call
• callee
• caller
• clone
• this
• toSource
• constructor
• eval
• new
• prototype
• watch


These words tell the website to fetch information from outside the server. Some of them also tell the website to interact with outside information without proper evaluation. Attackers could use this to insert scripts and eventually infiltrate the Ajax-based website.


Interaction with any type of global variable should also be minimized or, if possible, prevented. Developers often use global variables to enable interaction with other information sources, whatever their programming language. Although this feature can provide the information developers need without straining the server, it can pose significant problems because those sources may have no security features.


Lastly, the subscript [ ] should never be used, nor should words that start with _.
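As an added illustration (not part of the original article and not JSLint's own code), the sketch below scans an ad widget's source for the restricted words, names starting with _ and [ ] subscripts listed above. The names checkAdCode, SAMPLE_WIDGET and the rule labels are hypothetical, and the tokenizer is deliberately small: it skips comments and quoted strings but does not understand regex or template literals.

```javascript
// Added example: simplified checker for the restrictions listed in this section.
const BANNED = new Set([
  "source", "toString", "apply", "call", "callee", "caller", "clone",
  "this", "toSource", "constructor", "eval", "new", "prototype", "watch",
]);
// Keywords after which "[" opens an array literal rather than a subscript.
const ARRAY_STARTERS = new Set(["return", "typeof", "in", "of", "case", "throw", "delete", "void"]);
// Comments and strings come first so banned words inside them are not flagged.
const TOKEN = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|[A-Za-z_$][\w$]*|\n|\S/g;
const IDENT = /^[A-Za-z_$]/;

function checkAdCode(src) {
  const findings = [];
  let line = 1;
  let prev = ""; // previous significant token, used to tell a[i] from [1, 2]
  for (const [tok] of src.matchAll(TOKEN)) {
    if (tok === "\n") { line += 1; continue; }
    if (tok.startsWith("//")) continue;
    if (tok.startsWith("/*")) { line += tok.split("\n").length - 1; continue; }
    const isName = IDENT.test(tok);
    if (isName && BANNED.has(tok)) findings.push({ line, rule: "banned-word", text: tok });
    if (isName && tok.startsWith("_")) findings.push({ line, rule: "underscore-name", text: tok });
    // "[" directly after a name, ")", "]" or a string is a subscript.
    const afterValue = (IDENT.test(prev) && !ARRAY_STARTERS.has(prev)) || /[\])"']$/.test(prev);
    if (tok === "[" && afterValue) findings.push({ line, rule: "subscript", text: tok });
    prev = tok;
  }
  return findings;
}

// Constructed sample of third-party ad widget code (not from the article).
const SAMPLE_WIDGET = [
  "var slots = [1, 2];            // array literal: allowed",
  "var note = 'do not eval this'; /* eval in a string: ignored */",
  "var first = slots[0];",
  "var F = box.constructor;",
  "box._private = new F();",
].join("\n");

for (const f of checkAdCode(SAMPLE_WIDGET)) {
  console.log(`line ${f.line}: ${f.rule} (${f.text})`);
}
```

A check like this is only a pre-filter for review; it does not replace running the widget through JSLint.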


Disadvantages

Unfortunately, this type of security feature in an Ajax-based application will not provide complete security. Some ECMAScript features that deal with outside information can never be used.


Changes in browsers have also posed challenges for developers. Every time a browser update is released, developers have to work double time to determine what has changed and how it affects the application, and to provide the necessary security patches. Developers should implement security updates as soon as possible, or else attackers will beat them to it.


Cross-site scripting (XSS) is still not addressed by this security feature. But security tips for preventing XSS can be found online. Developers just have to dig deeper to ensure their Ajax-based websites are secure and ad-friendly at the same time.


