JavaScript Packers
JavaScript packers are a programming technique used by JavaScript developers who want to provide encryption for their application. Since this is considered a challenging process, the technique often requires a separate application that serves as the “packer” for the code.
By providing encryption, developers hope to add extra security to their JavaScript and Ajax-based applications. As Ajax and JavaScript are very susceptible to attacks, an additional tool for increasing their security should be seen as a good thing.
But recent reports suggest a different story. Security companies are now advising developers to avoid JavaScript packers as much as possible. Instead of increasing the security of the online application, packers only increase its susceptibility to attacks. JavaScript packers might even consume JavaScript resources, which slows down the application.
Unfortunately, the presence of JavaScript packers does not prevent attacks, as the online application can still be decoded with simple, free tools available online. Caffeine Monkey can show the entire code of the application in text format in seconds.
Attackers now interpret the presence of a JavaScript packer as a “hint” that something is being kept hidden there. All they need to do is run Caffeine Monkey, extract the code and develop a script that defeats it. Instead of scaring off would-be attackers, JavaScript packers only invite them.
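To show why an eval-based packer gives no confidentiality, here is an added example (not from the original article, and not the Caffeine Monkey tool): a constructed toy packer, plus a few lines that recover its input by substituting a capturing function for `eval`. The names `pack`, `unpack`, `demo` and the sample script are assumptions made for the illustration.

```javascript
// Constructed toy packer: hides the source as character codes and rebuilds it
// with eval() at load time, the pattern eval-based packers rely on.
function pack(source) {
  const codes = source.split('').map((ch) => ch.charCodeAt(0)).join(',');
  return `eval(String.fromCharCode(${codes}))`;
}

// Recover the original text without running it: execute only the decoder stub,
// with a parameter named "eval" shadowing the real eval so that the decoded
// string is captured instead of evaluated. Repeats for nested layers.
function unpack(packed, maxLayers = 10) {
  let current = packed;
  let layers = 0;
  while (layers < maxLayers && /^\s*eval\s*\(/.test(current)) {
    let captured = null;
    const stub = new Function('eval', current); // sloppy-mode function body
    stub((decoded) => { captured = String(decoded); });
    if (captured === null) break; // stub never reached its eval call
    current = captured;
    layers += 1;
  }
  return { source: current, layers };
}

// Constructed sample: a client-side "secret" the developer hoped to hide.
const SAMPLE = 'function checkKey(k) { return k === "DEMO-KEY-CONSTRUCTED"; }';

function demo() {
  const packed = pack(pack(SAMPLE)); // two layers of packing
  const result = unpack(packed);
  return {
    hiddenInPacked: !packed.includes('DEMO-KEY-CONSTRUCTED'),
    recovered: result.source === SAMPLE,
    layers: result.layers,
  };
}

console.log(demo());
```

The decoder stub itself still executes during unpacking, so scripts of unknown origin belong in an isolated analysis environment.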
Targeting the Web Server
The insecurity of JavaScript packers stems from the fact that they only protect the code, and even that protection is highly doubtful. But granted that they do protect the application’s code, the JavaScript packer, or more accurately the developer, misses what is even more important: the security of the web server.
An Ajax or JavaScript-based application is still a client-side application. But no online application in the world will work without the web server. With an efficient web server, the Ajax-based application can easily stream data without refreshing its entire content.
Attacks do not target the client-side interface since the information there is too small. But if an attacker targets the web server, the attacker will know practically everything about the application, including the user’s information. They can simply place a small script there to hijack the entire application and retrieve personal information at will.
Being Obscure is Not Secure
There is a general idea that obscuring your application means increased security. While it is highly doubtful that JavaScript packers actually obscure your application, this concept is not true at all. Obscuring your application will only affect users, since they will have a hard time working with the application. Obscurity is never a challenge to attackers. In fact, obscurity is helpful to attackers, since they will target applications that try to be obscure.
Instead of focusing on the client side, increase security on the web server while securing the client-side code. JavaScript packers only lead to a false sense of security that could expose the website and the business attached to it to massive security concerns.
