Securing your website’s HTML source code

Have you ever considered the security risks of running an unsecured web application? For banks and large corporates this is obviously relevant, even important, but my thinking is that basic protection of your HTML source is a useful capability for anyone. I realized this while making Ocuara – A Mafia Lifestyle Game (www.ocuara.com), and I think securing code can add a lot of value.

Now this does rely on JavaScript and is an immediate SEO no-no; but then most administrative consoles do not need SEO, they need security! There are many websites out there, like samy.pl, that have their source code secured using a similar technique. It’s really quite simple.

What options exist today to secure your code?
– Using SSL (can break some functionality)
– Using multiple pages and invoking these pages via AJAX (easy to bypass)
– Using some basic javascript ‘packer’ or something like that (easy to break using jsbeautifier)
– Write your code in a really complicated manner (makes it impossible to maintain)
– Use an obscuring toolkit to secure the code (preferred)

The last option is my favourite. You can download a copy of my HTML Obscuring Toolkit from here – http://apps.vcio.in/Chaitanya%60s%20HTML%20Obscuring%20Tool/publish.htm (you’ll need an updated copy of Windows to use it).

The result of the obscuring toolkit I’ve programmed is this:


<!DOCTYPE html>

<html>
<head><title>.:: The world of Ocuara ::.</title></head>
<body>
<script type="text/javascript">
/*
* - Secured by Chaitanya's HTML Obscuring tool (http://cbd.vcio.in/2014/02/20/securing-your-websites-html-source-code) -
*// /.source.replace(/.{7}/g, function (w) {document.write(String.fromCharCode(parseInt(w.replace(/ /g,'0').replace(/\t/g,'1'),2)))});
</script>
</body>
</html>

How much sense does this make to the average user? Little to none; in fact, if we run a packing tool before using my obscuring tool, the output becomes that much more complicated/secure.
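To make the mechanism behind that output concrete, here is an added example (it is not the tool's or the post's own code) that implements the encoding the page's one-line decoder reverses, in both directions, and builds a wrapper page of the same shape. Everything about the format is taken from the decoder shown above: each character becomes seven whitespace characters, a space for a 0 bit and a tab for a 1 bit, read back with parseInt(..., 2). The function names, the 7-bit ASCII restriction, and the sample HTML are assumptions of this example.

```javascript
// Added example, not the tool's or the post's own code: the whitespace
// encoding that the decoder on the page reverses, written in both
// directions so it can be studied offline. Assumed from that decoder:
// 7 characters per input character, space = 0 bit, tab = 1 bit, so only
// 7-bit ASCII input is representable.

// Encode a plain HTML string into the space/tab form.
function encodeWhitespace(html) {
  let out = "";
  for (const ch of html) {
    const code = ch.charCodeAt(0);
    if (code > 127) {
      throw new Error("7-bit ASCII only: cannot encode " + JSON.stringify(ch));
    }
    const bits = code.toString(2).padStart(7, "0");
    out += bits.replace(/0/g, " ").replace(/1/g, "\t");
  }
  return out;
}

// Decode: the same logic as the page's one-liner, but it returns the HTML
// instead of calling document.write, so it runs outside a browser.
function decodeWhitespace(encoded) {
  let out = "";
  encoded.replace(/.{7}/g, function (w) {
    out += String.fromCharCode(parseInt(w.replace(/ /g, "0").replace(/\t/g, "1"), 2));
    return w;
  });
  return out;
}

// Build a wrapper page in the shape the post shows: the encoded bytes sit
// inside a regex literal whose .source the decoder reads back. The encoded
// text is only spaces and tabs, so it is always a valid regex body.
function wrapAsPage(html, title) {
  const decoder =
    ".source.replace(/.{7}/g, function (w) {document.write(String.fromCharCode(" +
    "parseInt(w.replace(/ /g,'0').replace(/\\t/g,'1'),2)))});";
  return (
    "<!DOCTYPE html>\n<html>\n<head><title>" + title + "</title></head>\n<body>\n" +
    '<script type="text/javascript">\n/' + encodeWhitespace(html) + "/" + decoder +
    "\n</script>\n</body>\n</html>\n"
  );
}

// Constructed sample input for a stand-alone run (not a real page).
const SAMPLE_HTML = "<h1>Hello, Ocuara</h1>";

if (typeof require !== "undefined" && require.main === module) {
  const encoded = encodeWhitespace(SAMPLE_HTML);
  console.log("encoded length:", encoded.length, "= 7 x", SAMPLE_HTML.length);
  console.log("decoded:", decodeWhitespace(encoded));
  console.log(wrapAsPage(SAMPLE_HTML, "demo"));
}
```

Running it under Node prints the encoded length (seven times the input length), the decoded HTML, and a complete wrapper page; pasting that page into a browser reproduces the original markup through document.write, exactly as the tool's output does.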

While it’s true that HTML is inherently insecure and difficult to secure, it’s also true that we can make the code sufficiently hard to view and understand that the people attempting to hack it simply “give up”.

The tool offered here (free of course) is purely a sample of what this concept can do. If you really need help encrypting your website and securing it from the outside world, call me 🙂

Here’s that URL again if you’d like to try it out: http://apps.vcio.in/Chaitanya%60s%20HTML%20Obscuring%20Tool/publish.htm

How to use Chaitanya’s HTML Obscuring Tool:
1. Install
2. Place the HTML of your page in the left hand side box (this must be PLAIN html – no C#, no PHP, nothing else)
3. Then copy out whatever comes in the right hand side box (this is the encrypted html) and place it in that page.
4. This is designed to encrypt one full page at a time – not a part of a page. If you need partial encryption/encoding or additional protection for your server-side (C#, PHP, VB.NET, etc) code give me a call and I’ll offer some solutions that worked for me.

EEEK My database just DIED!


Oh no! My database services just went dead. All the datastore files are corrupt!! ARRRGGHH I MUST HAVE A VIRUS!!

That is what I thought, but it turned out to be something more interesting. Something more mundane. This is the true, uncensored story of what happened and what I did about it.

So you must have heard of something called ‘anti-virus’ software.

Funny thing: many anti-virus products today force themselves into database files and database processes, and sometimes, as a result of this clearly intrusive cavity search, the relevant processes just give up and die.

Thankfully my new favourite antivirus of all time, Windows Defender, can accept a list of exclusions (programs not to slaughter, locations not to peep into, etc.), as you can see from the shots below.

[Screenshots: Windows Defender exclusion settings, “Exclude Files” and “Exclude Processes”]

Does this really reduce the stability/security of the system? I doubt it, as these are known processes and known locations, known only to you, that are excluded. Naturally you’ll have a firewall and other security measures in place, so selectively relaxing security in the interest of data integrity is not a bad idea.
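The same file and process exclusions can be set from an elevated PowerShell prompt on systems where the Defender cmdlets are available, which is handy when you have several database servers to configure. This is an added example, not part of the original post; the data directory and engine path are placeholders to replace with your own.

```powershell
# Added example, not from the original post. The two paths are placeholders:
# point them at your own datastore directory and database service executable.
$dataDir = 'D:\Databases\Data'                    # placeholder: where the datastore files live
$engine  = 'C:\Program Files\MyDb\dbengine.exe'   # placeholder: the database engine process

# Exclude the data directory (files) and the engine (process) from scanning.
Add-MpPreference -ExclusionPath $dataDir
Add-MpPreference -ExclusionProcess $engine

# Verify that the exclusions were recorded.
$prefs = Get-MpPreference
'Excluded paths:';     $prefs.ExclusionPath
'Excluded processes:'; $prefs.ExclusionProcess

# To undo later:
# Remove-MpPreference -ExclusionPath $dataDir
# Remove-MpPreference -ExclusionProcess $engine
```

Keep the exclusions as narrow as the screenshots above imply: the specific data directory and the specific engine executable, rather than a whole drive or a generic process name, so that only the database’s own files and process are left unscanned.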

On the flip side – you may go “EEEK! I JUST LOST MY DATA!” 😉