Tag Archives: Website Protection

Securing your website’s HTML source code

Have you ever considered the security risks of using an unsecured web application? Surely for banks and large corporates this is relevant, even important – but my thinking is basic security for your HTML code is a very useful capability. I realized this while making Ocuara – A Mafia Lifestyle Game (www.ocuara.com) – and I think securing code can add a lot of value.

Now this does utilize javascript and is an immediate SEO no-no; but then most administrative consoles do not require SEO, they need security!! There are many websites out there – like samy.pl – that have their source code secured using a similar technique. It’s really quite simple.

What options exist today to secure your code?
– Using SSL (can break some functionality)
– Using multiple pages and invoking these pages via AJAX (easy to bypass)
– Using some basic javascript ‘packer’ or something like that (easy to break using jsbeautifier)
– Write your code in a really complicated manner (makes it impossible to maintain)
– Use an obscuring toolkit to secure the code (preferred)

The last option is my favourite. You can download a copy of my HTML Obscuring Toolkit from here – http://apps.vcio.in/Chaitanya%60s%20HTML%20Obscuring%20Tool/publish.htm (you’ll need and updated copy of Windows to use it).

The result of the obscuring toolkit I’ve programmed is this:

< !DOCTYPE html>

<head><title >.:: The world of Ocuara ::.</title></head>
<script type="text/javascript">
* - Secured by Chaitanya's HTML Obscuring tool (http://cbd.vcio.in/2014/02/20/securing-your-websites-html-source-code) -
*// /.source.replace(/.{7}/g, function (w) {document.write(String.fromCharCode(parseInt(w.replace(/ /g,'0').replace(/ /g,'1'),2)))});

How much sense does this make to the average user? Little to none; in fact if we use a packing tool before using my obscuring tool it makes the output that much more complicated/secure.

While it’s true HTML is inherently insecure and difficult to secure, its also true that we can make the code sufficiently hard to view and understand that the people attempting to hack it simply “give up”.

The tool offered here (free of course) is purely a sample of what this concept can do. If you really need help encrypting your website and securing it from the outside world, call me 🙂

Here’s that URL again if you’d like to try it out: http://apps.vcio.in/Chaitanya%60s%20HTML%20Obscuring%20Tool/publish.htm

How to use Chaitanya’s HTML Obscuring Tool:
1. Install
2. Place the HTML of your page in the left hand side box (this must be PLAIN html – no C#, no PHP, nothing else)
3. Then copy out whatever comes in the right hand side box (this is the encrypted html) and place it in that page.
4. This is designed to encrypt one full page at a time – not a part of a page. If you need partial encryption/encoding or additional protection for your server-side (C#, PHP, VB.NET, etc) code give me a call and I’ll offer some solutions that worked for me.