We recently received a question that made me wonder if we really were in 2016: "Can the Barracuda Web Application Firewall block users from performing right-click -> View Source?" For an instant, it took me back to the early 2000s, when every conceivable method of "protection" was being implemented, including blocking right-click to stop people from viewing the source of a web page or downloading a file from it. This time the question was asked with securing the website in mind. The reasoning went: if right-click and View Source are blocked, an attacker cannot see the source code of the web page, so they cannot figure out how to "hack" us or steal our source code.
There is some logic in the request. If an attacker cannot view the source of a web page, they are at a slight disadvantage. Very often, viewing the source reveals hidden form fields, optional elements, commented-out code and session identifiers (among other things) that speed things up from an attacker's point of view. But right-click blocking only disables a browser menu; the browser still has to receive the HTML to render it, so the same source is available through the browser's developer tools, through a debugging proxy such as Fiddler, or through any HTTP client or automated scanner, many of which are freely available on the Internet.
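To make that concrete, here is an added example (not code from the original post or from Barracuda): a small Python script that receives a page the same way curl or a proxy would and pulls out exactly the items the paragraph above lists. The HTML is a constructed sample page that uses the usual right-click and Ctrl+U blocking; the field names, values and paths in it are made up for illustration.

```python
"""Added example: the 'protected' page reaches any HTTP client unchanged,
so hidden fields, hidden links and comments are trivially harvested.
The sample page, its field names and its paths are constructed for this
illustration and do not come from any real site."""
import urllib.request
from html.parser import HTMLParser

SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head>
<title>Account</title>
<!-- build 2016.11 ; session token is rotated by /api/session -->
<script>
  // "protection": disable right-click and Ctrl+U in the browser
  document.oncontextmenu = function () { return false; };
  document.onkeydown = function (e) { if (e.ctrlKey && e.keyCode == 85) return false; };
</script>
</head>
<body oncontextmenu="return false">
<form action="/account/update" method="post">
  <input type="hidden" name="user_id" value="1042">
  <input type="hidden" name="role" value="user">
  <input type="hidden" name="csrf_token" value="d41d8cd98f00b204">
  <input type="text" name="email" value="alice@example.com">
  <input type="submit" value="Save">
</form>
<a href="/admin/reports" style="display:none">Reports (admin only)</a>
</body>
</html>
"""


def fetch_source(url):
    """Fetch a live page without a browser (hypothetical helper; not used by the test).
    There is no right-click to block: the raw HTML is the HTTP response body."""
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8")


class SourceInspector(HTMLParser):
    """Collect the things an attacker looks for when reading page source."""

    def __init__(self):
        super().__init__()
        self.hidden_fields = {}      # name -> value of every <input type="hidden">
        self.forms = []              # (METHOD, action) for every <form>
        self.comments = []           # HTML comments often leak build/session details
        self.hidden_links = []       # links the page tries to hide with display:none
        self.blocks_context_menu = False  # did the page try to disable right-click?

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute names are lower-cased by HTMLParser
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_fields[a.get("name", "")] = a.get("value", "")
        elif tag == "form":
            self.forms.append((a.get("method", "get").upper(), a.get("action", "")))
        elif tag == "a" and "display:none" in a.get("style", "").replace(" ", ""):
            self.hidden_links.append(a.get("href", ""))
        if "oncontextmenu" in a:
            self.blocks_context_menu = True

    def handle_data(self, data):
        # <script> bodies arrive here as plain text, so the JS "protection" is visible too
        if "oncontextmenu" in data:
            self.blocks_context_menu = True

    def handle_comment(self, data):
        self.comments.append(data.strip())


def inspect_source(html):
    """Parse page source and return the populated SourceInspector."""
    inspector = SourceInspector()
    inspector.feed(html)
    inspector.close()
    return inspector


if __name__ == "__main__":
    result = inspect_source(SAMPLE_PAGE)   # replace with inspect_source(fetch_source(url)) for a live page
    print("right-click blocked in browser:", result.blocks_context_menu)
    print("hidden fields:", result.hidden_fields)
    print("forms:", result.forms)
    print("hidden links:", result.hidden_links)
    print("comments:", result.comments)
```

The script never renders the page, so the JavaScript that disables the context menu never runs; it is just more text to read. Everything the right-click block was meant to protect (the hidden `role` and `user_id` fields, the CSRF token, the hidden admin link and the comment mentioning the session endpoint) comes out in a few lines of parsing, which is the same work a scanner or proxy does automatically.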
A quick glance around the internet will show how much users scorn sites that use right click blocking and similar methods. The minor security advantage that it provides does not make up for the user exasperation that it causes.
Blocking "View Source" is security through obscurity. Such methods should not be relied upon to provide significant protection, and security through obscurity is discouraged by standards bodies such as NIST, whose guidance says system security should not depend on the secrecy of the implementation. That it does not work was demonstrated as far back as 1851, when Alfred Charles Hobbs exposed the weaknesses of the then state-of-the-art locks by picking them publicly. When others worried that he was handing these flaws to criminals and making the locks more vulnerable, he replied: "Rogues are very keen in their profession, and know already much more than we can teach them." The same is true of the people who want to break into your site, and the automated tools they use are not slowed down by this kind of obscurity at all.
So what do you do to protect your site in this case? Ideally, you use a Web Application Firewall. A Web Application Firewall is a specialized firewall that sits in front of your web applications and inspects the HTTP traffic itself, protecting them from application layer attacks that a network firewall, IPS or IDS cannot detect or block.
While using a Web Application Firewall might seem complex, securing your web application need not be difficult. The Barracuda Web Application Firewall exists to secure your web applications easily and give you peace of mind. Once you deploy it in front of your web application, it is straightforward to set up an HTTPS front end and enable full application security. The Barracuda Web Application Firewall protects against the common classes of web attacks, including application DDoS and web scraping. We offer several deployment options, including physical and virtual appliances, and Azure, AWS, and vCloud Air. Try it in your environment for 30 days, risk-free.
In December 2016, we are running a webinar on Deconstructing Web-based Attacks. In this webinar, we will talk about some of the big hacks from the past year, revealing how they happened. We’ll also talk about the Barracuda Web Application Firewall and Barracuda Vulnerability Manager, and how they can help protect you against these attacks. Look out for more information on attending this webinar series soon!
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.