
I am using jQuery Ajax in a few of my pages. This jQuery Ajax is called using a function which takes a few parameters, which then makes a call to jQuery Ajax and inserts a record into the database. My question is how can I secure this web service call.

Example

In the .aspx page I have placed the jQuery Ajax code.

This jQuery Ajax function takes a parameter which I will be passing on the hyperlink, and this call is publicly accessible on doing view-source in the browser. My question is how can I secure the parameters passed on hyperlink click to the jQuery Ajax function.

One possible way I can think of is to encrypt the data and assign it to the hyperlink, so if anybody does view-source in the browser he can only get encrypted data; I can then decrypt this data in the web service and do the manipulation. But I am looking for a better approach to this problem. Does anyone have any idea?

  • Secure against **what**? – SLaks May 11 '12 at 20:23
  • What type of security are you looking for? You can do anything from SSL, to encryption. More importantly, why does it need to be secure? What are you sending that is sensitive? – Thinking Sites May 11 '12 at 20:23
  • Also, what environment are you running in? There may be server-side protections available as well. – Jeffrey Blake May 11 '12 at 20:24
  • Your security is going to take place on the server end, not in JavaScript. Not sure what your back end is written in, but you need to protect from injection there. – AJak May 11 '12 at 20:24
  • So you're worried about someone being able to inject information into your database? Or that you don't want them seeing the URL and/or the default params that are being sent via Ajax? If so, also wondering why those params need to be encrypted... seems odd – AJak May 11 '12 at 21:06

1 Answer


As has already been pointed out, it depends on what exactly you are trying to achieve, but assuming you just want to make sure the function isn't available to anyone who types in the URL, one option would be to check whether the user is logged in on the backend that handles the Ajax call, if you have a login system in place.

Additionally you can check the HTTP_X_REQUESTED_WITH header which jQuery sets when it sends an ajax request (see here Detect Ajax calling URL) but do note that implementing exclusively that will not make the site invulnerable, since it is possible for an attacker to fake the headers.

Mahn
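
The server-side checks described in the answer and comments, as an added example that is not code from the original post. It is a Python model of the handler rather than ASP.NET code; `handle_insert`, the `favourites` table, the `item_id` parameter and the session values are hypothetical names made up for illustration.

```python
import sqlite3

# Constructed sample data: server-side session store and an in-memory database.
SESSIONS = {"s3ss10n-alice": "alice"}  # session cookie value -> logged-in user
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE favourites (owner TEXT, item_id INTEGER)")


def handle_insert(headers, cookies, params):
    """Model of the endpoint the jQuery Ajax call posts to. Returns (status, body)."""
    # 1. Authentication comes from server-side session state, never from
    #    anything visible in the page source.
    user = SESSIONS.get(cookies.get("session_id", ""))
    if user is None:
        return 401, "login required"

    # 2. X-Requested-With is only a hint: any HTTP client can send it, so it
    #    screens out casual direct hits but is not a control on its own.
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return 400, "ajax requests only"

    # 3. Validate the parameter that came from the hyperlink. It is untrusted
    #    input whether or not it was encrypted or hidden in the markup.
    try:
        item_id = int(params.get("item_id", ""))
    except (TypeError, ValueError):
        return 400, "bad item_id"
    if item_id <= 0:
        return 400, "bad item_id"

    # 4. Parameterised insert; the owner is taken from the session, so a
    #    caller cannot write rows on behalf of another user.
    db.execute("INSERT INTO favourites (owner, item_id) VALUES (?, ?)",
               (user, item_id))
    db.commit()
    return 200, "ok"


if __name__ == "__main__":
    ajax = {"X-Requested-With": "XMLHttpRequest"}
    # Header present but no session: rejected before anything else is read.
    print(handle_insert(ajax, {}, {"item_id": "7"}))
    # Logged-in user with a valid parameter: accepted.
    print(handle_insert(ajax, {"session_id": "s3ss10n-alice"}, {"item_id": "7"}))
    # Logged-in user with a malformed parameter: rejected by validation.
    print(handle_insert(ajax, {"session_id": "s3ss10n-alice"}, {"item_id": "7; --"}))
```
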