
As a lot of you know, JavaScript functions or methods can be run through the browser address bar. I want to prevent that from happening. What kind of concept should I use so that the user does NOT know what has to go into my function's arguments, so that when it is run from the address bar it would NOT work!?

I wanna use a concept just like the twitter-follow-button. But if people know specific things (id, date etc.) they can hack it through gaining more followers and stuff. I only want it to run when it gets clicked.

Using programs: PHP, jQuery, CSS, so the examples can be based on the above.

Any help appreciated. Thanks in advance.

Oguzhan
  • You should never trust anything from the client side. You should be validating actions like this on the server. Develop some simple client to server relationship and you shouldn't have to worry about this. – Ben Jul 24 '12 at 19:58

3 Answers


JavaScript functions or methods can be run through the browser address bar. I want to prevent that happening

You can't.

I want to prevent that from happening. What kind of concept should I use so that the user does NOT know what has to go into my function's arguments, so that when it is run from the address bar it would NOT work!?

You can obfuscate code, but that won't prevent it being reverse engineered or simply rewritten. It is the HTTP requests that matter, not the JS that makes them.

I wanna use a concept just like the twitter-follow-button. But if people know specific things (id, date etc.) they can hack it through gaining more followers and stuff.

You need to, on the server, authenticate that the user making the request is allowed to make the request. In that particular instance you can do it by using the session data for the currently logged in user to determine which user becomes the follower.

You should also implement CSRF protection so that another site can't forward users to your site.

You can't trivially stop Mallory from giving Alice some JavaScript to put in the address bar which will make the requests. That's a social engineering attack. Browsers are implementing protection against it now though (e.g. blocking javascript: URIs from the address bar and making people use the developer tools instead).

You can implement rate limiting so that a script can't make a user follow 10s of people in a short period of time.

You could have the request be one that requires a full page request to a different subdomain, and have that subdomain pull up a confirmation request back to the original server. Since the user has to interact with data from two host names, a single pasted script won't be able to go through the full process (since the same origin policy exists). That is probably overkill though.

Quentin
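A server-side sketch of what the answer above recommends (follower taken from the session, CSRF token checked, rate limit applied), as an added PHP example that is not code from the original post. It assumes `$_SESSION['user_id']` was set at login, that a CSRF token was generated with `bin2hex(random_bytes(32))`, stored in `$_SESSION['csrf_token']` and embedded in the page when it was rendered, and a hypothetical `follow()` persistence function.

```php
<?php
// follow.php: added example, not from the original post. Assumes the session
// already holds the logged-in user's id and a CSRF token issued at render time,
// plus a hypothetical follow(int $follower, int $followee) persistence function.
session_start();

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. State-changing actions only via POST, and only for an authenticated session.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'POST required');
}
if (empty($_SESSION['user_id']) || empty($_SESSION['csrf_token'])) {
    deny(401, 'login required');
}

// 2. CSRF: the token sent in the request body must match the session copy
//    (constant-time compare), so another site cannot forge the follow request.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || !hash_equals($_SESSION['csrf_token'], $token)) {
    deny(403, 'bad CSRF token');
}

// 3. The follower is whoever is logged in; the client is never asked who it is,
//    so a pasted script cannot make someone else the follower.
$follower = (int) $_SESSION['user_id'];
$followee = filter_input(INPUT_POST, 'user', FILTER_VALIDATE_INT);
if ($followee === false || $followee === null || $followee === $follower) {
    deny(400, 'invalid target');
}

// 4. Rate limit: at most 10 follows per 60 seconds for this session
//    (sliding window kept in the session, assumption: single-server setup).
$now = time();
$_SESSION['follow_times'] = array_values(array_filter(
    $_SESSION['follow_times'] ?? [],
    fn(int $t) => $t > $now - 60
));
if (count($_SESSION['follow_times']) >= 10) {
    deny(429, 'too many follows, slow down');
}
$_SESSION['follow_times'][] = $now;

follow($follower, $followee); // hypothetical: insert the row, ignore duplicates
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

The jQuery click handler only needs to POST the target user id and the embedded token; nothing the client sends decides who the follower is.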

I think your best approach is to avoid adding any variables to the global scope.

Things that are unreachable globally would not be accessible from anonymous functions on the page, the address bar, etc. Provided there's no way to inject script into your page, you should be pretty safe.

Other than that, I don't believe there's a way to prevent a user from running script on the address bar.

Mike Christensen

In short, the way you describe it, it is not possible.

bPratik