
I am using Ajax post methods and don't know whether these are secure. I am worried about Ajax security. My code is below; how can I secure my application? I used a normal post form with AntiForgeryToken; is there something like that for Ajax?

Javascript:

$(function() {
    var btn = $('.alignleft').find('input[name=loginbutton]');
    btn.click(function() {
        $.post("/profile/login", { us: $('#User').val(), pw: $('#Pass').val(), ajaxForm: true },
            function(result) {
                // The action returns Json(new[] { "..." }), i.e. a one-element array;
                // take its first element instead of relying on ["ok"] == "ok" coercion.
                var code = $.isArray(result) ? result[0] : result;
                if (code == "empty")
                    noty({ text: 'Şifre ve kullanıcı bilgilerinizi girin', type: 'information' }); // "Enter your password and user details"
                else if (code == "wrong")
                    noty({ text: 'Kullanıcı adı/eposta veya şifre yanlış.', type: 'warning' }); // "Username/e-mail or password is wrong."
                else if (code == "blok") {
                    noty({ text: 'Tekrar eden yanlış denemelerden dolayı sisteme girişiniz 15 dk. engellendi.', type: 'error' }); // "Because of repeated wrong attempts your login has been blocked for 15 min."
                    $('#dialog').delay(2000).fadeOut(200);
                    // .delay() only affects the animation queue, so removeClass() has to be scheduled explicitly
                    setTimeout(function() { $('#dialog-mask').removeClass('dialogmask'); }, 1000);
                } else if (code == "ok") {
                    $('#dialog').fadeOut(1000);
                    $('#dialog-mask').removeClass('dialogmask');
                    location.href = '/';
                } else if (code == "ban") {
                    location.href = '/error/banned';
                }
            });
        return false; // stop the surrounding form from submitting normally
    });
});

The ActionResult returns JSON data:

[HttpPost]
[OnlyAjaxRequest]
public ActionResult Login(string pw, string us)
{
    if (Request == null || !Request.IsAjaxRequest())
        return RedirectToAction("c404", "error");

    // Check for missing input first: the original called us.Trim() before this
    // check, which throws a NullReferenceException when the field is absent.
    if (string.IsNullOrEmpty(pw) || string.IsNullOrEmpty(us))
    {
        return Json(new[] { "empty" });
    }
    us = us.Trim();

    // Temporary lockout after repeated failures (AuthFail is the asker's own helper)
    if (!AuthFail.CheckInvalidCount(us))
    {
        return Json(new[] { "blok" });
    }

    try
    {
        var ps = GetSha1(pw); // unsalted SHA-1 of the password
        var loginUser = (from s in _member.UserProfiles
                where ((s.Password == ps) && (s.Username == us || s.Email == us))
                select s).FirstOrDefault();
        if (loginUser != null)
        {
            if (loginUser.Status == 0)
            {
                return Json(new[] { "ban" });
            }
            AuthFail.Clear(us);
            Session["___profile___"] = loginUser;
            return Json(new[] { "ok" });
        }
        AuthFail.IncreaseInvalidCount(us);
        return Json(new[] { "wrong" });
    }
    catch (Exception)
    {
        // An empty catch {} hid every database error; fall through to the
        // error page deliberately (and log the exception here).
    }

    return RedirectToAction("c404", "error");
}
Asked by c3h4n; edited by Vivek Jain
  • Just as a general rule of thumb, you should ensure that your AJAX methods are as secure as any other method; they are still providing access to your application, just via a different route. – Adrian Wragg Aug 22 '13 at 10:21
  • http://stackoverflow.com/questions/4074199/jquery-ajax-calls-and-the-html-antiforgerytoken shows a way that you can still use the antiforgery token. – Slicksim Aug 22 '13 at 10:31
  • I agree, but how can I ensure my app is secure? – c3h4n Aug 22 '13 at 10:33
  • I read the above link. If I use the AddAntiForgeryToken function, am I secure? I mean, are there other possible attacks? – c3h4n Aug 22 '13 at 11:37

1 Answer


Like Slicksim said, you could add an antiforgery token to prevent Cross-site Request Forgery attacks.

Another problem is SHA-1; I guess you are using it, from your call "GetSha1()". I don't know what it does, but you really should use a salt for generating your password hashes. More about this topic: Is SHA-1 secure for password storage?

Answered by Oliver; edited by Community
  • Ok, now I have antiforgery for Ajax requests. Yes, I know GetSha1() is not secure; I will fix it, thank you. One more question :) Is denial of service possible with Ajax requests, because the server always responds to requests? – c3h4n Aug 22 '13 at 12:57
  • Yes it is, like with every other web site. It is difficult to prevent this in your code. If you want DoS protection you may have a look at https://www.cloudflare.com/ddos – Oliver Aug 22 '13 at 14:09