
I am developing a web application in MVC4. In my application, all the functions are done by AJAX POST calls. I do not post a single form (I do not even have a form tag); everything is done by AJAX calls. But I am scared about misuse of my JavaScript. Anyone who gets this code can post dummy data to my application. So I need to validate whether the POST request is coming from my website or not.

I thought that the AJAX call is good instead of posting the whole form to the server.

Also, I have done the validation on the client side only. Is that also a threat for me?

And how do I use the AntiXSSLibrary and HtmlSanitizationLibrary or AntiForgeryToken?

Rhushikesh
  • If all your validation is done in JavaScript, then **yes** this is a big security problem. All data posted to a server must be validated on the server – jasonscript Sep 10 '14 at 06:12
  • To validate that the request is coming from your page: you can generate a token, store it in the session and send it in a hidden field when you render the page, include the value of the field in your AJAX call as a parameter, and when you receive a submit validate the value of the token parameter and compare it with the value in the session. – frankfg Sep 10 '14 at 06:42
  • @jasonscript I am not understanding how a user can post wrong data – Rhushikesh Sep 10 '14 at 06:52
  • Because you are using JS to post data to your server, someone can look at your JS and figure out what to submit. Then they can write their own JavaScript (in console or as Chrome extension) and submit their own data to your server. If you do not check the data on the server, it will accept this **bad** data. Some people even turn JavaScript off! what happens to your page then? – jasonscript Sep 10 '14 at 06:56
  • I post the data using AJAX; if the user blocks JavaScript then no post will happen – Rhushikesh Sep 10 '14 at 07:02
  • How do I use the AntiXSSLibrary and HtmlSanitizationLibrary or AntiForgeryToken – Rhushikesh Sep 10 '14 at 09:03
  • @Rhushikesh — If a user blocks the JavaScript then *your code* won't cause a POST request to be made. It won't prevent the user from manually constructing an HTTP request and submitting it. – Quentin Sep 10 '14 at 09:12
  • Yes, for that I will do the post request validation of which URL it is coming from – Rhushikesh Sep 10 '14 at 09:19
  • @Rhushikesh — Requests come from browsers, not URLs. There is no reliable way of determining what the previous page loaded by the browser was. The referer header is easily faked. – Quentin Sep 10 '14 at 09:20
  • OK, then how can I protect my website – Rhushikesh Sep 10 '14 at 09:22
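The token scheme frankfg's comment describes, done with MVC4's built-in AntiForgeryToken together with server-side validation of the posted values, as an added example that is not code from the asker or any answer on this page. The `OrdersController`, `CreateOrderModel`, the `/Orders/Create` URL and the field names are assumptions for illustration.

```csharp
// Razor view (assumed Orders/Index.cshtml): render the token once. @Html.AntiForgeryToken()
// emits <input name="__RequestVerificationToken" type="hidden" value="..."> and sets the
// matching __RequestVerificationToken cookie; the pair is what the server checks.
//
//   @Html.AntiForgeryToken()
//   <script>
//     // Read the hidden field and send it as an ordinary POST parameter with the AJAX call.
//     var token = $('input[name="__RequestVerificationToken"]').val();
//     $.post('/Orders/Create', { __RequestVerificationToken: token, productId: 42, quantity: 3 });
//   </script>

using System.ComponentModel.DataAnnotations;
using System.Net;
using System.Web.Mvc;

// Server-side rules for the posted data (assumed model). These run on every request,
// regardless of what the browser's JavaScript did or did not check.
public class CreateOrderModel
{
    [Range(1, int.MaxValue)]
    public int ProductId { get; set; }

    [Range(1, 100)]
    public int Quantity { get; set; }
}

public class OrdersController : Controller
{
    // [ValidateAntiForgeryToken] compares the __RequestVerificationToken form value with
    // the cookie before the action body runs. A request that lacks either, or whose pair
    // does not match, is rejected with an HttpAntiForgeryException and never reaches
    // this code, so a script that only knows the URL and field names cannot post here.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CreateOrderModel model)
    {
        // Model binding has already applied the data annotations above.
        if (!ModelState.IsValid)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest, "Invalid order data.");
        }

        // ... persist the order here (omitted in this example) ...
        return Json(new { ok = true, productId = model.ProductId, quantity = model.Quantity });
    }
}
```

The token only proves the request was made by a page this site rendered for this browser session; the `[Range]` checks are what stop a user from submitting values the client-side JavaScript would have refused.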

1 Answer

-1

Use the following code in your method

// Reject requests that arrive without a Referer header
string referer = Request.ServerVariables["HTTP_REFERER"];
if (string.IsNullOrEmpty(referer))
{
    Response.Redirect("/UnauthorizedAccess.aspx");
}
  • That won't stop people bypassing the script to submit bad data. – Quentin Sep 10 '14 at 09:10
  • Because you have no control over what users put in HTTP requests to your server. They control the client software. They can send anything they like. Including fake referer headers. – Quentin Sep 10 '14 at 09:18