What happens if a user looks at my JavaScript file, copies the content of a function and sends a request to my server using AJAX? And is there a way to properly protect against this from happening?
3 Answers
The way to protect against this is no different from the way you protect against any web request. You make it so that your site requires some form of authentication (i.e. users have to log in) and don't do anything if the request is not properly authenticated.
Typically, when you make an AJAX request, cookies are also sent along with the request so you should just be able to use the same authentication method that you use for your regular requests with your AJAX requests.

Ahh, makes sense. I just didn't know whether browsers had some sort of cross-domain protection of some sort. Thanks bud. – Raphael Caixeta Jun 04 '10 at 06:00
The browser won't allow XMLHttpRequest from another server/domain. However, if you are allowing JSON-P requests, it could happen; also, someone could spoof the browser. Treat requests for AJAX like any other, as mentioned. – Tracker1 Jun 04 '10 at 06:10
As per codeka, there is no way to prevent someone from crafting their own Ajax query that is identical to the one you have in your JavaScript request. Cross-domain protection will not necessarily protect you there, as they can, if they wish, just type the JavaScript into the address bar for themselves while on a page on your site.
The only protection you have is to validate the input and parameters provided through the Ajax query on the server-side. Limit each PHP or Python or whatever response script to a very specific task, and check the input on the server-side. If something's wrong, respond with an error.
In short, there is no way to prevent someone from sending the request, but you can prevent them from doing something you don't want them to do on your server.

Does this mean one could never create a secure *and* generalized CRUD architecture using AJAX? – dclowd9901 Apr 30 '11 at 18:50
Assuming that you need some form of authentication:
I guess you can maintain a database session to validate whether the request is coming from a genuine user or is forged. Use encrypted cookies to store the session ID, and refer the cookie's session ID to the database to validate the user.

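The three answers make one combined point: the client-side JavaScript is public, so the server has to (1) authenticate every request, AJAX or not, through the same session check, (2) look the session ID from the cookie up in server-side storage, and (3) validate the parameters of each narrowly scoped action before touching data. The following is an added example written for this page, not code from any of the answerers. It is plain Python with only the standard library; the in-memory `SESSIONS` and `NOTES` dicts stand in for database tables, `SECRET_KEY` is assumed to come from server configuration, and the `update_note` action is an invented endpoint. Where the third answer says "encrypted cookies", this example instead signs the session ID with an HMAC so a forged or tampered cookie is rejected before the database is consulted; the lookup itself is the same idea.

```python
"""Server-side handling of an AJAX request.

Nothing the browser sends is trusted: the same session check runs for
every request, and the single handler it names validates its own
parameters. SESSIONS/NOTES are constructed in-memory stand-ins for
database tables (assumption for this example).
"""
import hashlib
import hmac
import json
import secrets
from http.cookies import SimpleCookie

SECRET_KEY = b"replace-with-a-random-server-side-secret"  # assumed: loaded from config

SESSIONS = {}  # session_id -> user_id       (stand-in for a sessions table)
NOTES = {}     # note_id -> {"owner", "text"} (stand-in for a notes table)


def sign_session_id(session_id):
    """Return 'id.mac'. The MAC ties the value to this server's key, so a
    client cannot mint a cookie for a session id it did not receive."""
    mac = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_session_cookie(value):
    """Return the user id for a valid signed cookie, otherwise None."""
    if not value or "." not in value:
        return None
    session_id, mac = value.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare
        return None
    return SESSIONS.get(session_id)  # the database lookup from answer 3


def login(user_id):
    """Create a session and return the cookie value to hand to the browser."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = user_id
    return sign_session_id(session_id)


def update_note(user_id, params):
    """Handler for exactly one task: change the text of a note the caller owns.
    Every parameter is checked here, on the server, regardless of what the
    page's JavaScript would have sent."""
    note_id = params.get("id")
    text = params.get("text")
    if isinstance(note_id, bool) or not isinstance(note_id, int):
        return 400, {"error": "bad parameters"}
    if not isinstance(text, str) or len(text) > 500:
        return 400, {"error": "bad parameters"}
    note = NOTES.get(note_id)
    if note is None or note["owner"] != user_id:
        # Same answer for "missing" and "not yours": don't leak existence.
        return 404, {"error": "no such note"}
    note["text"] = text
    return 200, {"ok": True}


# One entry per action; a request can only reach a handler listed here.
HANDLERS = {"update_note": update_note}


def handle_request(headers, body):
    """headers: dict of request headers; body: raw JSON bytes.
    Returns (status, response dict). Authentication happens before the
    body is even parsed, exactly as for a non-AJAX request."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    morsel = cookie.get("session")
    user_id = verify_session_cookie(morsel.value if morsel else None)
    if user_id is None:
        return 401, {"error": "not logged in"}
    try:
        request = json.loads(body)
    except ValueError:
        return 400, {"error": "invalid JSON"}
    if not isinstance(request, dict):
        return 400, {"error": "invalid JSON"}
    params = request.get("params")
    if not isinstance(params, dict):
        return 400, {"error": "bad parameters"}
    handler = HANDLERS.get(request.get("action"))
    if handler is None:
        return 404, {"error": "unknown action"}
    return handler(user_id, params)
```

To see the effect, call `login("alice")`, put the returned value in a `Cookie: session=...` header, and send `{"action": "update_note", "params": {"id": 1, "text": "new"}}`; then resend the same body with the cookie's MAC altered, with no cookie, or with the id of a note owned by someone else. Only the first call changes anything; the rest get 401, 401 and 404. The point of the design is that copying the JavaScript buys the attacker nothing beyond what the logged-in user could already do through the UI.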