
I have a DataTable with server-side processing but I don't know how to secure the AJAX call, because anyone who goes to the AJAX PHP file can read all the content.

This is my jQuery:

$(document).ready(function() {
    $('#netflow').DataTable( {
        aaSorting: [[ 5, "desc" ]],
        responsive: {
        details: {
            renderer: function ( api, rowIdx ) {
            var data = api.cells( rowIdx, ':hidden' ).eq(0).map( function ( cell ) {
                var header = $( api.column( cell.column ).header() );
                return  '<p style="color:#00A">'+header.text()+' : '+api.cell( cell ).data()+'</p>';  // changing details mark up.
            } ).toArray().join('');

            return data ?    $('<table/>').append( data ) :    false;
            }
        }
        },
        processing: true,
        serverSide: true,
        ajax: "/adm/includes/netflow_processing.php",
    } );
    var oTable = $('#netflow').dataTable();
    var table = $('#netflow').DataTable();
    $('#netflow_filter input').unbind();
    $('#netflow_filter input').bind('keyup', function(e) {
        if(e.keyCode == 13) {
                oTable.fnFilter(this.value);
        }
    });
    // Add a filter input to each footer cell
    $('#netflow tfoot th').each( function (i) {
        $(this).html( '<input type="text" style="width: 100%;" placeholder="Filtra..."/>' );
    } );
    // Apply the filter when typing into each cell
    table.columns().eq( 0 ).each( function ( colIdx ) {
        $( 'input', table.column( colIdx ).footer() ).on( 'keyup change', function () {
            table
                .column( colIdx )
                .search( this.value )
                .draw();
        } );
    } );
} );

And this is the ajax script:

<?php

$table = 'netflow';
$primaryKey = 'id';

$columns = array(
        array( 'db' => 'flow_src', 'dt' => 0 ),
        array( 'db' => 'flow_dst', 'dt' => 1 ),
        array( 'db' => 'flow_proto', 'dt' => 2 ),
        array( 'db' => 'out_packets', 'dt' => 3 ),
        array( 'db' => 'in_packets', 'dt' => 4 ),
        array( 'db' => 'flow_start', 'dt' => 5 )
);

$sql_details = array(
    'user' => '6g43tfr3',
    'pass' => 'XXXXXXXXX',
    'db'   => 'DBNAME',
    'host' => 'bbdd.localdomain'
);

require( 'ssp.class.php' );

echo json_encode(
    SSP::simple( $_GET, $sql_details, $table, $primaryKey, $columns )
);

How can I make a hash/token request?


2 Answers


First of all, I can't see any check that the user is logged in, or any other check. You can create users with levels (admin user, normal user) and give them an access code. You can use this pseudo code.

$access = false;
if (isAdmin($user)) {   // isAdmin() stands for your own login/role check
    $access = true;
}

if ($access == false) {
    header('Location: /login.php');   // "return redirect": send the user away (example target)
    exit;
}

Second, you can make a check that it is an AJAX request.

if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    /* special ajax here */

}

And in these scopes you can make additional checks (for login, access level, etc.), BUT there's no 100% way to detect if the request was made via AJAX, since anyone can send a header with

"X-Requested-With: XMLHttpRequest"

  • Thanks @ivant87. For the main pages I set a session variable called user with the user_id, and in the included pages I check whether the variable $IncludeCheck has the value declared in the home.php page; only then do I show the page (all pages are included in the home page and called with ?page=PAGE1). – Radu Radu Oct 03 '16 at 12:29

You could simply check HTTP_REFERER. HTTP_REFERER is overwritten by the browser and cannot be altered, meaning you cannot fake a request as if it was called from within your script. So if the name of the page (referer) that legally may access your script is

http://example.com/page42

(check what your script is called by echoing out $_SERVER['HTTP_REFERER']) then add

<?php
if ($_SERVER['HTTP_REFERER'] != 'http://example.com/page42') {
   header('HTTP/1.0 403 Forbidden');
   die('You are not allowed to access this script.');
}
...

as the very first lines of your /adm/includes/netflow_processing.php script.

  • Just what I want, simple and functional. Thank you very much! – Radu Radu Oct 03 '16 at 12:22
  • @RaduRadu, `HTTP_REFERER` can easily be altered and it would be the first thing an attacker would change when data-mining, for example. – Gyrocode.com Oct 03 '16 at 12:58
  • @Gyrocode.com - such claims really need some proof of concept :) HTTP_REFERER cannot be changed from within a browser, i.e. for example by sending a faked header with AJAX. You _can_ "spoof" HTTP_REFERER by using CURL or similar, i.e. by creating a dedicated script just for the particular purpose running on a socket, but the "attacker" would still need to know that he needs to include HTTP_REFERER and of course which value will be accepted. – davidkonrad Oct 03 '16 at 13:29
  • See [Referer spoofing](https://en.wikipedia.org/wiki/Referer_spoofing) or [this thread](http://stackoverflow.com/questions/6023941). The attacker *will* create a dedicated script, and there is no guessing required - the referrer field will match the originating page URL. – Gyrocode.com Oct 03 '16 at 13:36
  • Correct solution is to use tokens, see [Cross-site request forgery - Prevention](https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention), which is what OP had in mind in the first place. – Gyrocode.com Oct 03 '16 at 13:39
  • @Gyrocode.com, 5) your own link states: "**Checking the HTTP Referer header to see if the request is coming from an authorized page is commonly used for embedded network devices because it does not increase memory requirements.** _However, a request that omits the Referer header must be treated as unauthorized because an attacker can suppress the Referer header by issuing requests from FTP or HTTPS URLs_". ...So the above answer is actually a well known solution. 6) Tokens are the same deal unless the poster introduces a completely different setup serverside, – davidkonrad Oct 04 '16 at 02:15
  • Don't take it personally. I didn't downvote another answer because it suggests to use user validation even with pseudo code which could be more secure. – Gyrocode.com Oct 04 '16 at 04:01
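Added example (not code from either answer or from the question): the guard the first answer sketches as pseudo code, plus the per-session token the comments on the second answer recommend, written as the opening lines of /adm/includes/netflow_processing.php. It assumes home.php already calls session_start() and sets $_SESSION['user'] on login (as the asker describes), and it introduces the hypothetical $_SESSION['role'] value and the X-CSRF-Token header name; the logged-in check is what actually stops anyone from opening the script directly, while the token only blocks requests forged from another site.

```php
<?php
// Guard for netflow_processing.php (added example; assumes PHP 7+ for random_bytes).
session_start();

// Issue one random token per session. home.php embeds it in the page, e.g.
// <meta name="csrf-token" content="...">, and the DataTable sends it back with
// every request through ajax.data or an X-CSRF-Token header (assumed names).
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Refuse with a JSON body: DataTables displays the "error" field instead of
// silently showing an empty table.
function deny($status, $msg)
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg, 'data' => []]);
    exit;
}

// 1. Authentication: the session must belong to a logged-in user.
//    This is the real access control; the later checks only add to it.
if (empty($_SESSION['user'])) {
    deny(401, 'Not logged in');
}

// 2. Authorization: only roles allowed to see netflow data ($_SESSION['role'] is assumed).
if (($_SESSION['role'] ?? '') !== 'admin') {
    deny(403, 'Insufficient privileges');
}

// 3. Token: accept it from the header or a request parameter and compare in
//    constant time, so a mismatch is not distinguishable by timing.
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_GET['token'] ?? '';
if (!hash_equals($_SESSION['csrf_token'], $sent)) {
    deny(403, 'Missing or invalid request token');
}

// 4. Keep browsers and proxies from caching the JSON.
header('Cache-Control: no-store');

// Only now continue with the $table, $columns and $sql_details definitions and
// the SSP::simple() call shown in the question.
```

On the client, send the token with every draw by replacing the string `ajax` option with `ajax: { url: "/adm/includes/netflow_processing.php", data: function (d) { d.token = $('meta[name="csrf-token"]').attr('content'); } }`.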