2

I tried to google my problem but I don´t even know exactly how to ask my question: When the user performs one specific event on my site I would like to call this function, which increases the credit of an other user in a mysql database:

function incrasecredit(){
   $.ajax({
     type: "POST",
     url: "/increasecredit.php",
     data: {},
     success: function(html) {
     }
    }); 
   }

...easy. The problem is (as the script name indicates) that this event is connected to a "credit-system" / money. So I guess it should be secure. "/increasecredit.php" should not be accessed by the user in any other way. E.g. simply by executing it via the browser. Only in this special case when I call it in my jquery script. To be more precise when the user clicks on an iframe, incrasecredit() should be executed. And ONLY in this case. How can I protect this script from beeing executed in a wrong way? I tried to solve it with tokens but didn´t figure it out, yet. I have the feeling I don´t get the bigger picture. Thanks in advance.

tyler
  • 424
  • 4
  • 16
  • 4
    are you using some form of user authentication? i think a better way to do this is to do the checks in the increasecredit.php script, since ajax requests (as well as any other kind of frontend validation) can be simply "spoofed" – flynorc Dec 25 '16 at 20:09
  • Yes, user authentication is done by session. But how can I check if the user has permission to increase the credit value of an other user´s entry? – tyler Dec 25 '16 at 20:12
  • 1
    It's your own system; shouldn't *you* know? What are the constraints for the transaction? Is it in a user's interest to do this more often than they're supposed to? –  Dec 25 '16 at 20:15
  • Yes, it is in the user´s interest to do this more often, indeed. Eg. if he has a second fake account and is trying to increase the credits of the other account by calling the php script. I guess I can limit the amount of requests quiet easily but what about the first (wrong) request? I´m confused. – tyler Dec 25 '16 at 20:18
  • 1
    So this is actually about detecting fake accounts, a completely separate issue? You can compare IP addresses, and browser fingerprints. –  Dec 25 '16 at 20:23

1 Answers1

3

You should implement CSRF tokens on your page, to check that a request has originated from your website via a legitimate mechanism. This boils down to having a one use only token be passed with the POST request that needs to match a token stored against a user session cookie. This token should also automatically expire after some time.

In addition, the backend should implement some kind of ACL to authorise the transaction. The role of the user can be checked via session for an authenticated user.

AndFisher
  • 633
  • 1
  • 5
  • 18
  • Okay, this already helped me a lot. Even though didn´t got it 100%. Let me get this straight: I create a token when the session is created which is stored in the user session. When I perform my ajax call I send my token as well. The php checks if the token which was sent is equal with the token in the session? Like so: xhr.setRequestHeader('X-CSRF-Token', getCSRFTokenValue()); So the php knows if the request comes from the site. One question: Other sources indicated that sending the token with the header is not safe? – tyler Dec 25 '16 at 22:32
  • this also helped: http://stackoverflow.com/a/10336360/1352320 – tyler Dec 25 '16 at 22:43