0

I have $.post jquery code to sumbit my form in client side. When I execute custom jquery on chrome console the server work properly. I think it is not secure because any one can write jquery on their console and access to my site. How to prevent this problem? Is there any way to know whether the request is from my website or not on server side? I found similar question in SO Prevent fake looping ajax requests to PHP, but I do not understand how to overcome my problem.

Nyein Chan
  • 1,215
  • 2
  • 17
  • 32
  • It sounds like you have some major misconceptions about how web requests work. You should give this a read: https://learn.userfrosting.com/background/the-client-server-conversation – alexw Jun 21 '17 at 01:42
  • Never trust any input. Verify (is it a logged in user), Validate (does the data adhere to what you expect), and Rate Limit (only allow a limit number of request in a period) – Dijkgraaf Jun 21 '17 at 01:43
  • Your server-side application should be designed such that it _doesn't matter_ where the request comes from. – alexw Jun 21 '17 at 01:44
  • @alexw How can I design my server-side to prevent such problem? I already validate all request data and whether a user is logged in or not. – Nyein Chan Jun 21 '17 at 01:47
  • @NyeinChan: If you already validate the request, then what is actually the problem? If the user submits an invalid request, respond with an error. If the user submits a valid request, respond with a valid response. What more do you want to do? – David Jun 21 '17 at 01:49
  • @NyeinChan if you're doing all of that, then the only situation when it makes a difference where the request comes from would be a social engineering attack on your users, such as a [cross site request forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)#How_does_the_attack_work.3F). All major frameworks offer some kind of CSRF mitigation system. – alexw Jun 21 '17 at 01:51
  • @David Sorry about that, this may be my English language problem. The question I want to ask is when I create a jquery in console with all valid data such as post_id, posted_time with custom json. So there is no problem in validation stage. The data is saved to database. – Nyein Chan Jun 21 '17 at 01:52
  • 1
    @NyeinChan: Ok, then what's your question? When a user submits a valid request, it is saved to the database. Why is that bad? – David Jun 21 '17 at 01:53
  • @David If the user submit such request for about 10000 times via looping in jquery or something. That's my problem. – Nyein Chan Jun 21 '17 at 01:54
  • 1
    @NyeinChan: If submitting many requests in a short period of time is invalid then it sounds like the server isn't performing all of the validation you want it to. Maybe what you want is a captcha or something like that? Maybe you want to add more validation logic to the server-side code when handling the request? What you need to determine is specifically what you want to prevent, and then take steps to prevent it. Trying to prevent users from using their web browser's debugging tools is not one of those steps. – David Jun 21 '17 at 01:58
  • @David Is there any way to put an authentication token in request? I mean a request with such key can only be access to my website. But I think this key should be random or something that nobody can guess except my server-side. If it is a proper way, how can I achieve? – Nyein Chan Jun 21 '17 at 02:01
  • 1
    @NyeinChan Google the terms "rate-limiting" and "throttling". This has nothing to do with jQuery - there are many ways that someone could submit a large number of requests in a short period of time. See https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks and https://www.owasp.org/index.php/Denial_of_Service – alexw Jun 21 '17 at 02:02
  • @NyeinChan: Do you mean a CSRF token? https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention That can prevent request forgery, but users can still just make requests to your site to *get* each token and include it in their automated requests. A captcha would at least require the a user intervene in each request. – David Jun 21 '17 at 02:06
  • If you have more questions about web application security, we can talk in my chat, https://chat.userfrosting.com. – alexw Jun 21 '17 at 02:06

2 Answers2

2

The CSRF Token idea it's the common way to solve your concern. Creating a cripted code with some important information that you can validate the code is a way to start, plus adding an UID (and requiring on the server side the presence of $_POST['uid'] too, that basically the timestamp when the current request is sent.

It's useless to concern about the browser's console, the main concern is how well built your server side is, just that. Never a client side must have big permissions into your system and the filters to pass must be well defined.

Per example, if the function/routine called needs some parameters too, check the presence of those parameters in your $_POST, force types, when you forcing scope you turns bad requests more difficult because the bad guy needs to know well about your business rules and, plus the security tips ahead, it's a good start.

capcj
  • 1,535
  • 1
  • 16
  • 23
  • How can I put such parameter to my request? Now I am using some static key to form submit request. I want that key to dynamic and understand only my server-side script. – Nyein Chan Jun 21 '17 at 02:28
  • Some uses a specific algorithm to generate an UID (I strongly recommend this approach): https://stackoverflow.com/questions/6248666/how-to-generate-short-uid-like-ax4j9z-in-js#6248722 Others just do what I said: uses javascript current timestamp Date.now(); – capcj Jun 21 '17 at 02:31
  • You edited, to your edit my answer: when you generate your html form, just bring from the server side the CSRF Token already generated (input hidden etc) and take him with javascript to send into your ajax, validating into your server side before you do any routine. – capcj Jun 21 '17 at 02:34
  • The CSRF Token are validating on each request to your view so it is just can be "understand" by your server. Anyway, did you downvote my answer @NyeinChan? – duong khang Jun 21 '17 at 02:37
  • @duongkhang Your initial answer helped me to bring my answer faster. Btw, code obfuscation can lead to some problems, I prefer to minify them, also, if Nyein needs performance, code obfuscation has cache issues too. https://stackoverflow.com/questions/194397/how-can-i-obfuscate-protect-javascript – capcj Jun 21 '17 at 02:41
  • @calexandre I agreed that Nyein should minify the code make the code harder to read. IMO, Nyein should validate his request on server by CSRF or something built by him self – duong khang Jun 21 '17 at 02:48
1

If you want you can take a look on CSRF Token which will submit along with the form to check if this request is comming from our website.

Another way, you can obfuscate your JS code to prevent people reach to the "orginal code" and compromise it. Anyway, you just can use things like token and obfuscate to prevent people make "bad things" to your server, you can not stop them if they want to hack your server so just protect it as best as you can

duong khang
  • 342
  • 1
  • 4
  • 19