
I am using AJAX to send requests to one of my PHP pages on the site, but I do this from my HTML page. This is secure.

But what if others know my PHP page and send AJAX requests to that page from their script? This may cause security problems.

How can I avoid this?

SLaks
shasi kanth
    What are you afraid that the attacker will do? – SLaks Jan 31 '11 at 13:45
  • I am afraid that he might view my source code, and so he can know where I am sending the AJAX request and what parameters I am passing to that page. So now he can pass some parameters to my page via GET or POST and perform some illegal operations, like INSERT, UPDATE, DELETE. – shasi kanth Feb 01 '11 at 05:38

3 Answers

You seem to be trying to defend against CSRF attacks.

You can include a nonce in your page, then require that all AJAX requests have that nonce.
Since the attacker is on a different domain, he will have no way of getting the nonce.

SLaks
  • Is he on about CSRF? or could he be talking about bots sending fake data to his PHP receivers ? +1 though – RobertPitt Jan 31 '11 at 13:50
  • @Robert: I'm not sure; I asked him to clarify. – SLaks Jan 31 '11 at 13:52
  • +1, and the bots issue can actually be tackled with this as well. If you make the app produce the final nonce in JavaScript, most of the bots won't be able to process it, as they don't parse JavaScript. This however should not be used on its own because it can of course be bypassed; it's just good practice to employ in certain applications. – cyber-guard Jan 31 '11 at 21:02

The only way they can send AJAX requests to your page is if they are on the same domain (ie. their script would have to be hosted on your domain).

AJAX won't work cross-domain, so it's quite secure.

xil3
  • Yea but most other languages can :/ – RobertPitt Jan 31 '11 at 13:43
  • Well yea, I could just do a `file_get_contents("http://his.url")`, but I thought this was an AJAX question. – xil3 Jan 31 '11 at 13:46
  • You can easily request pages from another server using PHP (http://php.net/manual/fr/function.file-get-contents.php). Then a bit of reverse engineering and you know what type of data each URL param should have. This way you can fetch everything the PHP page can provide. (I'm just pointing out a flaw/exploit; I don't know the right method of doing AJAX to avoid that kind of vulnerability.) – JF Dion Jan 31 '11 at 13:47
  • Yeah, I know this. I just wrote that. But the question was about AJAX requests specifically. There are infinite ways around this, though. – xil3 Jan 31 '11 at 13:50
  • Yea, but I can build a script to make the site think I am an AJAX call, when really I'm just submitting my weblink over 50,000 times, if you know what I mean. – RobertPitt Jan 31 '11 at 13:52
  • I put a validation in my AJAX page like: `if(isset($_POST['queryString'])) { // logic } else echo 'Invalid request';` Then I tried: `file_get_contents("http://my_site.com/ajax_page.php")` I only got the message: 'Invalid request'. Hope this does the trick. – shasi kanth Feb 01 '11 at 06:24

There is very little you can do to stop this; the only thing that can help prevent this is having a good application architecture.

For example, the following rules will help:

  • Try and keep your Ajax down to read only.
  • If you have to use Ajax to write, then you should follow these rules:
    • Only allow users that are logged in to submit data.
    • Validate, validate & validate your POST data. Make sure it's exactly as you expect it.
    • Implement a form hashing technique that generates a unique hash for every form on every page, and validate against a variable within the session, aka a nonce.
    • If the user is logged in, make sure there's a validation period, such as "You must wait 30 seconds before posting".
    • Always use session_regenerate_id() before you call session_start.

These are just a few pointers that should get you on your way. When researching these you will come across other techniques used by other site owners, but you should always remember the following 2 rules:

  • Never trust your users, just act like you do.
  • Whitelist and never blacklist.
RobertPitt
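A concrete version of the nonce SLaks describes and of the per-form hash in RobertPitt's list, as an added example that is not code from the question or any answer: the token is tied to the session, the endpoint refuses requests without it, and the `isset($_POST['queryString'])` check from the comments is kept only as a field check, not as proof of origin. The file name `ajax_page.php`, the `csrf_token` field, the `queryString` field and the `user_id` session key are assumptions.

```php
<?php
// Added example, not from the question or the answers. Assumed names:
// ajax_page.php (the endpoint), csrf_token (the nonce field), queryString
// (the data field), $_SESSION['user_id'] (set at login).
session_start();

// One random token per session. The HTML page embeds it and its own
// JavaScript sends it back; a page on another origin cannot read it, so a
// forged request from another site arrives without a valid token.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token in the request. hash_equals() is a constant-time
// comparison; the header check additionally rejects plain cross-site form
// posts, which cannot set custom headers.
function csrf_check(array $post, array $server): bool {
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        return false;
    }
    return ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // ajax_page.php: isset($_POST['queryString']) alone proves nothing,
    // since any client (file_get_contents, curl) can send that field.
    if (!csrf_check($_POST, $_SERVER) || !isset($_POST['queryString'])) {
        http_response_code(403);
        exit('Invalid request');
    }
    // Logged-in users only, and whitelist-validate the field (digits here).
    if (empty($_SESSION['user_id']) || !ctype_digit((string) $_POST['queryString'])) {
        http_response_code(400);
        exit('Invalid request');
    }
    // ... run the INSERT/UPDATE with a prepared statement here ...
    echo 'OK';
} else {
    // The HTML page: embed the token so the page's own JavaScript can read it
    // and send it as the csrf_token field plus the X-Requested-With header.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo "<meta name=\"csrf-token\" content=\"$token\">";
}
```

The token only defends against requests forged from other origins; rate limiting and authentication, as RobertPitt notes, are what limit a logged-in user who scripts the endpoint directly.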