
In my browser extension I'm doing an Ajax request like this

// someID is assumed to be defined elsewhere in the extension; the request body is
// sent as a plain form POST to the server-side endpoint
$.ajax({
    type: 'POST',
    url: 'https://example.com/queryDatabase.php',
    data: {id: someID, data: "some data"}
}).done(function (resp) {
    console.log(resp);
});

Now everyone could inspect the source code and make a request with their own data.

How do I authorize only requests coming from my extension and reject all others?

EDIT:

I'm posting the solution I came up with in an edit because someone closed the question although there wasn't an exact answer in the other post.

So what I did was move the ajax request to a php file on my server and then programmatically inject it with an <iframe> when needed. This way you can indeed use the CSRF token method to secure the call, as shown in this answer for example.

Be aware that you can't use the extension API from the php file, so you'll need to inject a content script into it to be able to exchange messages with the iframe. That way you can get data from the API in the content script and pass it along in a message (you can even make the request on demand by listening for a message and executing the call only when the message arrives).

diridev
  • @jeprubio I don't get it. Even if I generate a token can't everyone just make a request to get the token and attach it to his request? – diridev Mar 05 '20 at 00:04
  • @jeprubio what I understand is that I have to first make a request to the server to get the token and then attach that token to the second request. If that's the case I really don't get how can't someone just do the same thing once they know the endpoints by inspecting the code. Could you do an example please? – diridev Mar 05 '20 at 09:45
  • @jeprubio I meant the attacker could do an ajax request at my endpoints maybe in an extension of his, not simply browsing my website. About the second method, correct me if I'm wrong, the javascript code that generates the token on the user end can be seen by inspecting the code, so what's stopping the attacker to use it to generate his token? – diridev Mar 05 '20 at 10:39
  • @jeprubio I'm doing an Ajax request from my browser extension to the php file on my website, I'm never browsing the website myself. – diridev Mar 05 '20 at 10:58
  • @jeprubio I think you mean to do something like [this](https://stackoverflow.com/questions/21885257/what-are-the-ways-to-secure-an-ajax-request) but as I said I'm making the Ajax request from a browser extension and not from the php page itself. So the client is never loading the page inside their browser. – diridev Mar 05 '20 at 13:20
  • @jeprubio what should I use captcha for? I think they are talking about avoiding a brute force loop of requests which is not what I asked. I need a way to reject all requests not coming from my extension. – diridev Mar 05 '20 at 14:31

0 Answers