
I was hoping to clear up some questions I have been having with AJAX security. So here is a scenario I am trying to wrap my head around.

Let's say I am using AJAX to request some semi-sensitive material to the page. For instance, I am going to pass the user's ID to a PHP file, and return some information about themselves. Now, what is keeping someone from emulating this Javascript request, and passing different IDs to the PHP script?

  • Is there anything the server does to keep this from happening?
  • Does the DOM recognize Javascript which was 'originally' in place, or written by the server, as opposed to client side Javascript?
  • What are some more security issues when using AJAX to request sensitive material?
  • I am using suPHP, does this have any effect in situations like this?
grep
  • I'm pretty sure `AJAX` can't go cross-domain to access a `PHP` file. – Phil Aug 10 '11 at 18:46
  • You can work around this by writing a php script which performs cross-domain stuff and gives it to AJAX – Im0rtality Aug 10 '11 at 18:48
  • Is this what I have been reading here? http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest – grep Aug 10 '11 at 18:48

2 Answers


An Ajax call is exactly identical to any other HTTP request that you make except that it's asynchronous (it doesn't reload the web browser). So you should be using whatever authentication you currently employ on your web site.

This could either be Windows integrated security, cookies, etc. Basically your PHP script just has to verify that the request is coming from a valid user of your application.

tskuzzy
  • And if it is a valid user of the application, yet they are trying to fake the request to get another user's information..? At this point SESSION checking seems pointless, as it is a valid user, trying to exploit the application. – grep Aug 10 '11 at 19:02
  • Just give them an access denied if they try to access another user's data. Your script should know what user is making the request (this is the authentication) as well as what information they are requesting. – tskuzzy Aug 10 '11 at 19:05
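The check tskuzzy's comment describes, as an added example that is not part of the question or either answer: the endpoint takes the client-supplied ID, but decides who may see the row from the session, not from anything in the request. Assumed names: your login code stores the logged-in user's id in `$_SESSION['user_id']` (and an optional `$_SESSION['is_admin']` flag); the SQLite table below is a constructed stand-in for your real users table.

```php
<?php
declare(strict_types=1);
session_start();

// Constructed sample data so the script runs offline; replace with your real DB.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1,'alice','alice@example.com'),(2,'bob','bob@example.com')");

// VULNERABLE: trusts the id the client sent. Being logged in proves *who* is
// asking, but nothing here checks whether they may read the row they asked for,
// so any valid user can change the id in the AJAX call and read another user.
function getProfileUnsafe(PDO $pdo): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id = ?');
    $stmt->execute([(int) ($_GET['id'] ?? 0)]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// HARDENED: authentication (the session) tells us the caller; authorization
// compares the requested id against it. Whether the request came from your
// JavaScript, curl, or a faked XHR is irrelevant, which is the point of the answer.
function getProfileSafe(PDO $pdo): ?array
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);          // not logged in at all
        exit;
    }
    $requested = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($requested === null || $requested === false) {
        http_response_code(400);          // missing or non-numeric id
        exit;
    }
    $isOwner = $requested === (int) $_SESSION['user_id'];
    $isAdmin = !empty($_SESSION['is_admin']);
    if (!$isOwner && !$isAdmin) {
        http_response_code(403);          // "access denied" for another user's data
        exit;
    }
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id = ?');
    $stmt->execute([$requested]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

header('Content-Type: application/json');
echo json_encode(getProfileSafe($pdo));
```

This covers the faked-ID case only; the stolen-cookie and CSRF cases raised in the other answer's comments need HttpOnly/Secure cookies and a per-session anti-CSRF token, which this snippet does not show.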

AJAX is inherently un-securable. You cannot both make a resource available for remote usage AND keep it completely secure. There is no 100% reliable method for identifying if a request came in from your client-side javascript or if it's someone faking the request.

At most, you can make it harder/more tedious to do such faking.

Marc B
  • So if the requests are only able to happen after a user is logged in, should I resort to a SESSION check before any AJAX-requested PHP file is outputted? And just terminate the script if so? – grep Aug 10 '11 at 18:50
  • "There is no 100% reliable method for identifying if a request came in from your client-side javascript or if it's someone faking the request." - Sure there is. The browser will send all cookies with the Ajax request, and on the PHP side you have access to the user's $_SESSION, so you require normal authentication just like you would on any other page. – AndrewR Aug 10 '11 at 18:54
  • @andrewr: nothing says the user can't fake their own request, or their session token gets stolen, or an ajax request is fired off via CSRF. – Marc B Aug 10 '11 at 19:02
  • If you know what the cookie string is, you can send it along with a spoofed request. A cookie is just a specially-formed request header. – Nick Husher Aug 10 '11 at 19:04
  • @Marc B: AJAX is exactly as securable as HTTP is. Any security you can apply to an HTTP request, you can similarly apply to an AJAX request. There are (HTTP-based) web applications out there broadly considered secure, so it would follow that you could build an AJAX application that is also broadly considered secure. – Nick Husher Aug 10 '11 at 19:06