how to make ajax secured

JavaScript and client side scripting.

zyklone
Forum Commoner
Posts: 29
Joined: Tue Nov 28, 2006 10:25 pm

how to make ajax secured

Post by zyklone »

could anyone here give me tips on how to secure my ajax application.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

You need to provide more information. Are there certain vulnerabilities you are already aware of, or are you looking for information regarding ajax security in general?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

I haven't done much with Ajax but I think the principles of secure design that apply to "normal" php programming still apply. The thing to remember is that the client-side part (javascript) of ajax can be turned off at any time. So hackers can and will always be able to send requests directly to the server. So I think that as long as your server side code is as secure as can be, it doesn't matter if a request comes in a traditional way or via some fancy ajax script.

But then again, I haven't worked with ajax yet so if someone has some secret methods to add security layers to ajax I'd be happy to hear more about that.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Nope... that's about it... all ajax does is allow javascript to work with your backend, so like you said... secure your backend and you're golden.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

matthijs wrote:I haven't done much with Ajax but I think the principles of secure design that apply to "normal" php programming still apply. The thing to remember is that the client-side part (javascript) of ajax can be turned off at any time. So hackers can and will always be able to send requests directly to the server. So I think that as long as your server side code is as secure as can be, it doesn't matter if a request comes in a traditional way or via some fancy ajax script.

But then again, I haven't worked with ajax yet so if someone has some secret methods to add security layers to ajax I'd be happy to hear more about that.
Considering all requests end up server side, that's where your main protection should fall. I'm not well versed in ajax so I can't speak as an expert, but it shouldn't matter if they have JavaScript turned off (for security purposes) because all requests end up in the same place regardless of how they're called.

Just make sure you sanitize your input, and htmlentities() your output.
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

You Can Make Your php secure From Other AJAX Scripts.
You Can Use

Code:

$_SERVER['HTTP_REFERER']
In Your php Script To Validate Which AJAX Is Making The HTTP Request.
Is It Yours Or Others.
Then

Code:

<?php
  // The Referer header is optional and supplied by the client; default to '' when absent
  $req = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
  if (strstr($req, "yourdomain.com"))
    {
      //Go On
    }
  else
    {
      //Stop
    }
?>
Let This Check If The REFERER Is From Your Site Trust It And Go On
Else Stop
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Referrer information is not guaranteed to be in a request to the page. In fact there are many systems which will actively remove that from a request before sending it on to the destination.
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

feyd wrote:In fact there are many systems which will actively remove that from a request before sending it on to the destination.
I didn't Understand What You Told
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

For example... there are routers that will strip referral information from the request headers before passing the request on to other servers.
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

neel_basu wrote:
feyd wrote:In fact there are many systems which will actively remove that from a request before sending it on to the destination.
I didn't Understand What You Told
What did you mean by system, OS or browser??
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Both. There are many that will actively deny the referral header.
neel_basu
Forum Contributor
Posts: 454
Joined: Wed Dec 06, 2006 9:33 am
Location: Picnic Garden, Kolkata, India

Post by neel_basu »

But still now I didn't face this problem at all in Microsoft Windows
with browser IE, Mozilla Firefox, and Opera
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

Search Google for "refspoof". It's a Firefox extension that will allow me to send any referrer address I want to the server...
zyklone
Forum Commoner
Posts: 29
Joined: Tue Nov 28, 2006 10:25 pm

Post by zyklone »

so is that HTTP secured to use?
Jeroen Oosterlaar
Forum Commoner
Posts: 37
Joined: Sun Nov 06, 2005 4:12 pm

Post by Jeroen Oosterlaar »

neel_basu wrote:You Can Make Your php secure From Other AJAX Scripts.
You Can Use

Code:

$_SERVER['HTTP_REFERER']
In Your php Script To Validate Which AJAX Is Making The HTTP Request.
Is It Yours Or Others.
Then

Code:

<?php
  // The Referer header is optional and supplied by the client; default to '' when absent
  $req = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
  if (strstr($req, "yourdomain.com"))
    {
      //Go On
    }
  else
    {
      //Stop
    }
?>
Let This Check If The REFERER Is From Your Site Trust It And Go On
Else Stop
I do not agree with this solution. First, you can never be sure that the referrer header is specified by the browser. Second, it is easy to customize the referrer header to fake that the request is from the valid source. Instead, it is better to validate the input within the script that receives the AJAX requests, just as you would validate it when it was requested directly, for example when a user submits the form. This is good practice because, basically, there is no difference between AJAX requests and traditional requests.
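An added example (not code from any poster in this thread) putting the two points of the thread side by side: neel_basu's Referer check, which the replies explain is optional and client-controlled, and the server-side validation plus htmlentities() output encoding that John Cartwright and Jeroen Oosterlaar recommend. The endpoint, field names and the constructed sample input are assumptions for illustration.

```php
<?php
// Added example: one handler that treats an AJAX POST exactly like a normal form POST.
// Function names (referer_looks_local, validate_comment, render_comment, handle_post)
// are hypothetical, not part of any framework.

// The thread's Referer check. The header is optional and set by the client, so an
// absent or spoofed value proves nothing; strstr() also matches the domain anywhere
// in the string, not only as the host. Kept here only to show what it does (not) tell you.
function referer_looks_local(array $server, string $domain): bool {
    $ref = $server['HTTP_REFERER'] ?? '';
    return strstr($ref, $domain) !== false;
}

// Server-side validation: the only check the client cannot switch off.
function validate_comment(array $input): array {
    $errors = [];
    $name = trim((string)($input['name'] ?? ''));
    $text = trim((string)($input['text'] ?? ''));
    if ($name === '' || strlen($name) > 40 || !preg_match('/^[\p{L}\p{N} ._-]+$/u', $name)) {
        $errors[] = 'name';   // allow-list of characters, bounded length
    }
    if ($text === '' || strlen($text) > 2000) {
        $errors[] = 'text';   // bounded length; content is encoded on output below
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'name' => $name, 'text' => $text];
}

// Output encoding for anything echoed back into HTML (the thread's htmlentities() advice).
function render_comment(string $name, string $text): string {
    return '<p><b>' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</b>: '
         . htmlentities($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Same code path whether the POST arrives via XMLHttpRequest or a plain <form>.
function handle_post(array $post): array {
    $result = validate_comment($post);
    if (!$result['ok']) {
        return ['status' => 400, 'body' => json_encode(['errors' => $result['errors']])];
    }
    // ... persist with a parameterised query here, never string-built SQL ...
    return ['status' => 200, 'body' => render_comment($result['name'], $result['text'])];
}

// Constructed sample input: a comment containing markup, which the output encoding neutralises.
if (PHP_SAPI === 'cli') {
    $sample = ['name' => 'zyklone', 'text' => '<script>alert(1)</script> hello'];
    $r = handle_post($sample);
    echo $r['status'], "\n", $r['body'], "\n";
}
```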