how to make ajax secured

Posted: Tue Nov 28, 2006 10:41 pm
by zyklone
could anyone here give me tips on how to secure my ajax application.

Posted: Wed Nov 29, 2006 10:05 am
by Luke
You need to provide more information. Are there certain vulnerabilities you are already aware of or are you looking for information regarding ajax security in general?

Posted: Wed Nov 29, 2006 10:52 am
by matthijs
I haven't done much with Ajax but I think the principles of secure design as they apply to "normal" php programming still apply. The thing to remember is that the client-side part (javascript) of ajax can be turned off at any time. So hackers can and will always be able to send requests directly to the server. So I think that as long as your server side code is as secure as can be, it doesn't matter if a request comes in a traditional way or via some fancy ajax script.

But then again, I haven't worked with ajax yet so if someone has some secret methods to add security layers to ajax I'd be happy to hear more about that.

Posted: Wed Nov 29, 2006 10:53 am
by Luke
Nope... that's about it... all ajax does is allow javascript to work with your backend, so like you said... secure your backend and you're golden.

Posted: Wed Nov 29, 2006 10:55 am
by John Cartwright
matthijs wrote:I haven't done much with Ajax but I think the principles of secure design as they apply to "normal" php programming still apply. The thing to remember is that the client-side part (javascript) of ajax can be turned off at any time. So hackers can and will always be able to send requests directly to the server. So I think that as long as your server side code is as secure as can be, it doesn't matter if a request comes in a traditional way or via some fancy ajax script.

But then again, I haven't worked with ajax yet so if someone has some secret methods to add security layers to ajax I'd be happy to hear more about that.
Considering all requests end up server side, that's where your main protection should fall. I'm not well versed in ajax so I can't speak as an expert, but it shouldn't matter if they have javascript turned off (for security purposes) because all requests end up in the same place regardless of how they're called.

Just make sure you sanitize your input, and htmlentities() your output.

Posted: Sat Dec 09, 2006 7:18 am
by neel_basu
You Can Make Your php secure From Other AJAX Scripts.
You Can Use

Code:

$_SERVER['HTTP_REFERER']
In Your php Script To Validate Which AJAX Is Making The HTTP Request.
Is It Yours Or Others.
Then

Code:

<?php
  // Read the header only if the client sent one; an unquoted HTTP_REFERER
  // would be parsed as an undefined constant, not as the array key
  $req = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
  if(strstr($req, "yourdomain.com"))
    {
      //Go On
    }
  else
    {
      //Stop
    }
?>
Let This Check If The REFERER Is From Your Site Trust It And Go On
Else Stop

Posted: Sat Dec 09, 2006 7:31 am
by feyd
Referrer information is not guaranteed to be in a request to the page. In fact there are many systems which will actively remove that from a request before sending it on to the destination.

Posted: Sat Dec 09, 2006 7:40 am
by neel_basu
feyd wrote:In fact there are many systems which will actively remove that from a request before sending it on to the destination.
I didn't Understand What You Told

Posted: Sat Dec 09, 2006 8:30 am
by feyd
For example... there are routers that will strip referral information from the request headers before passing the request on to other servers.

Posted: Sat Dec 09, 2006 8:37 am
by neel_basu
neel_basu wrote:
feyd wrote:In fact there are many systems which will actively remove that from a request before sending it on to the destination.
I didn't Understand What You Told
What did You Mean By System OS Or Browser ??

Posted: Sat Dec 09, 2006 9:19 am
by feyd
Both. There are many that will actively deny the referral header.

Posted: Sat Dec 09, 2006 9:45 am
by neel_basu
But Still Now I Didn't Face This Problem at all In Microsoft Windows
With Browser IE, Mozilla Firefox, and Opera

Posted: Sat Dec 09, 2006 2:06 pm
by nickvd
Search google for "refspoof"; it's a Firefox extension that will allow me to send any referrer address I want to the server...

Posted: Thu Dec 14, 2006 11:23 pm
by zyklone
so is that HTTP secured to use?

Posted: Fri Dec 15, 2006 5:33 am
by Jeroen Oosterlaar
neel_basu wrote:You Can Make Your php secure From Other AJAX Scripts.
You Can Use

Code:

$_SERVER['HTTP_REFERER']
In Your php Script To Validate Which AJAX Is Making The HTTP Request.
Is It Yours Or Others.
Then

Code:

<?php
  // Read the header only if the client sent one; an unquoted HTTP_REFERER
  // would be parsed as an undefined constant, not as the array key
  $req = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
  if(strstr($req, "yourdomain.com"))
    {
      //Go On
    }
  else
    {
      //Stop
    }
?>
Let This Check If The REFERER Is From Your Site Trust It And Go On
Else Stop
I do not agree with this solution. First, you can never be sure that the referrer header is specified by the browser. Second, it is easy to customize the referrer header to fake that the request is from the valid source. Instead, it is better to validate the input within the script that receives the AJAX requests, just as you would validate it when it was requested directly, for example when a user submits the form. This is good practice because, basically, there is no difference between AJAX requests and traditional requests.
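The following is an added example and is not code from this thread or from any of its posters. It puts the advice from John Cartwright's and Jeroen Oosterlaar's posts into one PHP endpoint: the same script answers a normal form POST and an XMLHttpRequest POST, validates the input server-side in both cases, reads the Referer header only for logging (it may be absent or spoofed, as feyd and nickvd point out), and escapes output with htmlspecialchars(). It goes one step beyond the thread by adding a random per-session token, which is the usual way to tell your own page's requests from a third-party script's, since the Referer header cannot do that reliably. The file name save_comment.php, the field names, the helper functions and the length limit are all assumptions.

```php
<?php
// Added example; not code from the thread or from any of its posters.
// One endpoint (assumed to live at save_comment.php) that handles a form POST
// and an AJAX POST identically. Field names, helper names and limits are
// assumptions; the session token is an addition beyond what the thread shows.
declare(strict_types=1);

session_start();

// The Referer header may be absent (browsers, proxies and routers strip it) or
// set to any value the client chooses, so it is only recorded for diagnostics.
function referer_for_log(array $server): string
{
    return isset($server['HTTP_REFERER']) ? (string) $server['HTTP_REFERER'] : '(none)';
}

// Random per-session token. The page embeds it in the form and the AJAX script
// posts the same value; a script on another site cannot read it, which is the
// guarantee the Referer check was trying to obtain.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_valid(array $post): bool
{
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Validation runs on the server however the request arrived; JavaScript-side
// checks are a convenience for the user, not a control.
function validate_comment(array $post): array
{
    $errors  = [];
    $comment = isset($post['comment']) ? trim((string) $post['comment']) : '';
    $email   = isset($post['email']) ? trim((string) $post['email']) : '';

    if ($comment === '') {
        $errors[] = 'comment is required';
    } elseif (strlen($comment) > 1000) {
        $errors[] = 'comment is too long';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is invalid';
    }
    return ['errors' => $errors, 'comment' => $comment, 'email' => $email];
}

// Escape at the point of output, so stored text stays intact and the encoding
// matches the context it is rendered into (HTML here).
function render_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// This header only selects the response format; any client can set it, so it
// is not a security boundary.
function wants_json(array $server): bool
{
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strtolower((string) $server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    error_log('comment POST, referer=' . referer_for_log($_SERVER));

    if (!csrf_token_valid($_POST)) {
        http_response_code(403);
        exit('invalid or missing token');
    }

    $result = validate_comment($_POST);
    $ok     = $result['errors'] === [];

    if (wants_json($_SERVER)) {
        header('Content-Type: application/json; charset=UTF-8');
        echo json_encode(['ok' => $ok, 'errors' => $result['errors']]);
    } elseif ($ok) {
        header('Content-Type: text/html; charset=UTF-8');
        echo '<p>Saved: ' . render_html($result['comment']) . '</p>';
    } else {
        header('Content-Type: text/html; charset=UTF-8');
        echo '<ul><li>' . implode('</li><li>', array_map('render_html', $result['errors'])) . '</li></ul>';
    }
    exit;
}

// GET: render the form with the token; an AJAX caller reads the same hidden
// field and sends it back as the csrf_token parameter of its POST body.
header('Content-Type: text/html; charset=UTF-8');
echo '<form method="post" action="save_comment.php">'
   . '<input type="hidden" name="csrf_token" value="' . render_html(csrf_token()) . '">'
   . '<input name="email"><textarea name="comment"></textarea>'
   . '<button type="submit">Send</button></form>';
```

The point of the structure is that nothing in the POST branch depends on whether JavaScript was involved: the token check, validate_comment() and the output escaping all run the same way for a hand-crafted request, a form submission and an XMLHttpRequest. Only the response format differs, and that choice is made from a header any client can set, so it must not carry any security decision.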