PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Sun Jan 01, 2012 11:16 am 
Forum Contributor

Joined: Tue Feb 16, 2010 6:39 pm
Posts: 254
Let me start by saying that I'm self-taught, and thus, while I consider myself a fairly advanced programmer, I'm fairly lacking in knowledge on security.

I'm developing a REST API that for now only processes and serves information if the request comes from the same domain as the server. I'd like to be able to limit any requests to this API to ones that come directly from programmed JavaScript, and prevent any requests that are run from, for instance, the console, or from JavaScript typed into the URL bar.

I've read about using tokens generated server-side, passing them as a JavaScript variable, and then sending them along with the AJAX request, but if I were really trying to abuse the system, I would just go into the page source, find where the variable is set, and then use that token in an abusive request.

What am I missing in this process? How can I truly ensure that a request is valid? Should I rethink my approach?

Thanks.


PostPosted: Mon Jan 02, 2012 2:34 am 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
You can check if ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') to see if a request is an Ajax call. But neither that nor the domain check is reliable security, as those values can be spoofed.

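To make the point of the reply above concrete, here is an added example (not code from the thread) of the X-Requested-With plus origin check, run against three hypothetical header sets. The `$_SERVER` array is passed in as a parameter so the script runs from the CLI without a web server; the host name and the header sets are made up.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: the header check suggested above, run
// against three hypothetical request header sets. $_SERVER is passed in as an
// array so the script runs from the CLI without a web server.

/**
 * The check the reply describes. X-Requested-With is added by jQuery and most
 * XHR helpers; Origin (or Referer) is added by the browser. The function can
 * only see the bytes that arrived, not what produced them.
 */
function is_same_origin_ajax(array $server, string $expected_host): bool
{
    $xrw    = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host   = parse_url($origin, PHP_URL_HOST);

    return $xrw === 'XMLHttpRequest'
        && is_string($host)
        && strcasecmp($host, $expected_host) === 0;
}

// 1. A genuine $.ajax() call from a page on https://example.com (constructed).
$from_page = [
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
    'HTTP_ORIGIN'           => 'https://example.com',
];

// 2. A plain HTML <form> on another site posting to the API (constructed).
//    A form cannot set custom headers and the browser fills in the attacker's
//    Origin, so the check rejects it. This is the one thing the check buys.
$cross_site_form = [
    'HTTP_ORIGIN' => 'https://evil.example',
];

// 3. The same bytes typed by hand (constructed), e.g.
//      curl -H 'X-Requested-With: XMLHttpRequest' \
//           -H 'Origin: https://example.com' https://example.com/api/items
//    or fetch() run from the browser console with the same headers option.
//    The server receives exactly what case 1 sends and cannot tell them apart.
$hand_made = [
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
    'HTTP_ORIGIN'           => 'https://example.com',
];

$cases = [
    'from_page'       => $from_page,
    'cross_site_form' => $cross_site_form,
    'hand_made'       => $hand_made,
];

foreach ($cases as $name => $headers) {
    printf("%-16s %s\n", $name,
        is_same_origin_ajax($headers, 'example.com') ? 'accepted' : 'rejected');
}
```

Cases 1 and 3 are accepted and case 2 is rejected, which is exactly the limit of the check: it filters out requests that a browser was forced to make on someone's behalf, but it cannot distinguish the page's own JavaScript from a client that copies the page's headers.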
 
PostPosted: Mon Jan 02, 2012 10:27 am 
Forum Contributor

Joined: Tue Feb 16, 2010 6:39 pm
Posts: 254
So what is a good way to validate the authenticity of AJAX calls? Is there some "common practice" that I haven't found?


PostPosted: Tue Jan 03, 2012 1:56 am 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
You can't -- so you need to validate, filter and escape all incoming data and data being displayed that is from a source that may contain untrusted data, such as a database.

PostPosted: Tue Jan 03, 2012 4:36 am 
Moderator

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5978
Location: Odessa, Ukraine
Security-wise, you cannot trust code running in an environment you don't control (such as a client's browser), regardless of the code's origin. Treat that code as you would any other external client: if it obeys the rules and follows the protocol, you shouldn't really deny it any access.

