Jump to content

Spoof Jquery Request


PHPEnthusiast
Go to solution Solved by requinix,

Recommended Posts

Hello! So I have a new random question to ask. I have a script that relies on Jquery requests. I've read on a lot of websites that relying on Jquery requests isn't a good thing because it can be spoofed however while I was testing it on my localhost using Curl, it just showed me the default login page and that's it.

 

So the logic behind my "Only Jquery requests can read these files" is because I'm trying to prevent people from seeing the contents directly. I know that .htaccess can do this already, but I'm trying to prevent someone from accessing the actual file directly in case someone is snooping around for file names. This is so they can't execute any PHP codes. It also will trick them into thinking that the page they're on does not exist.

 

Here is my code for jquery_test.php

// Check to see if the request was made via Jquery or not
if(filter_input(INPUT_SERVER, 'HTTP_X_REQUESTED_WITH') === 'XMLHttpRequest') {
	// Request is from Jquery or Ajax. Put the actual codes in here.
} else {
	// Request was made directly to the file. Don't put any executable codes in here. If the user is not logged in, throw them the default login page; this can also be made an error 404 page with a login form to trick the user. If they are logged in, throw them a error 404 page.
}

Here is my Curl code. It's supposed to be simple.

$ch = curl_init("http://localhost/jquery_test.php");
$fp = fopen("curl_export.txt", "w");

curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);

curl_exec($ch);
curl_close($ch);
fclose($fp);

Here is what it exported.

<html>
<head>
<title>Login</title>
</head>
<body>
<h1>Login Page</h1>
<p>Hello, please login to view this page.</p>
<form action="action/login" method="POST">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" name="submit">
</form>
</body>
</html>

Now, how are people spoofing Jquery requests when I tried to spoof my own, it just shows up the login page. This is exactly what my code was suppose to do.

  1. Check to see if request is made via Jquery or direct.
  2. If request was made via Jquery, load the codes and execute them to select appropriate tables.
  3. If request was made via direct access, check to see if the user is logged in first.
  4. If user is not logged in, throw them a login page.
  5. If the user is logged in, throw them a 404 page.
Edited by PHPEnthusiast
Link to comment
Share on other sites

As your jquery_test.php code shows, there needs to be an X-Requested-With HTTP header with the value "XMLHttpRequest".

 

Add a

curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Requested-With: XMLHttpRequest"));

Thank you for enlightening me. However, is it possible to reject Curl from accessing or does it act like a regular user?

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.