
AJAX "Security"


kratsg


I have a form which allows a user to submit the data via AJAX. Is there any way to verify that someone doesn't actually access the PHP page and submit their own data instead?

 

I.e., other than verifying the data is valid (in the PHP script), so that we can bar users from trying to access the PHP page?


There are a few things I can think of:

 

1. Run your HTTP server on a system that is behind a firewall (and port 80 is blocked)

 

2. The next best thing I can suggest is to use sessions in your PHP code and force a user to be logged in before being able to access the form.  For example, you create a login page such as index.php.  This redirects to another page (possibly the one with your form) upon successful login.  In any case, any page you want to "protect" with this login feature (i.e. any page that is only supposed to be accessible after a successful login) should have the following code at the top:

 

<?php
session_start();
if(!isset($_SESSION['myusername']))
{
    // Not logged in: send them to the login page and stop rendering the
    // rest of this page. Without the exit, PHP would keep executing and
    // the protected content would still be sent after the redirect header.
    header("Location: index.php");
    exit;
}

 

If anyone attempts to view this page without a valid session they will be directed back to the login page named index.php.  For an unauthorized user to view a page like this, they would need to either break into an account or spoof a session.

 

 

3. I'm not sure what type of request you perform in your AJAX code to send the form data to your backend PHP script.  Is it a GET or a POST?  If it's a GET then it is very simple to create the string and append the values at the end of it using ? and & like this:

 

http://www.yourwebserver.com/foo.php?action=delete&target=all

 

You can type in a string like this directly into the URL bar of a browser and it will execute the GET request.  If you are using GET then you might consider changing it to a POST instead.  It is a little more difficult to send POST parameters, particularly in a browser.  You can pretty easily do it using examples on google and minimal knowledge of programming languages (Perl LWP comes to mind).  Again however, if your backend PHP script requires a session then executing the POST will not work unless the person has learned credentials for a legitimate account or can spoof a session somehow.


1. Run your HTTP server on a system that is behind a firewall (and port 80 is blocked)

 

On the other hand a sledgehammer would do fine too.

 

Hey it could be a valid solution...kratsg never posted what this application was going to be used for.  Maybe it is something internal to his/her company, only to be accessed from the internal network.  If that is the case then a firewall solution would work just fine.  We do that sort of thing all the time (though to be fair, everything of value is password protected as well).


Well, it is going to be online, and the AJAX submits via POST. I do like the session ideas... but let's assume we have a "valid user", they're allowed to be there.

 

How can I stop that user from simply going to the PHP page and submitting the data (via POST, which isn't really hard to "fake")? Or we just.. can't?

 

Like, can we detect when a user visits a page versus when an AJAX request calls the page? (Something tells me we can't).


You could try to set a custom header with some kind of encryption. I have no idea how you could manage this, because AJAX is essentially the same as accessing a page with the browser, except the application performs it and adds the information to the current DOM.


You could try to set a custom header with some kind of encryption. I have no idea how you could manage this, because AJAX is essentially the same as accessing a page with the browser, except the application performs it and adds the information to the current DOM.

 

That's essentially my view. Does that mean there are no other security holes we open by switching from form submission to AJAX submission? I find that difficult to believe.


Well, it is going to be online, and the AJAX submits via POST. I do like the session ideas... but let's assume we have a "valid user", they're allowed to be there.

 

How can I stop that user from simply going to the PHP page and submitting the data (via POST, which isn't really hard to "fake")? Or we just.. can't?

 

Like, can we detect when a user visits a page versus when an AJAX request calls the page? (Something tells me we can't).

 

There are a few things you can do here.  You could add a field to your table that defines "admin" users.  This is exactly what I did with a simple application that I wrote:

 

mysql> describe members;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | int(11)     | NO   | PRI | NULL    | auto_increment | 
| username | varchar(32) | NO   | UNI | NULL    |                | 
| password | varchar(64) | NO   |     | NULL    |                | 
| salt     | int(11)     | NO   |     | NULL    |                | 
| isadmin  | tinyint(4)  | YES  |     | NULL    |                | 
+----------+-------------+------+-----+---------+----------------+

 

Only admin users would have access to the page.  Therefore, when someone attempts to view that page, you first check if they have a valid session (which you have already done by adding the code I previously told you to add to the top of the page).  If so you pull out their username and then check the users table in your database to see if this user has admin access.  If so, you display the page, otherwise you just ignore the request and redirect them back to the main login page or whatever you want.

 

If you want to see exactly who has visited the page you could always write a log.  Every time someone hits the page you take their username and append it to a file.  You could then employ the above logic to see whether or not you should display the form or redirect them elsewhere.  This way you see who hit the page...whether they were supposed to or not.

 

To make things even more difficult, when the form is submitted, you could check one last time to be sure that the user is valid and an admin.  If so, allow the action to proceed -- otherwise do nothing and redirect:

 

$action = $_POST['action'] ?? '';   // the AJAX code submits via POST

if ($action == "add" && $_SESSION['isadmin'] == 1)
{
    ...
}
else if ($action == "delete" && $_SESSION['isadmin'] == 1)
{
    ...
}
else
{
    // Not an admin, or an action we don't know about: do nothing and redirect
    header("Location: index.php");
    exit;
}
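As an added example (not code from the thread or from its posters), here is the advice from the last few posts combined into one request handler: the session gate, the per-hit log, a fresh admin lookup against the `members` table shown above, and a fixed list of allowed actions. It applies the same checks whether the POST came from the AJAX code or was typed in by hand, since the server cannot tell the two apart. The PDO connection details, the log file path and the helper name are assumptions for illustration.

```php
<?php
session_start();

// Assumed for illustration: a PDO handle to the database holding `members`.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$logFile = __DIR__ . '/form_access.log';   // assumed audit-log location

function denyAndRedirect(string $reason): void
{
    error_log("form denied: $reason");
    header('Location: index.php');
    exit;   // stop here so nothing below runs for a denied request
}

// 1. A valid session is required, exactly as in the page-top snippet.
if (!isset($_SESSION['myusername'])) {
    denyAndRedirect('no session');
}
$username = $_SESSION['myusername'];

// 2. Record every hit, whether or not it is allowed further down.
$line = date('c') . " $username " . $_SERVER['REQUEST_METHOD'] . "\n";
file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);

// 3. Only accept POST, which is what the AJAX code sends.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    denyAndRedirect('not a POST');
}

// 4. Re-check admin rights in the database on every submit instead of
//    trusting a flag that was copied into the session at login time.
$stmt = $pdo->prepare('SELECT isadmin FROM members WHERE username = ?');
$stmt->execute([$username]);
if ((int) $stmt->fetchColumn() !== 1) {   // fetchColumn() is false if no row
    denyAndRedirect("$username is not an admin");
}

// 5. Only actions from a fixed list are honoured; anything else is ignored.
$action = $_POST['action'] ?? '';
switch ($action) {
    case 'add':
        // ... perform the add, validating every submitted field server-side
        break;
    case 'delete':
        // ... perform the delete
        break;
    default:
        denyAndRedirect("unknown action '$action'");
}
```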
