fortnox007 Posted September 5, 2010

Dear fellow phpfreaks and freakies,

I just saw a nice post on the PHP Coding Help forum with some AJAX in it. Since I am a complete novice on AJAX, but eager to learn it, please let me know if there are things I should pay attention to security-wise. For instance the following code:

//Gets the browser specific XmlHttpRequest Object
function getXmlHttpRequestObject() {
    if (window.XMLHttpRequest) {
        return new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        return new ActiveXObject("Microsoft.XMLHTTP");
    } else {
        alert("Your Browser Sucks!\nIt's about time to upgrade don't you think?");
    }
}

//Our XmlHttpRequest object to get the auto suggest
var searchReq = getXmlHttpRequestObject();

//Called from keyup on the search textbox.
//Starts the AJAX request.
function writeText(nameValue) {
    if (searchReq.readyState == 4 || searchReq.readyState == 0) {
        searchReq.open("GET", 'getText.php?name=' + nameValue, true);
        searchReq.onreadystatechange = handleResponse;
        searchReq.send(null);
    }
}

//Called when the AJAX response is returned.
function handleResponse() {
    if (searchReq.readyState == 4) {
        var str = searchReq.responseText;
        document.getElementById('textValue').innerHTML = str;
    }
}

For instance, are those returned objects safe? I mean, isn't it possible to spoof them or anything? I really have no idea and I am scared to death to output anything without validating. If someone knows, or maybe has some stuff to really take a look at to make AJAX secure (if it wasn't already, but that I don't know), please let me know.

The code I gave was from this post by freeloader: http://www.phpfreaks.com/forums/index.php/topic,309154.0.html

Thanks in advance!
Zane Posted September 5, 2010

You can always spoof client-side information, but usually AJAX is meant for an asynchronous connection with a server-side script, which you can't spoof. Well, by "can't spoof" I mean your security is such that you have *specific* GET and POST variables (and values) you are looking for. What exactly is it that you're worried about?
fortnox007 Posted September 5, 2010 (Author)

Well, I am afraid that if I validated everything properly in the .php functionality file which AJAX calls, the stuff has to be validated again in AJAX before it is returned to the original page. So, to make it more visible, see the image below ; ) I have given numbers to the steps.

1) User input triggers AJAX and requests functionality.php to act. This user input gets validated by functionality.php itself.
2) The validated request reaches MySQL.
3) MySQL returns data to functionality.php, where PHP validates it again on output.
4) functionality.php returns data to AJAX.

My question is mainly about step 4. Does AJAX need to validate the output from functionality.php again, or is it safe this way?
Zane Posted September 6, 2010

Validating output from an AJAX request would just make a complete circle of validation... in other words, it's redundant. If your AJAX information is already being validated by a server-side script, then there's no reason to validate it again with a client-side script.

The only thing you could possibly be worried about at this point is someone re-routing where the data goes; and just to elaborate on that, I mean someone could *only* route the data to the current page. So if your AJAX says to route the output to #results, theoretically, someone could re-route it to go to #somethingElse; but it would only last until they refreshed the page.
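An added example, not code from the thread or from freeloader's post, that walks the four steps fortnox007 numbered and the two points Zane makes: the client cannot make the server skip its checks (anyone can call getText.php directly, so the server-side check is the one that counts), and the client does not need to "validate" the reply again. It adds the caveat a practitioner would want about the posted client: `'getText.php?name=' + nameValue` sends the value without URL encoding, so a value containing `&` turns into extra query parameters, and `innerHTML = responseText` parses whatever the server returns as markup. The server part below is a JavaScript stand-in for what getText.php might do (an assumption; the real script is not on this page), the `NAMES` list stands in for the MySQL result and is constructed here, and the allowlist pattern for `name` is an illustrative choice.

```javascript
// Added example (not from the thread). Runs in Node without a browser or PHP.

// --- Step 1: the client builds the request ---------------------------------
// The posted code concatenates nameValue into the URL as-is. With
// encodeURIComponent the value stays one parameter even if it contains '&', '=', '#'.
function buildSearchUrl(nameValue) {
  return "getText.php?name=" + encodeURIComponent(nameValue);
}

// --- Steps 2-3: server side (stand-in for getText.php, an assumption) ------
// Parse a query string roughly the way PHP's $_GET does: last duplicate key wins.
// Malformed percent-encoding is dropped instead of thrown, so it can never reach
// the lookup with a half-decoded value.
function parseQuery(queryString) {
  const params = {};
  for (const pair of queryString.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    try {
      params[decodeURIComponent(key)] = decodeURIComponent(value);
    } catch (e) {
      // bad escape sequence: ignore this pair
    }
  }
  return params;
}

// Constructed sample data standing in for the MySQL table.
const NAMES = ["alice", "alan", "bob"];

// Output escaping, the same job PHP's htmlspecialchars() does on the server.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The only check that matters. Whoever requests the URL (the posted JS, curl,
// a hand-written script) lands here, so changing the client cannot bypass it.
// The allowlist (letters only, 1-32 chars) is an illustrative choice.
function handleGetText(queryString) {
  const name = parseQuery(queryString).name;
  if (typeof name !== "string" || !/^[A-Za-z]{1,32}$/.test(name)) {
    return { status: 400, body: "" };
  }
  const prefix = name.toLowerCase();
  const matches = NAMES.filter((n) => n.startsWith(prefix));
  // Everything that came from the request or the database is escaped on output.
  return { status: 200, body: matches.map(escapeHtml).join(", ") };
}

// --- Step 4: the client receives the body ----------------------------------
// The posted handler assigns responseText to innerHTML, so markup in the body is
// parsed by the browser. Assigning to textContent treats it as plain text. `el`
// is any object with those two properties; a real DOM element behaves the same.
function renderResponse(el, body, asHtml) {
  if (asHtml) {
    el.innerHTML = body;
  } else {
    el.textContent = body;
  }
  return el;
}

// Whole round trip as the posted page would perform it, with a corrected client.
function roundTrip(nameValue) {
  const url = buildSearchUrl(nameValue);
  const res = handleGetText(url.slice(url.indexOf("?") + 1));
  return { url: url, status: res.status, body: res.body };
}
```

Two things to try: `handleGetText("name=a&name=b")` (what the posted client sends for the input `a&name=b`) is seen by the server as `name=b`, while `buildSearchUrl("a&name=b")` keeps the whole string as one value and the allowlist rejects it; and `handleGetText("name=%3Cimg%20src%3Dx%3E")` is rejected no matter which client, or no client at all, sent it. That is Zane's point: the client has nothing to re-validate, but which DOM property it writes the reply into is still its own decision.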
fortnox007 Posted September 6, 2010 (Author)

That was initially what I was thinking and hoping too, at least for the first (validating) part of your reply. The second part I do not yet quite understand, but perhaps tomorrow I will understand it better with rebooted brains. I am not really familiar yet with the advanced hacking techniques. But is the following what you mean? To use my visual thing: someone is theoretically able to reroute the output that would normally go to index.php to somewhere else or another domain? If that is the case, I don't yet see what sneaky stuff one could do, but I bet it's cool.

Thanks a lot Zane, really appreciate it.
Zane Posted September 6, 2010

No, they cannot re-route the data to another domain, only to the current page. Say for instance you have the results routed to a DIV located at the bottom of the page; theoretically, someone could have the data go to the top of the page; that's about it. But they can only do it live; meaning, once they refresh it's all ...... refreshed.
fortnox007 Posted September 6, 2010 (Author)

Ah, I see what you mean. That doesn't seem like a very risky thing then, but maybe that's because I am still a novice. Thanks a lot for the help!