fortnox007 Posted September 5, 2010 Share Posted September 5, 2010 Dear fellow phpfreaka's and freakys, I just saw a nice post on the phpcoding help forum with some ajax in it. Since I am a complete novice on Ajax, but eager to learn it please let me know if there are things i should pay attention to security wise For instance the following code: //Gets the browser specific XmlHttpRequest Object function getXmlHttpRequestObject() { if (window.XMLHttpRequest) { return new XMLHttpRequest(); } else if(window.ActiveXObject) { return new ActiveXObject("Microsoft.XMLHTTP"); } else { alert("Your Browser Sucks!\nIt's about time to upgrade don't you think?"); } } //Our XmlHttpRequest object to get the auto suggest var searchReq = getXmlHttpRequestObject(); //Called from keyup on the search textbox. //Starts the AJAX request. function writeText(nameValue) { if (searchReq.readyState == 4 || searchReq.readyState == 0) { searchReq.open("GET", 'getText.php?name=' + nameValue, true); searchReq.onreadystatechange = handleResponse; searchReq.send(null); } } //Called when the AJAX response is returned. function handleResponse() { if (searchReq.readyState == 4) { var str = searchReq.responseText; document.getElementById('textValue').innerHTML = str; } } For instnace, are those return objects save? I mean isn't it possible to spoof them or anything. I really have no idea and I am scared to death to output anything without validating. If someone knows or maybe has some stuff to really take a look at to make ajax secure (if it wasn't allready, but that i don't know) please let me know. The code I gave was from this post by freeloader: http://www.phpfreaks.com/forums/index.php/topic,309154.0.html thanks in advance! Quote Link to comment https://forums.phpfreaks.com/topic/212619-ajax-and-security/ Share on other sites More sharing options...
Zane Posted September 5, 2010 Share Posted September 5, 2010 You can always spoof client side information, but usually AJAX is meant for an asynchronous connection with a server-side script, which you can't spoof. Well, by "can't spoof" I mean your security is such that you have *specific* GET and POST variables (and values) you are looking for. What exactly is it that you're worried about? Quote Link to comment https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107642 Share on other sites More sharing options...
fortnox007 Posted September 5, 2010 Author Share Posted September 5, 2010 Well I am afraid if I validated everything properly in the .php-functionality-file which ajax calls the stuff has to be validated again in ajax before returned to the orginal page. so to make it more visible. see the image below ; ) I have given numbers to the steps. 1) user input triggers AJAX and requests functionality.php to act. This userinput gets validated by functionality.php itself. 2) validated request reached MySQL 3) MySQL returns data to functionality.php where php validates it again on output. 4) functionality.php returns data to ajax. My question is mainly about step 4. Does ajax again needs to validate the output from functionality.php or is it safe this way? Quote Link to comment https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107653 Share on other sites More sharing options...
Zane Posted September 6, 2010 Share Posted September 6, 2010 Validating output from an AJAX request would just make a complete circle of validation... in other words.. it's redundant. If you're AJAX information is already being validated again by a server-side script, then there's no reason to validate it again with a client side script. The only thing you could possibly be worried about at this point is some one re-routing where the data goes; and just to elaborate on that, I mean someone could *only* route the data to the current page. So if your AJAX says to route the output to #results, theoretically, someone could re-route it to go to #somethingElse; but it would only last until they refreshed the page. Quote Link to comment https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107674 Share on other sites More sharing options...
fortnox007 Posted September 6, 2010 Author Share Posted September 6, 2010 That was initially what I was thinking too and hoping too. At least for the first (validating)part of your reply. The second part I not yet quite understand, but perhaps tomorrow I will understand it better with rebooted brains . I am not really familiar yet with the advanced hacking techniques But is the following what you mean? : To use my visual thing. Someone is theoretically able to reroute the output that would normally go to index.php. to somewhere else or another domain? If that is the case I don't yet see what sneaky stuff one could do, but I bet it's cool Thx a lot Zanos really appreciate it Quote Link to comment https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107685 Share on other sites More sharing options...
Zane Posted September 6, 2010 Share Posted September 6, 2010 No, they cannot re-route the data to another domain, only to the current page. Say for instance you have the results routed to a DIV located at the bottom of the page, theoretically, someone could have the data go to the top of the page; that's about it.. But they can only do it live; meaning, once they refresh it's all ...... refreshed. Quote Link to comment https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107692 Share on other sites More sharing options...
fortnox007 Posted September 6, 2010 Author Share Posted September 6, 2010 Ah I see what you mean. That doesn't seem like a very risky thing than. but maybe because I am still a novice Thanks a lot for the help! Quote Link to comment https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107696 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.