Jump to content

Recommended Posts

Dear fellow phpfreaka's and freakys,

 

I just saw a nice post on the phpcoding help forum with some ajax in it. Since I am a complete novice on Ajax, but eager to learn it please let me know if there are things i should pay attention to security wise ;)

 

For instance the following code:

//Gets the browser specific XmlHttpRequest Object
function getXmlHttpRequestObject() {
   if (window.XMLHttpRequest) {
      return new XMLHttpRequest();
   } else if(window.ActiveXObject) {
      return new ActiveXObject("Microsoft.XMLHTTP");
   } else {
      alert("Your Browser Sucks!\nIt's about time to upgrade don't you think?");
   }
}

//Our XmlHttpRequest object to get the auto suggest
var searchReq = getXmlHttpRequestObject();

//Called from keyup on the search textbox.
//Starts the AJAX request.
function writeText(nameValue) {
   if (searchReq.readyState == 4 || searchReq.readyState == 0) {
      searchReq.open("GET", 'getText.php?name=' + nameValue, true);
      searchReq.onreadystatechange = handleResponse;
      searchReq.send(null);
   }      
}
//Called when the AJAX response is returned.
function handleResponse() {
   if (searchReq.readyState == 4) {
      var str = searchReq.responseText;
      document.getElementById('textValue').innerHTML = str;
   }
}

 

For instnace, are those return objects save? I mean isn't it possible to spoof them or anything. I really have no idea and I am scared to death to output anything without validating. If someone knows or maybe has some stuff to really take a look at to make ajax secure (if it wasn't allready, but that i don't know) please let me know.

 

The code I gave was from this post by freeloader:

http://www.phpfreaks.com/forums/index.php/topic,309154.0.html

 

thanks in advance! ;)

Link to comment
https://forums.phpfreaks.com/topic/212619-ajax-and-security/
Share on other sites

You can always spoof client side information, but usually AJAX is meant for an asynchronous connection with a server-side script, which you can't spoof.  Well, by "can't spoof" I mean your security is such that you have *specific* GET and POST variables (and values) you are looking for.

 

What exactly is it that you're worried about?

 

 

Link to comment
https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107642
Share on other sites

Well I am afraid if I validated everything properly in the .php-functionality-file which ajax calls the stuff has to be validated again in ajax before returned to the orginal page. so to make it more visible. see the image below ; )

 

zoayhj.png

 

I have given numbers to the steps.

1) user input triggers AJAX and requests functionality.php to act. This userinput gets validated by functionality.php itself.

2) validated request reached MySQL

3) MySQL returns data to functionality.php where php validates it again on output.

4) functionality.php returns data to ajax.

 

My question is mainly about step 4. Does ajax again needs to validate the output from functionality.php or is it safe this way?

 

Link to comment
https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107653
Share on other sites

Validating output from an AJAX request would just make a complete circle of validation... in other words.. it's redundant.

 

If you're AJAX information is already being validated again by a server-side script, then there's no reason to validate it again with a client side script.  The only thing you could possibly be worried about at this point is some one re-routing where the data goes; and just to elaborate on that, I mean someone could *only* route the data to the current page.  So if your AJAX says to route the output to #results, theoretically, someone could re-route it to go to #somethingElse; but it would only last until they refreshed the page.

Link to comment
https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107674
Share on other sites

That was initially what I was thinking too and hoping too. At least for the first (validating)part of your reply. The second part I not yet quite understand, but perhaps tomorrow I will understand it better with rebooted brains ;). I am not really familiar yet with the advanced hacking techniques  :D But  is the following what you mean? :

To use my visual thing. Someone is theoretically able to reroute the output that would normally go to index.php. to somewhere else or another domain? If that is the case I don't yet see what sneaky stuff one could do, but I bet it's  cool :)

 

Thx a lot Zanos really appreciate it

Link to comment
https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107685
Share on other sites

No, they cannot re-route the data to another domain, only to the current page.  Say for instance you have the results routed to a DIV located at the bottom of the page, theoretically, someone could have the data go to the top of the page; that's about it..  But they can only do it live; meaning, once they refresh it's all ...... refreshed.

Link to comment
https://forums.phpfreaks.com/topic/212619-ajax-and-security/#findComment-1107692
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.