Help with AJAX and security

[ttocskcaj]

Me and one other person have just started developing a forum package, it's the first time that either of us have really used AJAX, but we're both pretty good with PHP.

We're trying to work out the whole submitting a registration form using AJAX, we have the page

http://www.example.com/account/register

When the user visiter goes to this site they're presented with the registration form, as you'd expect.

When the form is submitted, AJAX does a POST request thing (Whatever you call it) to the same page, the script on this page checks to see if there's any post data and if there is, it validates it and sends it to the database etc.

 

The problem is, what is there to stop anyone from sending post data to this site and adding random users?

The same problem would occur if we were to add functions to delete and change users. Any hackers could send post data and delete users.

 

Are we doing something wrong, or is there something obvious we've missed? 

[Psycho]

The problem is, what is there to stop anyone from sending post data to this site and adding random users?

The same problem would occur if we were to add functions to delete and change users. Any hackers could send post data and delete users.

 

How is this any different than if you were not using AJAX? A user can create a script to POST data to your pages all they want. You still need to ensure that the data being submitted is valid and prevent unauthorized users from performing actions they shouldn't. Again, this has nothing to do with AJAX.

 

So, figure out how you would want to restrict/verify the functionality and implement that within your script. Plus, AJAX should (ideally) be built on top of code that would work without JavaScript enabled.

 

For example, if you only want to allow certain users to add a particular record you would probably want to implement several validations/checks:

 

1. If there was a link to access the "add record" page, then you would not display that link for unauthorized users

2. When the "add record" page is called you would validate the user again. If not authorized send to an error page, else display the add record form

3. Finally, on the page that accepts the POST data you would validate that the user is authorized to add the record before processing it.

 

Out of the above, #3 is the most important. So, on your AJAX enabled form, when POST data is received the script should validate that the user is authorized before processing the data. If not, send back an error code that you can display on the page.

[ttocskcaj]

I guess you're right about it not being different from normal.

It's all good to not link to these pages, but it won't take a hacker long to figure out how it works, especially since it's an open source project.

 

When you say authorized, do you mean check if there is a user session and the user is logged in etc?

How would you authorize a user that hasn't actually registered yet?

It's probably not likely, but someone could mess around and add random users to the database.

[dzelenika]

in my own quasi framework, every request, even ajax is proxied through index.php.

When visitor visits site session is generated, and user is tracked through every following request (ajax or normal page).

If you are careful enough, how can visitor add user to database?

[scootstah]

I guess you're right about it not being different from normal.

It's all good to not link to these pages, but it won't take a hacker long to figure out how it works, especially since it's an open source project.

 

When you say authorized, do you mean check if there is a user session and the user is logged in etc?

How would you authorize a user that hasn't actually registered yet?

It's probably not likely, but someone could mess around and add random users to the database.

 

Let's put it this way - if you can do it with a normal request, you can do it with AJAX. If you can't do it with a normal request, you can't do it with AJAX.

[m3bik]

The problem is, what is there to stop anyone from sending post data to this site and adding random users?

 

Isn't that why they have CAPTCHAs?

[Psycho]

When you say authorized, do you mean check if there is a user session and the user is logged in etc?

How would you authorize a user that hasn't actually registered yet?

It's probably not likely, but someone could mess around and add random users to the database.

 

"Authorized" is whatever YOU determine it means. If you have an open page for users to register, then you have an open page for users to register. The fact that you are using AJAX has absolutely no bearing on the issue - none. If with a "normal" form that is submitted a user can create scripts to POST any data they want as often as they want (without using your form).

 

So, let's forget about AJAX. If you want to prevent users from making multiple submissions you need to implement some sort of method to prevent it. As m3bik suggested, CAPTCHA is a pretty standard method to ensure that you at least have a human that is entering/submitting the form (or someone that has built a very good OCR cabable bot!). You can also put some checks in place using IP addresses and a frequency check. You shouldn't restrict any duplicates submissions from an IP address unconditionally as you can have many people behind the same IP address. But, it could be appropriate to block submissions from the same IP address after 20 submissions within an hour. Or something to that effect. You just need to be sure that the criteria you set would be outside the edge conditions for valid users.

[ttocskcaj]

Ok, Thanks guys. I understand that it's no different from a normal form now.

We'll probably implement captcha and some sort of frequency checks.