Reputation: 12376
Server methods are exposed inside AJAX: Is it secure
When we call a server method with AJAX we have to specify its name and parameters. Is it OK security-wise? Aren't there any concerns about this?
Upvotes: 2
Views: 73
Answers (1)
Reputation: 50368
There is, indeed, a security issue here: namely that any method that you can call with AJAX can also be called by an attacker with any arguments they want. Thus, you need to make sure that any methods thus exposed are harmless even if called maliciously.
If you do need to expose methods that do something potentially harmful via AJAX, you need to ensure that these methods will only perform their intended actions if the user is properly authenticated, and that the scope of the actions is limited to what the user is authorized to do. The authentication information should be transmitted in some manner that makes it hard for an attacker to intercept it, such as in an HttpOnly cookie.
Also, such methods should be protected against CSRF attacks, by which an attacker could trick an authenticated user into calling a method they did not intend to. The standard solution is to pass a secondary authentication token as a parameter to the method, and only allow access if both the token and the cookie match.
The short version is: anything that's exposed via AJAX is, well, exposed. Treat it as part of the attack surface.
Upvotes: 2
Related Questions
- Security risk in using jQuery Ajax
- Securing a remote ajax method call
- Ajax Security and code-behind functions
- Implementing Security for Ajax calls
- Making AJAX calls secure
- Does AJAX have any special security concerns?
- Security Questions on jQuery Ajax method
- How to "Secure" AJAX calls?
- Securing AJAX requests
- Security of AJAX requests