user727

Reputation: 15

Protect direct access of AJAX based URL

We have a page where a user can come and create his ID, so any unauthorized user can come and create his ID.

The problem is that this page has some AJAX calls for validation, which check whether the ID format the user is entering on screen is correct or not.

An attacker can note down the AJAX-based URL through Browser -> Inspect Element and can choke our server by calling it multiple times through some attacking tools.

Please note the AJAX-based URL hits a web service which, in my opinion, is doing a resource-intensive operation (i.e. is the domain correct or not, does the user already exist or not?).

I am using Spring MVC as the web application framework. Can I protect against direct access of the (AJAX) URL by an unauthorized user?

Upvotes: 1

Views: 350

Answers (2)

Manigandan

Reputation: 1

I have a similar requirement, of protecting my AJAX resources: not to be called from the browser address bar, but via an AJAX request, basically an XMLHttpRequest.

Wrote an AjaxOnlyFilter which looks for the URL mappings in an array of Strings and, if one matches, checks for the presence of the "X-Requested-With" header.

If the header is not present OR its value does not match "XMLHttpRequest", then invoke forward on the RequestDispatcher to an error page, or set a 400 status.

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class AjaxOnlyFilter implements Filter {

    // Logger is assumed to be SLF4J; the original snippet only referenced LOGGER
    private static final Logger LOGGER = LoggerFactory.getLogger(AjaxOnlyFilter.class);

    // URL fragments that may only be reached through an XMLHttpRequest
    private String[] mappings = { "/model", "/records" , "/update" , "/insert", "/delete"};

    // true when the request URL contains any of the protected mappings
    public boolean urlContainsMappingsFromAJAXList(String url)
    {
        for(int i = 0; i < mappings.length; i++)
        {
            if(url.contains(mappings[i]))
            {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {

        HttpServletRequest httpServletRequest = (HttpServletRequest) request;

        StringBuffer requestURL = httpServletRequest.getRequestURL();

        if(urlContainsMappingsFromAJAXList(requestURL.toString())){

            String requestedWithHeader = httpServletRequest.getHeader("X-Requested-With");

            //if X-Requested-With header is not XMLHttpRequest
            if(requestedWithHeader==null || (!requestedWithHeader.equalsIgnoreCase("xmlhttprequest"))){
                LOGGER.debug("Not an AJAX request, forwarding to error page");
                // path is resolved relative to the current request
                httpServletRequest.getRequestDispatcher("error404.jsp").forward(request, response);
                return;
            }
            //else continue with filter chain
        }
        //else continue with filter chain

        // pass the request along the filter chain
        filterChain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to initialise
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

Upvotes: 0

David-SkyMesh

Reputation: 5171

You can't hide the URL of the web service if it's being requested by AJAX (XMLHttpRequest).

You'd be best to implement server-side "throttling" (google it!) on the web server that serves your web service. If a particular IP makes too many requests, or some overall threshold of requests is passed, you return a web-service exception that asks the user to try again later.

In the case of a DDoS, you'll need to deal with that at the network routing level.

Upvotes: 1
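The per-IP throttling described in this answer, as an added example that is not code from the question or either answer: a servlet filter with a fixed-window counter per client address that rejects the validation call with HTTP 429 once a budget is exceeded. The class name, the budget (20 requests per 10 seconds) and the use of the TCP peer address as the key are assumptions for the example.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Fixed-window limiter keyed by client address: at most MAX_PER_WINDOW requests per WINDOW_MS.
public class ThrottleFilter implements Filter {
    private static final int MAX_PER_WINDOW = 20;   // assumed budget for the validation endpoint
    private static final long WINDOW_MS = 10_000L;  // assumed window length

    // Per-client counter together with the start time of its current window.
    private static final class Window {
        final long start; final AtomicLong count = new AtomicLong();
        Window(long start) { this.start = start; }
    }
    // Entries are never evicted here; a production filter would expire idle windows.
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    // true while the caller is within budget, false once it should be rejected.
    boolean allow(String clientKey, long nowMs) {
        Window w = windows.compute(clientKey, (k, old) ->
            (old == null || nowMs - old.start >= WINDOW_MS) ? new Window(nowMs) : old);
        return w.count.incrementAndGet() <= MAX_PER_WINDOW;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getRemoteAddr() is the TCP peer; behind a trusted reverse proxy key on its forwarded header.
        if (!allow(request.getRemoteAddr(), System.currentTimeMillis())) {
            response.setStatus(429);  // Too Many Requests
            response.setHeader("Retry-After", String.valueOf(WINDOW_MS / 1000));
            response.getWriter().write("Too many requests, try again later");
            return;                   // the resource-intensive web service is never invoked
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter only to the validation URL pattern (web.xml or Spring's FilterRegistrationBean) so ordinary page loads are not counted against the budget.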