Sawyer

Reputation: 15927

ajax security?

When I looked back at code I wrote some time ago, I found something terribly bad. Whenever I wanted to delete a record in the database, I did it like this:

$.post("deleteAction.do",{recordId:10});

I cannot prevent a malicious user from visiting my database operation URL directly:

deleteAction.do?recordId=10 

What's the solution for this kind of problem?

Upvotes: 2

Views: 215

Answers (4)

Joop

Reputation: 2839

It really depends on your data and the checks you do on the server side. For example, if you check whether the user is allowed to perform the delete action on that record, it isn't such a big problem. If you don't, it means the user can delete the data of other users too. My suggestion would be:

  1. Add extra checks on the server side to prevent users from deleting data other than their own.
  2. Instead of using integers you can also use something like GUIDs, or another identifier that is hard to alter (read: unpredictable). This prevents "smartheads" from trying to break down your application.

Upvotes: 3

Quentin

Reputation: 944216

It doesn't matter if you involve Ajax or not. If a URI does something sensitive on the server or exposes sensitive data, then you need to protect it. Usually with some form of authentication + authorisation. A cookie-based technique is normal for this. The specifics of implementing it depend on the design of your backend system.

As an aside, you shouldn't allow GET requests for non-safe actions. Since your request is a POST, but you use a GET example of the problem, this suggests you just need to add an "Is this a POST request?" check to the server-side script. Note that this won't be enough protection in itself; a malicious user can make arbitrary POST requests almost as easily as arbitrary GET requests. (Which brings us back to Authen/Authz)

Upvotes: 2

Darin Dimitrov

Reputation: 1039378

The only way to prevent this is to use authentication on your site and allow only some users to perform those operations. Any public action would be accessible by any malicious user.

Upvotes: 1

cHao

Reputation: 86565

Your server-side code should check the currently logged-in user and make sure they have permission to delete stuff. That'll prevent malicious action by strangers, but will require adding some authorization/permission stuff to your web app.

Upvotes: 1
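
The checks the answers above describe (POST only, an authenticated session, a per-record ownership check), as an added example that is not part of any answer: a framework-free JavaScript handler over constructed in-memory data. The `sid` cookie name, the session and record stores, and the function names are assumptions made for illustration.

```javascript
// Added illustration: constructed in-memory data; every name here is hypothetical.
const sessions = new Map([["sid-alice", "alice"], ["sid-bob", "bob"]]); // session id -> user
const records = new Map([[10, { owner: "alice" }], [11, { owner: "bob" }]]);

// Parse a Cookie header such as "theme=dark; sid=sid-alice" into an object.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// req: { method, headers: { cookie }, body: { recordId } } -> { status, error? }
function deleteAction(req) {
  // 1. State-changing actions are accepted over POST only.
  if (req.method !== "POST") return { status: 405, error: "POST required" };

  // 2. Authentication: the session cookie must map to a known user.
  const sid = parseCookies((req.headers || {}).cookie).sid;
  const user = sid ? sessions.get(sid) : undefined;
  if (!user) return { status: 401, error: "not logged in" };

  // 3. Input validation: the id comes from the client and is untrusted.
  const id = Number((req.body || {}).recordId);
  if (!Number.isInteger(id)) return { status: 400, error: "bad recordId" };

  // 4. Authorization: only the owner may delete. Missing and not-owned records
  //    get the same answer, so the response does not reveal which ids exist.
  const rec = records.get(id);
  if (!rec || rec.owner !== user) return { status: 404, error: "no such record" };

  records.delete(id);
  return { status: 204 };
}

// bob replays the request from the question against alice's record: refused.
console.log(deleteAction({ method: "POST", headers: { cookie: "sid=sid-bob" }, body: { recordId: 10 } }));
```

The ownership check in step 4 is what stops a logged-in user from deleting someone else's record; the method and session checks alone do not.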
