Parth Thakkar

Reputation: 5475

Ajax, PHP and Security?

My question is that suppose, in my web app, I use ajax to call upon methods on the server side, isn't it creating a security hole in the app? Like, say I have an option for the user to deactivate the account, which can be done by clicking a button. This is done via Ajax.

So, can't a hacker send a request to the server to deactivate the account instead of the user? HELP!!!

Upvotes: 2

Views: 248

Answers (3)

Quentin

Reputation: 944255

My question is that suppose, in my web app, I use ajax to call upon methods on the server side, isn't it creating a security hole in the app?

From a security perspective, there is no difference between an HTTP request that involves JavaScript and one which doesn't (e.g. that uses a regular form, or is handcrafted).

… but you can't call methods from the client, you can only make requests to URIs. The server might cause a method to be called based on receiving a request to a specific URI.

So, can't a hacker send a request to the server to deactivate the account instead of the user?

They could, which is why you need (trustworthy) authentication / authorisation and CSRF protection (just like you would for a request to disable an account that didn't involve Ajax).

Upvotes: 1

Callum Jones

Reputation: 595

This Ruby on Rails security guide has a great explanation on how to deal with AJAX requests that could be potentially exploited. It's not specific to RoR so the concepts can apply to any platform.

One way to reduce the risk of cross site requests is to use POST for actions that modify or delete data.

Upvotes: 0

Uku Loskit

Reputation: 42040

This is not a problem with AJAX alone, but with any arbitrary HTTP request that wants to authenticate/maintain a session. The user needs to be authenticated in some way in order to make requests; this is usually done with cookies. Using AJAX does not make the matter any worse though, because it is still an HTTP request.

Authentication alone is not enough though, someone could always be listening on the wire and capture the authentication cookie, and thus get hold of the session - "become you". The only solution here is to encrypt the connection on a lower OSI layer level (using SSL/TLS). This is why you should always use SSL when it comes to authentication.

Upvotes: 0
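The three answers above describe the same checklist for a state-changing endpoint: authenticate the session, authorise only the caller's own account, accept the action only over POST, tie it to a CSRF token, and keep the session cookie off the wire in clear text. The following PHP handler for the "deactivate account" button in the question is an added example (not code from the question or any of the answers) that puts all of those checks in one place. The `$pdo` connection and the `users` table with `id` and `active` columns are assumptions made up for the illustration; `deactivate.php` is a hypothetical file name.

```php
<?php
// deactivate.php: server-side handler for the "Deactivate account" button.
// Added illustration, not code from the question or answers.
// Assumes a configured PDO connection in $pdo and a table
// users(id, active) -- both hypothetical.
declare(strict_types=1);

// Session cookie hardening (Uku Loskit's point): sent only over TLS,
// unreadable from JavaScript, and not attached to cross-site requests.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Issue one CSRF token per session. The page that renders the button
// embeds $_SESSION['csrf_token'] (e.g. in a <meta> tag) for the JavaScript
// to send back; an attacker's page cannot read it, so it cannot forge it.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

/** Send a JSON error and stop processing. */
function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// 1. State-changing actions only via POST (Callum Jones's point): a GET
//    endpoint could be triggered by an <img> or a link on any site.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST required');
}

// 2. Authentication (Quentin's point): the request must carry a valid
//    logged-in session, whether it came from Ajax, a form, or curl.
if (empty($_SESSION['user_id'])) {
    fail(401, 'not logged in');
}

// 3. CSRF protection: the token stored in the session must be echoed back.
//    hash_equals() compares in constant time.
$sent = $_POST['csrf_token'] ?? '';
if (!is_string($sent) || !hash_equals($_SESSION['csrf_token'], $sent)) {
    fail(403, 'bad CSRF token');
}

// 4. Authorisation: act only on the authenticated user's own row. The id
//    comes from the session, never from the request body, so a logged-in
//    user cannot deactivate somebody else's account.
$stmt = $pdo->prepare('UPDATE users SET active = 0 WHERE id = :id');
$stmt->execute([':id' => (int) $_SESSION['user_id']]);

// The account is gone; end the session so the cookie is useless from here on.
session_destroy();

header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

On the client side the button's handler reads the token from the page and sends it with the request, for example `fetch('/deactivate.php', { method: 'POST', body: new URLSearchParams({ csrf_token: token }) })`; the browser attaches the session cookie automatically. The point of the example is that nothing in it inspects whether the request came from Ajax: a handcrafted request that lacks a valid session cookie or the session's token is rejected at step 2 or 3, and one that has both is, by construction, the user's own.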
