17

What happens if a user looks at my JavaScript file, copies the content of a function and sends a request to my server using AJAX? And is there a way to properly protect against this from happening?

3 Answers

15

The way to protect against this is no different from the way you protect against any web request. You make it so that your site requires some form of authentication (i.e. users have to log in) and don't do anything if the request is not properly authenticated.

Typically, when you make an AJAX request, cookies are also sent along with the request so you should just be able to use the same authentication method that you use for your regular requests with your AJAX requests.


2 Comments

Ahh, makes sense. I just didn't know whether browsers had some sort of cross-domain protection. Thanks, bud.
The browser won't allow XMLHttpRequest from another server/domain. However, if you are allowing JSON-P requests, it could happen; also, someone could spoof the browser. Treat requests for AJAX like any other, as mentioned.
9

As per codeka, there is no way to prevent someone from crafting their own Ajax query that is identical to the one you have in your JavaScript request. Cross-domain protection will not necessarily protect you there, as they can, if they wished, just type the JavaScript into the address bar for themselves while on a page on your site.

The only protection you have is to validate the input and parameters provided through the Ajax query on the server-side. Limit each PHP or Python or whatever response script to a very specific task, and check the input on the server-side. If something's wrong, respond with an error.

In short, there is no way to prevent someone from sending the request, but you can prevent them from doing something you don't want them to do on your server.

1 Comment

Does this mean one could never create a secure and generalized CRUD architecture using AJAX?
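The approach the answers above describe, as an added example that is not from the original answers: a Python endpoint handler that treats every request the same way regardless of where it was crafted, checking an HMAC-signed session cookie against a session table and validating parameters before acting. The secret, the in-memory session and item tables, and `handle_delete_item` are constructed assumptions for illustration, not a real framework's API.

```python
# Added example (not from the original question or answers). The handler
# does not care whether the request came from the site's own JavaScript or
# was hand-crafted; it only checks the session cookie (the same mechanism a
# regular page request would use) and validates the parameters.
import hmac, hashlib, json
from http.cookies import SimpleCookie

SECRET = b"constructed-server-secret"      # assumption: per-deployment secret
SESSIONS = {"sess-42": {"user_id": 7}}      # constructed stand-in for a session table
ITEMS = {12: 7, 55: 9}                      # constructed: item_id -> owner user_id

def sign(session_id: str) -> str:
    """Cookie value carrying an HMAC tag so a tampered session ID is detectable."""
    tag = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id + "." + tag

def verify(signed: str):
    """Return the session ID if its tag matches, else None."""
    session_id, _, tag = signed.rpartition(".")
    expected = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    if session_id and hmac.compare_digest(tag.encode(), expected.encode()):
        return session_id
    return None

def handle_delete_item(headers: dict, body: str) -> tuple:
    """One narrow task: delete an item owned by the logged-in user.
    Returns (status, response) like a web framework would."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    sid = verify(cookie["session"].value) if "session" in cookie else None
    session = SESSIONS.get(sid) if sid else None
    if session is None:
        return 401, {"error": "not authenticated"}   # missing or forged cookie
    try:
        item_id = int(json.loads(body)["item_id"])
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "invalid parameters"}  # bad input, even when logged in
    if ITEMS.get(item_id) != session["user_id"]:
        return 403, {"error": "not your item"}       # authenticated but not authorised
    return 200, {"deleted": item_id}
```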
0

Assuming that you need some form of authentication:

I guess you can maintain a database session to validate whether the request is coming from a genuine user or is forged. Use encrypted cookies to store the session ID, and refer the cookie's session ID to the database to validate the user.

