
Here is my sample.html file, located at http://www.aaa.com/sample.html

<html>
<head>
  <!-- jQuery has to be loaded before $ can be used -->
  <script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
  <script>
    $(document).ready(function(){
      // Same-origin POST from sample.html to the aaa.com API
      $.post('http://www.aaa.com/api/_file.php?act=add', {val : '1234'});
    });
  </script>
</head>
<body>

</body>
</html>

and this is my PHP file that receives the request from the sample.html file

<?php
  // Dispatch on the "act" query parameter; "?? ''" avoids an undefined-index
  // notice when the parameter is missing
  switch($_GET['act'] ?? ''){
    case 'add' :
      doFunction();
      break;
  }

  function doFunction(){
    // Echoes the POSTed value straight back into the response, unescaped
    echo $_POST['val'] ?? '';
  }

?>

if I have another HTML page like hack.html that is located on another website, for example http://www.bbb.com/hack.html

<html>
<body>
  <!-- Cross-site link to the same aaa.com endpoint that sample.html calls -->
  <a href="http://www.aaa.com/api/_file.php?act=add">Hack them!!!</a>
</body>
</html>

Can I use the bbb.com website to access data in aaa.com by clicking some link? If yes, how do I protect against it?

Any idea, or a better way?

Regards. (^^)

    I don't understand. What are you trying to prevent, exactly? Commented Jan 24, 2011 at 16:14

1 Answer


There are two possible problems here.

  1. Cross site scripting (XSS)
  2. Cross site request forgery

Defend against the first by:

  • Not allowing HTML to be added to the site (for the user or any other user) by users. Run htmlspecialchars over all data before outputting it to the site. If you are setting attribute values instead of data that appears between tags, then you need to take additional steps (e.g. forbidding data: or javascript: scheme URIs).
  • Parsing all HTML input and running it through a white list before outputting it.

Defend against the second by:

  1. Starting a session, and storing a random value in the data when the user first visits a non-editing page. (You will probably want to generate a new token periodically).
  2. Including that value in any form you use that can make changes (or in the query string if you are using a link, but you shouldn't be; GET requests are supposed to be safe).
  3. Rejecting any request that doesn't have a value in the form data that matches the value in the session. (A third party site can't read it from the session so wouldn't know what value to use).
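A hardened version of the aaa.com endpoint that applies both defences the answer describes (escaping output for XSS, and a per-session token checked on every state-changing request for CSRF). This is an added example, not the questioner's or the answerer's code; the file path /api/_file.php, the form markup and the field name csrf_token are assumptions.

```php
<?php
// Added example: hardened /api/_file.php (assumed path) for www.aaa.com.
declare(strict_types=1);

session_start();

// Step 1 of the CSRF defence: one random token per session, created the
// first time a page asks for it. Regenerate it by unsetting the key.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Step 3: a request is accepted only if it carries the session's token.
// bbb.com cannot read aaa.com's session, so it cannot supply this value.
function csrfValid(?string $submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    // Constant-time comparison; a plain == would leak timing information.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// XSS defence: escape user data before it goes into HTML text or attributes.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function doFunction(): void
{
    $val = (string)($_POST['val'] ?? '');
    echo 'Received: ' . e($val);   // escaped, unlike the original echo
}

$act = $_GET['act'] ?? '';

if ($act === 'add') {
    // Changes must arrive by POST. The <a href> on bbb.com produces a GET,
    // so it is refused before the token is even looked at.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    doFunction();
    exit;
}

// Step 2: any page on aaa.com that can trigger a change embeds the token.
// (Assumed form; the jQuery caller would read this hidden field and send
// it along with "val".)
?>
<form method="post" action="/api/_file.php?act=add">
  <input type="hidden" name="csrf_token" value="<?= e(csrfToken()) ?>">
  <input type="text" name="val">
  <button type="submit">Add</button>
</form>
```

For the Ajax caller in sample.html, pass the token as a second field in the `$.post` data, for example by reading it from the hidden input. Note that the echoed value is now escaped with `ENT_QUOTES`, so it is also safe inside a quoted attribute; it is still not safe inside a `<script>` block or a `href`, where the answer's additional steps (rejecting `javascript:` and `data:` URIs) apply.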
