0

I am trying to find a way to filter ajax calls in order to add a fine layer of security to my applications. Does the code bellow make any sense?

function is_ajax(){//Help Secure Ajax Calls
    if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest') return;
    else die;//no ajax
}

My dream is only let a file inside my server (htm or php) to access another php file via ajax.

I wonder if the code bellow would not do better:

if(strpos($_SERVER['REQUEST_URI'],'http://')) die;//Help Secure From URL Include Attacks

Thanks.

Improve this question

4 Answers 4

Reset to default
7

Since the AJAX call is always made from the browser, the request is not coming from your own server, but the client machine. Even if you set custom headers, these can easily be manipulated on the client side.

If your goal is to only allow your own scripts to access the script containing the ajax content, I'd recommend generating a token string that is only valid for a certain requested url and a specified time.

Quick and dirty example:

Script requesting the AJAX resource:

$secret ="ABC1232";

$item = array(
  "time"=>time(),
  "token_id"=>"<page_url>"
);

$signed = base64_encode(hash_hmac("sha256",json_encode($item),$secret));
$item = base64_encode(json_encode($item));

$ajax_url = "myscript.php?signed=$signed&item=$item";

AJAX Resource, check the token is valid

$item = json_decode(base64_decode($_REQUEST["item"]));

$timeout = 3600;

if($item->time < (time()-$timeout)){
  die("Invalid token - timeout");
}

if($item->token_id !== "<page_url>"){
  die("Invalid token - page url");
}

$secret ="ABC1232";
$valid = ($_REQUEST["signed"] === base64_encode(hash_hmac("sha256",json_encode($item),$secret));

if(!$valid){
  die("Invalid token");
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

4

Your Ajax is as secure as your application layer. Ajax is just client side code accessing server side code. There is probably no way in securing it the way you want since anyone can emulate Ajax calls from within any language by just modifying the request headers. One more thing most ajaxified frameworks do include HTTP_X_REQUESTED_WITH but it's not 100% reliable.

Just secure your server code and your good to go. If you really want to at least let your server code know that it's receiving an ajax call, use a parameter on the request.

Improve this answer

Comments

1

Assume that anything that can be requested by AJAX will also be accessed directly and you will be in a much safer place. You really should consider why you would only ever want something to be accessed via AJAX in the first place. The HTTP_X_REQUESTED_WITH header is unreliable and easily spoofed so it provides no real security anyway.

Improve this answer

2 Comments

Sorry, I'm a bit confused... Can't I at least test if the request is coming from a file that it's in fact inside the server?
Requests don't come from files, they come from clients. Any URL referenced in a file could be referenced directly by the client. You probably need to look at security a different way, like authorize URL / request by user.
0

I think for a little more security you could decode your secret string after you encode it. then echo than decoded string in php and then copy it. then on the the $valid variable 

$valid = (base64_decode($_REQUEST["signed"]) === "blahblahblah that you copied from php");
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.