I have many lists e.g. a todo list, a shopping list etc. on my web page. I am using AJAX to add or delete the items. For example, for a todo list my HTML is like:

<tr id="todo_userttypea_23"> <td>name</td><td>Delete</td></tr>

Note that if the user presses delete then I am deleting that row.

I get the id of the row and then break it to find which operation to perform and which id to delete.

But I have found that if I use Firebug then I can change the id dynamically to any number, and I have found that it is possible to delete any id, even if it does not belong to that user, by editing the HTML.

What should I do to prevent this?

+4  A: 

Perhaps you should check to see, on a delete ajax request, whether the user doing the deletion is permitted to delete the item.

Greg Hewgill
+6  A: 

I think you are confusing Javascript functionality with security. If your user is not allowed to delete AuntMarysShoppingList#32, then the server shouldn't let him no matter what the client requests.

You can obfuscate your JS code, but on some level, you have to assume your user is an honest broker, and isn't going to go out of their way to delete something (the hard way, by hacking JS) that they have the rights to delete anyway.

Josh Pearce
+5  A: 

You need to add Authorization checking on the server side. Whether the request is ajax or otherwise is irrelevant.

Andy Gaskell
+6  A: 

The main principle is "never trust incoming data". Any data you get sent from outside can be manipulated - Parameters, Headers, Referers, everything. A good and safe system does not trust any of these.

If you have multiple users working on the same database, you will probably need to implement an authorization system that defines clearly who is allowed to do what to which record.

That is usually done using a session-based login system of some sort, based on one of the scripting languages like PHP, Ruby, ASP or Perl. There are pre-built solutions available.

Pekka
Actually I was thinking that the user can't change the id of the elements, so I made the functions like that. But now I have realised that the data can be changed, so firstly I will authorize the delete functions and then I will move towards the other functions.
Mirage
One more question: is it possible to edit the data being posted? I mean stop the request, then change the data midway and then post.
Mirage
I'm not sure what you mean but in general, when the data has arrived in your script (where you fetch it using $_GET[xyz] in PHP for example), from that point it can *not* be changed anymore.
Pekka
I mean to say, when you click the button then the data is posted and the Firebug console shows which variables you are posting. Then is it possible by any method to edit the posted variables and then submit the form to the script? I mean to intercept the data before submitting to the PHP script.
Mirage
I suppose in theory, it would be possible to intercept and alter the data at any point it goes through: Your computer, your router, and the various points along the route to the server. "Man in the middle" attacks impersonating a start or end point are of that category. But I don't think that should be of concern right now. What counts right now is securing the server side.
Pekka
I think you are right. I am now encoding the userid and sending it with every post, and then on the server side I can match that.
Mirage
That doesn't sound safe to me yet. Does the user have to log in? Does he get a unique session ID when logging in?
Pekka
+1  A: 

You basically need something like this on the server-side:

if (itemBelongsToUser(itemId, currentUserId)) {
    deleteItem(itemId);
}
David Thibault
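As an added example, not code from any of the answers above: a Node-style delete handler that applies the ownership check sketched by David Thibault and Pekka's point that the acting user must come from the server-side session, not from anything the client posts. The in-memory store, the session object and the row-id parser are assumptions made for the example.

```javascript
// Added example (not from the original answers). Constructed sample data:
// itemId -> { list, owner }. Stands in for the real database.
const items = new Map([
  [23, { list: 'todo', owner: 'alice' }],
  [42, { list: 'shopping', owner: 'bob' }],
]);

// Row ids in the HTML look like "todo_userttypea_23": <list>_<tag>_<numericId>.
// The server extracts only the list name and the numeric id; the middle
// segment is never used for anything security relevant. (Assumed format.)
function parseRowId(rowId) {
  const m = /^([a-z]+)_[a-z0-9]+_(\d+)$/.exec(String(rowId));
  return m ? { list: m[1], itemId: Number(m[2]) } : null;
}

function itemBelongsToUser(itemId, userId) {
  const rec = items.get(itemId);
  return rec !== undefined && rec.owner === userId;
}

// Vulnerable variant (the "send the user id with every post" idea from the
// comments): the user id is read from the POST body, so any client can claim
// to be any user and delete that user's rows.
function deleteTrustingClient(body) {
  const parsed = parseRowId(body.rowId);
  if (!parsed) return 400;
  if (!itemBelongsToUser(parsed.itemId, body.userId)) return 403;
  items.delete(parsed.itemId);
  return 200;
}

// Hardened variant: the acting user comes from the server-side session only.
// The row id is still untrusted input; it is parsed, then checked against
// the stored record (both owner and list) before anything is deleted.
function deleteWithAuthz(session, body) {
  if (!session || !session.userId) return 401;
  const parsed = parseRowId(body.rowId);
  if (!parsed) return 400;
  const rec = items.get(parsed.itemId);
  // Answer 404 for "not yours" as well as "does not exist", so the endpoint
  // does not confirm which ids belong to other users.
  if (!rec || rec.list !== parsed.list || rec.owner !== session.userId) return 404;
  items.delete(parsed.itemId);
  return 200;
}
```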