views: 186, answers: 2

I use Ajax (jQuery) and the POST method to update data in the database. I do the following:

  • Get data from the form: user_id, entry_id, content,...
  • Send them to a URL which will process the data.
  • If the data is valid, we will record them in our database.

I do not know how to verify that the user sends data from my website and not from other places. Please help me solve this problem. Thanks!

+5  A: 

You're trying to defend against CSRF attacks.

The standard defense is to require a token in the POST that is retrieved from a different AJAX request. Because of the browser's cross-domain defenses, Javascript that is outside of your domain will not be able to get a token.

SLaks
They could run a bot to get the token. So the best way, I think, is to include a cookie also; besides, if you don't want the attack, go for a captcha.
DucDigital
@DucDigital: What are you talking about?
SLaks
+1  A: 

There are several issues here:

  1. Authentication and authorisation of the user who is doing the operation
  2. Protection against CSRF.

Decide which you need to do. The first should be able to be handled by cookies, HTTP authentication (which the browser sends for AJAX requests too) or some custom method (e.g. an extra parameter containing authentication).

CSRF is a different matter, but you can quite easily avoid it by ensuring that the request really came in via AJAX, not via a normal form-post. This should be achievable by tacking on an extra header which someone cannot add by making an HTTP form (NB: not all headers can be added by Javascript; try using an X-Header).

Another possibility is to not use a form-encoded post in the first place; if you expect a JSON object in the body, that cannot come from another site, as browsers will not send it via an HTTP POST normally.

MarkR
+1 for your opening, -1 for your last two paragraphs: You need to defend against attacks that are HTTP-based, but not necessarily browser-based. We can't assume any theoretical attackers will be using just a browser. Link spammers are way more advanced than that, as one example.
T.J. Crowder
Cross-site request forgery is where your legitimate users are tricked into using their own browser (with its authentication and cookies) to make unintended requests. Using a non-form based POST or custom headers avoids this specific attack.
MarkR