All,
I have a PHP website written in Zend Framework and MVC. Most of the controller actions check if the request is an Ajax request or not, else they redirect the user to home page. I am thinking about various ways to break that site. I am considering the following scenario:
- A user creates his own PHP project on his Local machine.
User writes a JQuery ajax post request to one of the controllers on my site and tries to post malicious info. Ex:
$.ajax({ type: 'POST', url: "https://marketsite/getinfo/getstuff", cache: false, dataType: "html", success: function(html_response){ alert(html_response); }, error: function(xhr,ajaxOptions,errorThrown){ alert(errorThrown); } });
My Question is does "url" attribute in the ajax request above take absolute path? I know it takes relative path. Also, is it possible to break any site by sending such requests?
Thanks