All,

I have a PHP website written in Zend Framework and MVC. Most of the controller actions check whether the request is an Ajax request or not; otherwise they redirect the user to the home page. I am thinking about various ways to break that site. I am considering the following scenario:

  1. A user creates his own PHP project on his local machine.
  2. The user writes a jQuery Ajax POST request to one of the controllers on my site and tries to post malicious info. Ex:

    $.ajax({
        type: 'POST',
        url: "https://marketsite/getinfo/getstuff",
        cache: false,
        dataType: "html",
        success: function(html_response){
            alert(html_response);
        },
        error: function(xhr,ajaxOptions,errorThrown){
            alert(errorThrown);
        }
    });
    

My question is: does the "url" attribute in the Ajax request above take an absolute path? I know it takes a relative path. Also, is it possible to break any site by sending such requests?

Thanks

+1  A: 

Unless your clients modify their browser security settings, AJAX requests are limited to relative paths of their originating websites. Of course, a hacker can alter the JavaScript to point to any URL he wants.

mcandre
+5  A: 

My Question is does "url" attribute in the ajax request above take absolute path?

The Same Origin Policy prevents JavaScript from making a request and reading the response unless it is to the same host, port and protocol.

That doesn't stop an attacker from making any HTTP request they like (it is trivial to construct one manually that looks the same as one made via JS) and it doesn't stop an attacker from tricking a user into making any request the attacker likes (it does stop the attacker getting the response to that request though).

There is no need for the attacker to involve PHP or any other server side language to do any of this.

Also, is it possible to break any site by sending such requests?

That depends on how the site is written. You should apply the same security checks on URIs designed for access via JavaScript as those designed for access with a direct request from the browser.

David Dorward
Vincent
I am not sure if I am protected from an attacker's attack. Are there any resources for further reading on this?
Vincent
You need to guard against someone who is just making arbitrary requests to your AJAX handler. One way is to set a cookie to a random value. Hash that cookie value and append it to your AJAX request: "https://marketsite/getinfo/getstuff?verifier=[hashed_value]". The AJAX request will send both the cookie and the hashed value, and you could verify the request is genuine.
dana
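The two points made above (the Ajax-detection header can be set by any HTTP client, and a cookie-bound verifier value lets the server tell a page-issued request from an arbitrary one) as an added example in plain PHP. This is not code from the question, the answers or Zend Framework; the function names, the `sid` cookie, the `verifier` query parameter, the server secret and the three sample requests are all constructed here. It derives the verifier as a keyed HMAC of the cookie value rather than a plain hash, which is a design choice of this example, not something the comment specifies.

```php
<?php
// Added example: header-only "is this Ajax?" check beside a verifier
// bound to the session cookie. Not from the original post or Zend Framework.
// All names and sample requests below are constructed for illustration.

declare(strict_types=1);

// Server-side secret used to derive the verifier from the cookie value.
// Constructed placeholder; in a real deployment load it from configuration.
const SERVER_SECRET = 'replace-with-a-long-random-secret';

// Issue a random cookie value for a new session (32 bytes of entropy, hex-encoded).
function newSessionCookie(): string
{
    return bin2hex(random_bytes(32));
}

// Derive the verifier the site's own page appends to its Ajax URLs.
// Keyed HMAC of the cookie value: a request that does not know the
// cookie (Same Origin Policy keeps it from other sites) cannot compute it.
function verifierFor(string $cookieValue): string
{
    return hash_hmac('sha256', $cookieValue, SERVER_SECRET);
}

// The check the question describes: only looks at X-Requested-With.
// Any HTTP client can send this header, so it is not a security boundary.
function weakCheck(array $headers): bool
{
    return ($headers['X-Requested-With'] ?? '') === 'XMLHttpRequest';
}

// Hardened check: the request must carry the session cookie *and* a
// verifier equal to HMAC(cookie). hash_equals() compares in constant time.
function strongCheck(array $cookies, array $query): bool
{
    $cookie   = $cookies['sid'] ?? '';
    $verifier = $query['verifier'] ?? '';
    if ($cookie === '' || $verifier === '') {
        return false;
    }
    return hash_equals(verifierFor($cookie), $verifier);
}

// Constructed sample requests, modelled as header / cookie / query arrays.
$sid = newSessionCookie();
$requests = [
    // Genuine request from the site's own page: cookie plus matching verifier.
    'genuine' => [
        'headers' => ['X-Requested-With' => 'XMLHttpRequest'],
        'cookies' => ['sid' => $sid],
        'query'   => ['verifier' => verifierFor($sid)],
    ],
    // Request a victim's browser was tricked into sending (e.g. a form post):
    // the cookie goes along automatically, but there is no custom header and
    // the verifier is unknown to whoever built the form.
    'cross-site' => [
        'headers' => [],
        'cookies' => ['sid' => $sid],
        'query'   => [],
    ],
    // Direct request from a script: the header is trivially supplied,
    // but there is no session cookie and the verifier is a guess.
    'direct' => [
        'headers' => ['X-Requested-With' => 'XMLHttpRequest'],
        'cookies' => [],
        'query'   => ['verifier' => 'guess'],
    ],
];

foreach ($requests as $name => $r) {
    printf(
        "%-11s weak=%-5s strong=%s\n",
        $name,
        weakCheck($r['headers']) ? 'pass' : 'fail',
        strongCheck($r['cookies'], $r['query']) ? 'pass' : 'fail'
    );
}
```

Run it with `php` on the command line: the direct request passes the header-only check and fails the verifier check, the cross-site request fails both, and only the genuine request passes both. The verifier only helps if the page that embeds it is served to the authenticated user and the cookie value is unpredictable; regenerate the cookie on login and keep the `sid` cookie `HttpOnly` so scripts injected elsewhere cannot read it.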
A: 

Hi,

David's answer was very helpful, and I need to mention a couple of pieces of information:

  1. Zend Framework has a function to detect Ajax requests; check this: Detecting AJAX Requests.

  2. There is an open-source project out there (PHPIDS); it's very handy. It allows you to:

Currently the PHPIDS detects all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks. Through special conversion algorithms the PHPIDS is even able to detect heavily obfuscated attacks – this covers several charsets like UTF-7, entities of all forms – such as JavaScript Unicode, decimal- and hex-entities as well as comment obfuscation, obfuscation through concatenation, shell code and many other variants.

Hopefully I helped you :)

tawfekov