views:

145

answers:

4

Just now I'm writing a project, and I decided to write it with jQuery and AJAX requests.

The only thing I don't know is: is it secure enough?

For example, when I verify the username when registering a new user, I use a jQuery AJAX request,

I get the array of existing usernames from the DB (with JSON), and then verify; if new_username is not inArray() of the existing usernames, I make another request and register the user.

But what about security? Maybe a hacker can find a way to change some of my if-else statements, and my whole security will break.

Maybe you'll help me to understand this situation?

Thanks

+6  A: 

Why are you implementing any of that client-side?

You should send the username/password over HTTPS in an AJAX query and have the server respond with only the data required for the user to move on, not the whole username list.

Even putting security aside, what if you have millions of users? You're going to send that list to all clients for them to log in?

Ben S
Even when using HTTPS I wouldn't send that whole list to the user; if visitors can view that list (using whatever tool) they can see who registered on your site. Moreover, don't solely rely on client-side validation; it's easy to bypass JavaScript.
Marcel Korpel
@Ben S it's just an example, I just try to understand the working of jQuery from a security point of view (sorry for English language mistakes :)
Syom
Just keep in mind that anything you do on the client can be modified and viewed by the user. Any time you need to perform a secure operation, you need to have the server verify.
Ben S
+12  A: 

(In the following I assume that the username is the ID with which a user can log in, not some kind of nickname ;))

  1. Getting all the usernames as JSON is bad. Then an attacker gets all registered usernames immediately!
    Just send the username to the server, validate it there and send either "valid" or "invalid" as response. I.e., check the availability on the server side.

  2. Always validate the user input on the server side. JavaScript can be disabled.

Update:

It does not matter whether jQuery is involved or not. Everything that you send to the client (and is not hashed or encrypted) can be read by the client; it doesn't matter whether it is an XMLHttpRequest or a "normal" request.

Would you send an HTML table with all the usernames to any visitor of your site? I hope not :)

Summary:

  • Only send data that the client is allowed to have access to.
  • Validate user input on the server side.
  • Never trust user input.
Felix Kling
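The server-side shape this answer recommends, as an added example that is not from the original answer: the endpoint receives only the candidate username and replies "valid" or "invalid", the list of existing users never leaves the server, and registration repeats the same checks rather than trusting the client's earlier result. The `existingUsers` set, the format rule and the endpoint names are assumptions made for the example.

```javascript
// Constructed stand-in for the users table in the database.
const existingUsers = new Set(['alice', 'bob', 'carol']);

// Assumed format rule for usernames: 3-20 chars, letters, digits, underscore.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;

function isWellFormed(username) {
  return typeof username === 'string' && USERNAME_RE.test(username);
}

// Handler for a hypothetical /check-username request. The response carries
// only the verdict; the set of taken names is never serialised to the client.
function checkUsername(body) {
  const username = body && body.username;
  if (!isWellFormed(username)) {
    return { result: 'invalid' };
  }
  const taken = existingUsers.has(username.toLowerCase());
  return { result: taken ? 'invalid' : 'valid' };
}

// Handler for a hypothetical /register request. The server cannot know whether
// the client ran the availability check, or whether its JavaScript was altered,
// so it validates everything again before storing the user.
function registerUser(body) {
  const verdict = checkUsername(body);
  if (verdict.result !== 'valid') {
    return { ok: false, reason: 'username rejected' };
  }
  if (typeof body.password !== 'string' || body.password.length < 8) {
    return { ok: false, reason: 'password too short' };
  }
  existingUsers.add(body.username.toLowerCase());
  return { ok: true };
}

// The matching jQuery call on the client would be, e.g.:
//   $.post('/check-username', { username: name }, function (r) { ... r.result ... });
// and the client only ever sees "valid" or "invalid".
```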
+1 for the HTML table! :D
Marcel Korpel
no, I send it as a list, not a table :D
Syom
BTW, I know a lot of sites that send all usernames to the visitor; it's called a ‘member list’ on many forums. [Even SO does](http://stackoverflow.com/users) ;-)
Marcel Korpel
@Syom - lol, at least you are semantically correct :)
Anurag
+2  A: 

Security is one of those things that is best done server side if possible. My typical approach to AJAX login is to send the username and an MD5 or SHA1 hashed password to a method on the server which will then take care of all of the login details. The details of that implementation will really depend on your server-side technology, but most web application frameworks have facilities in place to do that. There may even be some solutions which include JavaScript libraries to handle the client side work as well.

ckramer
+5  A: 

Ajax is not a replacement for server-side code. While it is possible to implement login and registration functionality using ajax, you will still need to validate and store data on the server.

A more sane implementation would simply send an HTTPS request to the server containing the username and password, to which the server would respond with a yay or nay.

Nick
Ajax is not a replacement for server side code <<< THIS!!!