I am using jQuery to call PHP files via the $.get method:

function fetchDepartment(company_id)
{
    $.get("ajax/fetchDepartment.php?sec=departments&company_id="+company_id, function(data){
        $("#department_id").html(data);
    });
}

What I am thinking is can I secure the filename even further?

Currently I have a global access check within the .php file that checks if the user is logged in, if he can access this data, etc.

But I am wondering if there are further steps I can take so a user couldn't see this filename, or what other steps you recommend to take.

A: 

Pretty much the only way you can obscure the URL for a certain piece of information from the user is by not loading it in through HTTP. Maybe you can load a set of data on the calling page, or another page with a more generic URL.

Aram Verstegen
+1  A: 

Encoded requests
You could make the request details effectively invisible to the casual miscreant by encoding almost all of the URL and then decoding the request details server-side.

The request details would include the action you wish to perform plus the parameters relevant to that action.

All requests would be sent to a single URL, where a server-side process would decode the request details and perform the relevant action as required.

Example
Original URL:
/ajax/delete.php?parameter1=foo&parameter2=bar

Request details:
action=delete&parameter1=foo&parameter2=bar

Encoded request details (encoded using base64):
YWN0aW9uPWRlbGV0ZSZwYXJhbWV0ZXIxPWZvbyZwYXJhbWV0ZXIyPWJhcg==

Encoded URL:
/ajax/?request=YWN0aW9uPWRlbGV0ZSZwYXJhbWV0ZXIxPWZvbyZwYXJhbWV0ZXIyPWJhcg==

I don't believe there is native functionality to encode to base64 in JavaScript, but it's far from impossible to find a suitable method or to write your own.

With obfuscated/minified client-side JavaScript it would be quite tricky for someone to determine how to make a request 'by hand'.

Hide implementation details
There are a number of practices you can follow to make your application less susceptible to attack through URL misuse.

Let's start with a URL of: ajax/fetchDepartment.php?sec=departments&company_id=99

There's no need to reveal what server-side technology you're using (PHP) nor, through the query string (sec, company_id), what the query string values actually mean.

Masking the server-side technology
Assuming you have index.php defined as a default, the following URLs are equivalent:

  • ajax/fetchDepartment.php?sec=departments&company_id=99
  • ajax/fetchDepartment/index.php?sec=departments&company_id=99
  • ajax/fetchDepartment/?sec=departments&company_id=99

The third URL does not reveal the server-side technology you're using. This limits the range of possible attacks. It also makes it easier for you to switch over to a different server-side technology without changing your URLs.

Hiding the meaning of request parameters

  • ajax/fetchDepartment/?sec=departments&company_id=99
  • ajax/99/departments/

The latter URL still conveys enough information to perform the request without revealing what the information means.

Whilst someone could still change the values, they won't know what they're changing. This will make it more difficult for an attacker to evaluate and understand the result of any URL changes they make.

Jon Cram
Very nice answer, thank you.
Ólafur Waage
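
The encoded-request scheme from the second answer, as an added example that is not part of the original posts: the single endpoint decodes the base64 request and still runs the login and per-record access checks the question describes, because base64 can be reversed by anyone who sees the URL. It is written in JavaScript (Node.js) rather than PHP so both sides run in one file; `handleRequest`, `session.companyIds` and the `DEPARTMENTS` data are assumptions made for illustration.

```javascript
// Added example; handleRequest, session.companyIds and DEPARTMENTS are hypothetical names.
const DEPARTMENTS = { 99: ["Sales", "Support"], 100: ["Legal"] }; // constructed sample data

// Client side: pack the action and its parameters into one base64 "request" value.
function encodeRequest(action, params) {
  const qs = new URLSearchParams({ action, ...params }).toString();
  return Buffer.from(qs, "utf8").toString("base64");
}

// Base64 needs no key, so the request details can be read back from any URL.
function decodeRequest(encoded) {
  const qs = Buffer.from(String(encoded), "base64").toString("utf8");
  return Object.fromEntries(new URLSearchParams(qs));
}

// Allow-list of actions. Each one validates its parameters and checks that
// this user may access this record before returning anything.
const ACTIONS = {
  fetchDepartment(req, session) {
    if (!/^[0-9]{1,9}$/.test(req.company_id || "")) {
      return { status: 400, body: "bad company_id" };
    }
    const id = Number(req.company_id);
    if (!session.companyIds.includes(id)) {
      return { status: 403, body: "forbidden" };
    }
    return { status: 200, body: DEPARTMENTS[id] || [] };
  },
};

// Single endpoint: login check first, then decode, then dispatch.
function handleRequest(encoded, session) {
  if (!session || !session.userId) return { status: 401, body: "login required" };
  const req = decodeRequest(encoded);
  const known = Object.prototype.hasOwnProperty.call(ACTIONS, req.action);
  if (!known) return { status: 400, body: "unknown action" };
  return ACTIONS[req.action](req, session);
}
```

The access decision depends only on the session and the decoded values, so it gives the same result whether the request arrives encoded or as a plain query string.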