Securing Ajax.php script


funnymoney
08-25-2009, 11:16 AM
I started using some simple Ajax on my website, and the first thing that I saw is that you can see the ajax.php file that was called by the Ajax function. I'm trying to secure it so that if someone tries to access it directly he gets redirected to the home page.

I saw that you can set a named request header from Ajax and use it on the requested page. Is that enough?

function ajaxFunction()
{
    var xmlhttp;
    if (window.XMLHttpRequest)
    {
        // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    }
    else if (window.ActiveXObject)
    {
        // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    else
    {
        alert("Your browser does not support XMLHTTP!");
        return; // without this, xmlhttp is undefined below and the script throws
    }

    xmlhttp.onreadystatechange = function()
    {
        // readyState 4 = response complete; also check the HTTP status so an
        // error page is not written into the document
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
        {
            document.getElementById("ajaxtest").innerHTML = xmlhttp.responseText;
        }
    };
    xmlhttp.open("GET", "ajax/msg.php", true);
    // Use a hyphen in the header name: PHP still exposes it as
    // $_SERVER['HTTP_X_SECURE'], while Apache 2.4 silently drops
    // header names that contain underscores.
    xmlhttp.setRequestHeader("X-Secure", "secure");
    xmlhttp.send(null);
}

msg.php

<?php
// Redirect when the header is missing OR has the wrong value.
// The original used &&, which let any non-empty value through.
if (empty($_SERVER['HTTP_X_SECURE']) || $_SERVER['HTTP_X_SECURE'] != "secure") {
    header("Location: ../");
    exit; // header() alone does not stop the script
}
else {
    print "Running ajax";
}
?>

But, what if someone sends that header with curl or something similar, is it possible to "break" this script, and how to make it more secure?

ckeyrouz
08-25-2009, 04:46 PM
Authentication:
username and password

Check in the session if the user is authenticated or not and then if he is not authenticated redirect him to home page.

funnymoney
08-25-2009, 09:16 PM
Authentication:
username and password.

well, any concrete ideas?

ohgod
08-26-2009, 03:18 PM
you can also check the referring URL and make sure it's what you think it should be.

but, with as simple a tool as "Tamper Data" for Firefox, a lot of information can be faked. make sure to really sanitize the input more than anything.

one thing I've heard of people doing is, as PHP is building your form, have it set a session var to a randomly generated string and make the hash of that session var a hidden input. when you get to the processing page it would hash that session var again and see if they match.

even at that plain old session handling like ckeyrouz said is really the first step.
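An added example, not code from anyone in this thread, putting the two suggestions together in PHP: the server-side session check instead of the X_SECURE header, plus the random session value whose hash travels with the request. Assumed names: a hypothetical login page sets $_SESSION['user_id'], and the token arrives either as a POST field 'token' or in a header X-Form-Token.

```php
<?php
// Added example: session-authenticated AJAX endpoint with a per-session form token.
// Assumptions: login sets $_SESSION['user_id']; token comes as POST 'token' or
// header X-Form-Token (PHP exposes it as $_SERVER['HTTP_X_FORM_TOKEN']).
session_start();

// Called while building the form: a random secret lives only in the session;
// the page carries just its SHA-256 hash (ohgod's hidden-input idea).
function issue_form_token(): string
{
    if (empty($_SESSION['form_secret'])) {
        $_SESSION['form_secret'] = bin2hex(random_bytes(32));
    }
    return hash('sha256', $_SESSION['form_secret']);
}

// Emit the hidden input the JS reads and sends back with the AJAX request.
function render_token_input(): string
{
    return '<input type="hidden" id="token" value="'
         . htmlspecialchars(issue_form_token(), ENT_QUOTES) . '">';
}

// Called on the processing page: recompute the hash from the session secret
// and compare in constant time. A client that never loaded the form, or that
// has a different session, cannot produce a matching token.
function verify_form_token(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['form_secret'])) {
        return false;
    }
    return hash_equals(hash('sha256', $_SESSION['form_secret']), $submitted);
}

// --- ajax/msg.php body ---
// Step 1 (ckeyrouz): only the server-side session proves who the caller is;
// any HTTP client (curl, Tamper Data) can send a custom header.
if (empty($_SESSION['user_id'])) {
    header('Location: ../');
    exit; // header() alone does not end the script
}
// Step 2 (ohgod): the request must carry the token issued with the form.
$token = $_POST['token'] ?? $_SERVER['HTTP_X_FORM_TOKEN'] ?? null;
if (!verify_form_token($token)) {
    http_response_code(403);
    exit('Bad request token');
}
// Both checks passed. Every input value is still untrusted and must be
// validated before use, as ohgod points out.
print 'Running ajax';
```

The page that embeds the AJAX call echoes render_token_input() and sets the header with xmlhttp.setRequestHeader("X-Form-Token", document.getElementById("token").value); the endpoint itself no longer looks at X_SECURE at all.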

A1ien51
08-27-2009, 07:41 PM
How would you handle securing any other page? Username and password with session. You are not going to be able to find a URL from anyone.

Eric