
Ajax security issues



auriaks
04-03-2013, 04:14 PM
Hi,

I have a few Ajax engines working on my website, but I am quite new to the security risks they might bring...

Let's say I have page1.php, from which my ajaxEngine.php is called...

in page1.php I have:


function myFirstAction(value)
{
    var xmlhttp;   // declare locally instead of leaking a global
    if (window.XMLHttpRequest)
    {   // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    }
    else
    {   // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    // encodeURIComponent keeps characters such as & or # in value from being
    // read as part of the URL; the third argument false makes the call synchronous
    xmlhttp.open("GET", "/content/ajaxEngine.php?value=" + encodeURIComponent(value), false);
    xmlhttp.send(null);
    // whatever ajaxEngine.php returns is rendered as HTML here
    document.getElementById('myResponse').innerHTML = xmlhttp.responseText;
}


and in my ajaxEngine.php I check whether the variable value isset() and whether it is something I am looking for to work with.

BUT.

If you open the browser dev tools, you can see what I am sending to my ajaxEngine.php.

In this case I assume that this request can be made by a hacker with some other harmful script included.

How secure is it to do it this way??

All opinions are welcome.

Kind regards,
Auriaks

rnd me
04-03-2013, 06:16 PM
If you open the browser dev tools, you can see what I am sending to my ajaxEngine.php.

In this case I assume that this request can be made by a hacker with some other harmful script included.

How secure is it to do it this way??


The PHP should only do what you allow it to, no matter what the input is.

Ajax alone doesn't really provide any more or any less security than using forms alone.

Any time you accept input in a back-end, you must validate the data and perhaps the requester to maintain legitimacy.
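Working through those two points (validate the data, and perhaps the requester) for a handler like the poster's ajaxEngine.php, as an added example that is not code from the thread: the PHP session, the per-session token sent in an X-Ajax-Token header, and the two load*() stand-in functions are assumptions.

```php
<?php
// Added example, not the thread's ajaxEngine.php: a hardened handler for
// GET /content/ajaxEngine.php?value=...
// Assumed (not in the thread): the user has a PHP session, page1.php holds a
// per-session token in $_SESSION['ajax_token'] and its JavaScript sends it
// back in an X-Ajax-Token request header; load*() stand in for DB queries.
declare(strict_types=1);
session_start();
header('Content-Type: text/html; charset=UTF-8');

// Stand-ins for the real work; constructed data only.
function loadLatest(): string  { return 'Newest entry: <hello>'; }
function loadPopular(): string { return 'Most read entry'; }

// 1. Validate the requester, not just the data. Anyone can replay the URL
//    seen in dev tools, so tie the request to a logged-in session and a
//    token that a page on another site cannot read or send.
$sent = $_SERVER['HTTP_X_AJAX_TOKEN'] ?? '';
if (empty($_SESSION['user_id'])
    || !isset($_SESSION['ajax_token'])
    || !hash_equals($_SESSION['ajax_token'], $sent)) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Validate the data. isset() only proves the parameter exists; an
//    allow-list maps each accepted value to a fixed server-side action, so
//    the PHP does only what you allow, whatever the input looks like.
$actions = [
    'latest'  => 'loadLatest',
    'popular' => 'loadPopular',
];
$value = $_GET['value'] ?? null;
if (!is_string($value) || !array_key_exists($value, $actions)) {
    http_response_code(400);
    exit('unknown value');
}

// 3. Escape the response. page1.php assigns responseText to innerHTML, so
//    anything echoed here is rendered as HTML by the browser.
echo htmlspecialchars($actions[$value](), ENT_QUOTES, 'UTF-8');
```

A request with value=latest but no valid session or token gets 403, value=foo gets 400, and the "<hello>" in the constructed data reaches the page as text rather than markup.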


