Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 7 of 7
  1. #1
    New to the CF scene
    Join Date
    Jun 2013
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    How to ensure javascript calls aren't spoofed?

    Hi,

    I have a web service that must service JQuery ajax clients. The physical JavaScript files that communicates with my web service is created and hosted by me. So the scenario is much like some embedded Google script or similar that many websites use.

    My trouble is: How can i ensure that the client request comes from a valid customer. I can't rely on stuff that can be spoofed (e.g. http-referer).

    Thanks

    --
    Werner

  • #2
    Senior Coder rnd me's Avatar
    Join Date
    Jun 2007
    Location
    Urbana
    Posts
    4,184
    Thanks
    10
    Thanked 569 Times in 550 Posts
    you can add code inside the JS file to check window.location.href for a white-listed domain, but honestly, i wouldn't worry about it unless your server is getting overloaded. The harder you make it to steal, the lower the overall quality for your real customers. If you have to check 300 domains each time, the script will load slow and nobody will want to use it...
    my site (updated 13/9/26)
    BROWSER STATS [% share] (2014/1/19) IE7:0.2, IE8:6.7, IE11:7.4, IE9:3.8, IE10:4.4, FF:18.3, CH:43.6, SF:7.8, MOBILE:27.5

  • #3
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,020
    Thanks
    75
    Thanked 4,323 Times in 4,289 Posts
    Ummm...300 domains is nothing. We check OVER 8 MILLION domains on each page hit. And thanks to good old MySQL it takes so little time nobody is ever aware we did it.

    And if you checked 300 ip addresses in JS code, even that would take ZERO time.

    Just build you list of IP addresses thus:
    Code:
    var okayIPs  = {
        '123.67.88.101' : 'Adam Adams',
        '47.11.191.2'  : 'Ben Bova',
        ...
    };
    And then you can do:
    Code:
        var user = okayIPs[ currentIpAddress ];
        if ( user == null )
        {
             location.href = "http://www.google.com";
        }
        alert( "Welcome, " + user ); //okay, you shouldn't use an alert
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #4
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,020
    Thanks
    75
    Thanked 4,323 Times in 4,289 Posts
    But in any case, such anti-spoofing measures are better handled with server-side code. There's almost always a way to get around client-side protections.

    And it sounds to me like that's exactly what you will do here: You don't really care about whether the AJAX request is spoofed so long as the server responding to it can validate that the request is coming from a legitimate IP address. No?
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #5
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,455
    Thanks
    0
    Thanked 632 Times in 622 Posts
    If you do check it in JavaScript then anyone who that code would block would simply override that code so it doesn't block them.

    The browser owner has full control of the JavaScript that runs in their browser.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #6
    New to the CF scene
    Join Date
    Jun 2013
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks all,

    But as this thread suggests, relying on window.location is probably not what the big boys do it (Google, Amazon etc).

    And in any case, as 'Old Pedant' pointed out, the logic is probably better done server-side.

    So in my mind I'm thinking of a token-system where part of the token is a secret key to avoid man-in-the-middle attacks. My trouble is then, how would a JS script store that key? I mean, it would have to be in the script itself right?

  • #7
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,020
    Thanks
    75
    Thanked 4,323 Times in 4,289 Posts
    You know, even Google isn't quite *that* paranoid. For example, if you request a key for the google maps api, then you can just plop that key into your URL that requests a map service. Google matches that key with your URL and allows/disallows it.

    If somebody grabs your key *AND* manages to spoof your URL, then I think google will just not care.

    At some point, you have to decide if the protection measures cause more problems than they are worth.

    But I could certainly imagine that you could use an integrated client/server solution.

    Say that you require your use to have their server make a request to your site, asking for a temporary key. Their site *AND* its IP address must be registered with you. When they ask for the temporary key, the must (a) make the request from the registered IP address, (b} tell you the URL they will be making the AJAX request from.

    So you give them back this temporary key. Say it is only good for NN minutes (you choose NN). They incorporate it into their AJAX request. Your code looks for that key and also looks for the HTTP_REFERER to match the web page they specified when they asked for the key. If all is okay, you deliver the AJAX content.

    This is not perfect, but for you to be spoofed, the spoofer would have to do so within those same NN minutes that the key is good for and spoof the HTTP_REFERER to match the web page.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •