
  1. #1
    kvijayhari, I'm not a human (Join Date: Aug 2006, Location: India, Posts: 281)

    How to stop a JavaScript function being accessed from the location bar?

    Hi,

    I have a site, and on that site a page contains AJAX code.
    A JavaScript function makes an HTTP request to another page with some arguments in the URL; the server page gets the values from the URL and inserts them into the database.

    Someone looked at my code and then hacked it to enter wrong values into the database.

    He directly called the JavaScript function from the location bar itself.

    How should I prevent this?
    Regards,
    Vijay
    Follow me on twitter @vijaycbe
    World Holiday Calander || My Cricket Blog

  2. #2
    SitePoint Wizard (Join Date: Mar 2001, Posts: 3,537)
    Quote Originally Posted by kvijayhari View Post
    He directly called the JavaScript function from the location bar itself.

    How should I prevent this?
    You can't.

  3. #3
    AutisticCuckoo, SitePoint Author (silver trophy, bronze trophy; Join Date: Nov 2004, Location: Ankh-Morpork, Posts: 12,158)
    You can't, but it sounds as if you are abusing the HTTP protocol. Requests via GET must be idempotent, i.e., they may not have side effects (like changing a database).

    If you want to update a database through Ajax calls, make sure to use POST requests. Those cannot be replicated via the browser's location bar, although they can be faked by malicious external scripts. You'll still need other safety mechanisms in place.
    Birnam wood is come to Dunsinane

  4. #4
    SitePoint Wizard (Join Date: Mar 2001, Posts: 3,537)
    Quote Originally Posted by AutisticCuckoo View Post
    You can't, but it sounds as if you are abusing the HTTP protocol. Requests via GET must be idempotent, i.e., they may not have side effects (like changing a database).

    If you want to update a database through Ajax calls, make sure to use POST requests. Those cannot be replicated via the browser's location bar, although they can be faked by malicious external scripts. You'll still need other safety mechanisms in place.
    Code:
    // The page's own function: whoever calls it decides what valToBePosted is.
    function sendXhrRequest(valToBePosted)
    {
    	alert(valToBePosted);
    	// post data to server using xhr request
    }
    // Typed into the location bar while the page is open, this calls the
    // function with caller-chosen data even though the server then sees a POST:
    javascript:sendXhrRequest("maliciousData")

  5. #5
    AutisticCuckoo, SitePoint Author (silver trophy, bronze trophy; Join Date: Nov 2004, Location: Ankh-Morpork, Posts: 12,158)
    I know what you're saying, but as I said earlier:
    Quote Originally Posted by AutisticCuckoo View Post
    You'll still need other safety mechanisms in place.
    Using GET requests to modify information is bad and breaks the HTTP protocol.
    HTML Code:
    <a href="http://example.com/ebank/withdraw?account=12345&amp;amount=5000">Click here!</a>
    Code like this is not a great idea, because anyone could enter that type of URI in their address bar.

    You should use a POST request (over a secure connection, if the data is sensitive) instead. Naturally, you must make sure that there is no equally simple way to access this, like the all-in-one JavaScript function you posted.

    The function that sends the XMLHttpRequest should retrieve the information from the form fields in the page.

    However, since the JavaScript code and the markup are visible to the public, you need additional security measures. The POST request can still be emulated (but not from the address bar), so you have to ascertain the validity using other means, like one-time server-generated tokens.
    Birnam wood is come to Dunsinane

  6. #6
    kvijayhari, I'm not a human (Join Date: Aug 2006, Location: India, Posts: 281)
    Hi friends,

    I went away for a little while, and I'm back here.

    I think my info was not enough, and I'll try to explain it a little more clearly.

    I have a page in which, on completion of some event, a JavaScript function is called which in turn sends a request to a PHP page:

    Code:
    function xzx()
    {
    	// here I'm calling a PHP page using an HTTP request
    	// createRequestObject() is the page's own XMLHttpRequest helper (not shown here)
    	httpa = createRequestObject();
    	moves = movesa;
    	times = timesa;
    	// the score values travel as GET parameters in the query string
    	var str = "../ajax1.php?level=" + level + "&moves=" + movesa + "&time=" + timesa;
    	httpa.open('get', str, true);
    	httpa.onreadystatechange = handleResponse;
    	httpa.send(null); // without this call the request is never sent
    }

    The Ajax page has a form which gets the name and country through input boxes, and all these details are inserted into the database. This is for inserting the high score.

    Here the hacker called this scubscore function directly from the address bar after visiting the homepage which contains this JavaScript function.
    Quote Originally Posted by webaddictz View Post
    Plus, obviously, if he can get malicious code into your database, you're not checking your input enough.

    I'm checking the input before inserting, but the data are valid data; that's why they get inserted into the database.

    What should I do here?
    Regards,
    Vijay
    Follow me on twitter @vijaycbe
    World Holiday Calander || My Cricket Blog

  7. #7
    webaddictz, SitePoint Addict (Join Date: Feb 2006, Location: Netherlands, Posts: 295)
    Plus, obviously, if he can get malicious code into your database, you're not checking your input enough.

  8. #8
    SitePoint Member (Join Date: Mar 2006, Posts: 2)
    Yes, I also agree that this is a http://en.wikipedia.org/wiki/Cross_site_scripting attack. One of the weaknesses of PHP is that it is too easy: people start writing scripts with the help of a single article, and security-related issues are bound to arise.

  9. #9
    SSJ, SitePoint Guru (Join Date: Jan 2007, Posts: 830)
    You can use server-side Ajax code to prevent this.

  10. #10
    AutisticCuckoo, SitePoint Author (silver trophy, bronze trophy; Join Date: Nov 2004, Location: Ankh-Morpork, Posts: 12,158)
    That's not sending a POST request via the address bar, that's exploiting a security hole in the page's JavaScript.
    Birnam wood is come to Dunsinane

  11. #11
    SitePoint Wizard (Join Date: Mar 2001, Posts: 3,537)
    Quote Originally Posted by AutisticCuckoo View Post
    That's not sending a POST request via the address bar, that's exploiting a security hole in the page's JavaScript.
    Quote Originally Posted by kvijayhari View Post
    He directly called the JavaScript function from the location bar itself.

  12. #12
    AutisticCuckoo, SitePoint Author (silver trophy, bronze trophy; Join Date: Nov 2004, Location: Ankh-Morpork, Posts: 12,158)
    As I said, you mustn't use a GET request to update your database. Instead, your Ajax call should use a POST request (with the parameters in the HTTP body instead of in the URI).

    As long as you call 'ajax1.php' with a GET request, anyone can check your JavaScript code to find the URI and call it with whatever parameter values they like.
    Birnam wood is come to Dunsinane

