Disabling remote calls to my Ajax jQuery script

Hi,

I’m actually not sure whether this is even possible to begin with, but I thought I should ask, as it’s better to be safe than sorry.

On a number of my pages, I use jQuery.ajax() using the json data type. For example:

$("#button").click(function() {

    var data = {
        // fill data fields in here
    };

    $.ajax({
        type: 'post',
        url: '/ajax/public/basket',
        dataType: 'json',
        data: data,
        error: function(response, error) {},
        success: function(response) {
            // put code here
        }
    });

    // stop the default click action (e.g. form submit / navigation)
    return false;
});


Would it be possible for people to execute this script from their own server? If yes, are there any preventive measures I can take to block any remote execution of the script? And are there any other safety concerns I need to be aware of?

Many thanks.

Hi,
Yes, it is.
It’s called a CSRF attack.
Take a look at Chris Shiflett: Cross-Site Request Forgeries
You can also check server-side whether it’s an XHR request.

Bye

Correct me if I’m wrong (and I probably am here!), but wouldn’t it be an XHR request regardless of whether the file that triggered the Ajax call was located on my server or remotely?

I can make a request to your action /ajax/public/basket
simply by putting that action in a form, or by using curl.
But if you have something like this in your server-side code:


if ($request->isPost() && $request->isXmlHttpRequest()) {
    // check the token
    // your code here, and you must validate the data
}

that can help :slight_smile:
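As an added example (not code from anyone in this thread), here is what the "check the token" step from the reply above can look like in plain PHP for the /ajax/public/basket handler. The helper names `csrf_token` and `reject_reason`, the session key and the `csrf_token` POST field are assumptions for illustration. It generates a per-session token, and on each request verifies the method, the X-Requested-With header and the token, in that order:

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.1 with sessions.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token'; // assumed name for the session slot

// Called while rendering the page. Emit the returned value into the markup,
// e.g. <meta name="csrf-token" content="...">, so the jQuery code can send it.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        // 32 random bytes from the CSPRNG, hex-encoded, stored once per session
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Returns null when the request may proceed, otherwise a short reason string.
// Pure function of the three arrays, so it is easy to unit test.
function reject_reason(array $server, array $post, array $session): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'not a POST';
    }

    // A cross-site HTML form cannot set custom headers, and a cross-origin XHR
    // that sets one triggers a CORS preflight the server never approves.
    // jQuery adds this header automatically on same-origin $.ajax() calls.
    // It blocks the cheapest forgery but is not a secret, so keep the token check.
    $xrw = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    if (!is_string($xrw) || strcasecmp($xrw, 'XMLHttpRequest') !== 0) {
        return 'not an XHR';
    }

    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // $_POST values can be arrays; refuse anything that is not a string.
    // hash_equals() compares in constant time and avoids timing leaks.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'bad token';
    }

    return null;
}

// --- handler for /ajax/public/basket ---
session_start();

$reason = reject_reason($_SERVER, $_POST, $_SESSION);
if ($reason !== null) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'forbidden', 'reason' => $reason]);
    exit;
}

// Still validate every field (types, ranges, item ids) before touching the basket;
// the checks above only prove the request came from your own page.
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

On the client, add the token to the `data` object of the `$.ajax()` call shown in the question, for example `data.csrf_token = $('meta[name="csrf-token"]').attr('content');`. The token check is what actually defeats CSRF; the XHR header check only rejects plain forms and curl calls that forget the header, and anyone who already holds the token is by definition running code on your own origin.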