Is your AJAX app secure enough?
April 7, 2006
There’s no doubt that AJAX is useful when it comes to streamlining and speeding things up — but is it always secure?
A blogger at Darknet recently posed a very good question: “Will the average AJAX-enabled web-application be able to tell the difference between a real and a faked XmlHttpRequest?” Specifically, it comes down to a question of proper authentication.
Among other things, here are some tips gleaned from the post:
- Using GET is a major mistake, as GET requests are easy to fake. “POST is a lot better, as it’s harder to fake.”
- Using only cookies is a bad idea. “If the XmlHttp-interface is merely protected by cookies, exploiting … is all the easier: the moment you get the browser to make a request to that website, your browser is happily sending any cookies along with it.”
- Using some sort of random sequence numbering method is a good way to secure things. “The servers’ ‘challenge-string’ should be as random as possible in order to make it non-predictable: if one could guess what the next sequence number will be, it is again wide open for abuse.”
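The three tips above describe one mechanism: the server issues a random, unguessable challenge that a same-origin page can read and echo back, while a cross-site page can only cause the browser to attach the cookie. The following is an added example (not code from this post or from the Darknet article) that models that check in a small in-memory server; the class and method names, the `X-Challenge`-style parameter and the constructed scenario are assumptions for illustration.

```python
"""Per-session challenge tokens for XmlHttpRequest endpoints (added example).

Models the "cookies alone are not enough" point: the browser attaches the
session cookie automatically, so a cross-site page can trigger the request,
but it cannot read the server-issued challenge, so a request without the
correct challenge is refused. The server class, its method names and the
in-memory stores are assumptions made for this example.
"""
import hmac
import secrets


class AjaxServer:
    """Minimal server keeping session cookies and single-use challenge tokens."""

    def __init__(self):
        # cookie value -> {"user": ..., "challenge": ...}
        self.sessions = {}

    def login(self, user):
        """Create a session cookie and the first challenge for that session."""
        cookie = secrets.token_urlsafe(32)
        # secrets (not random) so the next challenge cannot be predicted.
        self.sessions[cookie] = {"user": user, "challenge": secrets.token_urlsafe(32)}
        return cookie

    def current_challenge(self, cookie):
        """What a legitimate same-origin page reads out of the server's response.

        A page on another origin cannot read this value (same-origin policy),
        which is what makes the echoed challenge stronger than the cookie.
        """
        return self.sessions[cookie]["challenge"]

    def handle(self, method, cookie, challenge):
        """Handle one XmlHttpRequest; returns (status, body)."""
        if method != "POST":
            # State-changing AJAX calls are POST only; a forged GET is refused early.
            return 405, "POST required"
        session = self.sessions.get(cookie)
        if session is None:
            return 401, "no session"
        expected = session["challenge"]
        # Constant-time comparison; never compare secrets with ==.
        if challenge is None or not hmac.compare_digest(challenge, expected):
            return 403, "bad or missing challenge"
        # Rotate: each challenge is single use, so replaying one fails.
        session["challenge"] = secrets.token_urlsafe(32)
        return 200, "ok for " + session["user"]


def simulate():
    """Constructed scenario: a legitimate request, a replay, and two forgeries."""
    server = AjaxServer()
    cookie = server.login("alice")
    results = {}
    # Same-origin page: reads the challenge and sends it along with the POST.
    token = server.current_challenge(cookie)
    results["legit"] = server.handle("POST", cookie, token)[0]
    # Replay of the same token after it has been consumed.
    results["replay"] = server.handle("POST", cookie, token)[0]
    # Cross-site forgery: the browser sends the cookie automatically, but the
    # other page has no way to learn the current challenge.
    results["forged_cookie_only"] = server.handle("POST", cookie, None)[0]
    # Forgery via GET carries no challenge at all and is refused up front.
    results["forged_get"] = server.handle("GET", cookie, None)[0]
    return results


if __name__ == "__main__":
    print(simulate())
```

The rotation step is what turns the "random sequence numbering" tip into a real property: even a captured challenge is worthless after one use, and because each new value comes from `secrets` rather than a counter, seeing one tells an observer nothing about the next.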
But you can’t fake a GET request when it’s done by JavaScript; this has all been said before. Just use tokens, generate keys, make access masks, use user-agents to detect if it’s OK to use, etc. There’s no need to panic: if I hack the GET requests, so what? Anyone can do that regardless of whether it goes through JavaScript or not!?!
So there is no need to worry, and why make duplicate posts? We got told about this the other day!!
Sorry for the dupe post!