Ajax post request security

I am developing a mobile application using PhoneGap which will communicate with a server (PHP) via Ajax requests.

On the server side (PHP), something like https://example.com/retrieveData.php will get the user id via $_POST['user_id'] and return some sensitive information about the user as JSON.

And on the client side (PhoneGap JavaScript), that JSON output will be parsed and used in the application.

My concern is that if someone steals this URL ( https://example.com/retrieveData.php ), can he manually send fake POST requests and steal the returned user information?

How can I secure this communication?

asked by dreamworker, Dec 05 '25 13:12

2 Answers

My concern is that if someone steals this URL ( https://example.com/retrieveData.php ), can he manually send fake POST requests and steal the returned user information?

You are right to be concerned. Anybody can send a message to that URL, and get the result unless you check some part of the request that authorizes the request.

For example, you could authenticate to check that the request comes from the user and then authorize the request based on the idea that the user should have access to that info.

Alternatively, you can authorize based on something that only a valid requestor would know via a shared secret and rely on the https part of that URL to prevent shared secrets from becoming public. You give out the secret to trusted partners, and when you generate a web form via PHP (also protected via HTTPS), you include a hidden input containing the shared secret. This is how XSRF protection typically works.

You should think about the following:

  1. Who should legitimately be able to reach this page? Logged-in users interacting via your phone app, partners who can protect a secret, web API users?
  2. What credentials do they have for using other parts of your server? Log-in cookies? XSRF tokens? Partner tokens?
  3. What parts of your app are sent only over secure channels like https?

If all of (1) is satisfied by some subset of credentials in (2) and those credentials are only ever sent over (3) then you just need to check (2) in your page. Otherwise, you need to rework your application architecture until that is true.

OWASP has a Guide to Authorization that might come in handy and they also have a number of pages on reviewing authorization code but most of the examples are not PHP specific.

answered by Mike Samuel, Dec 08 '25 03:12


Of course he can send any post request he wants. The only possible way to get around this is with authentication that the server knows about, i.e. the client has to send you something hard to guess and that starts a session in the server.

answered by Explosion Pills, Dec 08 '25 02:12

