Many times I do some weird things while using jQuery AJAX. I mean, I keep a hidden variable which contains an id, and then when somebody clicks a button, I run a JavaScript function which sends an AJAX request along with the id contained in the hidden field. Is this normal? What if somebody uses Firebug or any such tool and changes the JavaScript function and passes some other ids? Will it update and delete other records which may not belong to that user? How do you all handle this?
Since XML HTTP requests function by using the same protocol as all else on the web (HTTP), technically speaking, AJAX-based web applications are vulnerable to the same hacking methodologies as 'normal' applications.
Since AJAX calls are encrypted with a session key, AJAX queries cannot be sent directly to the server. If an attempt is made to send queries directly, the response given by the page will be "Forbidden," as the page expects to receive encrypted text in the AJAX call.
While jQuery is a library for better client-side web page development, AJAX is a technique of doing XMLHttpRequest to the server from the web page and sending/retrieving data used on a web page. AJAX can change data without reloading the web page. In other words, it implements partial server requests.
You need to secure this server-side; you can't protect it on the client-side, nor should you.
JavaScript is viewable, executable, dynamic, open...it's everything you would want when doing...well, whatever you want with it, which is a very bad thing for security. You need to check the passed id against what the user should have access to on the server when processing the request.
Anything, and I mean anything you do on the client is a deterrent, not a solution, and really there are no effective JavaScript deterrents I've ever seen. Even if you could secure it, I can just open Firebug, Fiddler, Wireshark, Chrome console or one of a dozen other tools to see what the request is ultimately sending anyway.
Never trust your users' input: validate the id on the server.
You should always be checking the input on the server side when the data is submitted. For example, if a user was editing their profile on the site, you would not put the profile ID in a hidden variable; you would derive the profile ID based on the user's cookie/session when the data was submitted. The key phrase is absolutely never trust the client.
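The two points made in the answers above (check the posted id against what the session's user owns, and for a user's own profile derive the id from the session instead of the client) as an added server-side example in plain Node-style JavaScript; this is not code from the question or any answer, and the record store, session shape and status codes are constructed for the demo:

```javascript
// Added example (not from the original answers): server-side handlers that treat
// the id posted from the hidden field as untrusted input and authorize it
// against the session. Data, session shape and status codes are constructed.

// Constructed sample data: records owned by two different users.
const records = new Map([
  [101, { id: 101, ownerId: 'alice', title: 'Alice note' }],
  [102, { id: 102, ownerId: 'bob',   title: 'Bob note' }],
]);

// The posted id arrives as a string and may be anything the client chose to
// send, so validate its shape before using it as a lookup key.
function parseRecordId(raw) {
  if (typeof raw !== 'string' || !/^\d{1,9}$/.test(raw)) return null;
  return Number(raw);
}

// Delete handler for the AJAX call. `session` is the server-side session that
// was populated at login from the cookie; `body` is the parsed request body.
// Returns an HTTP-style status so the outcome of the check is observable.
function deleteRecord(session, body, store = records) {
  if (!session || !session.userId) return { status: 401 };   // not logged in
  const id = parseRecordId(body.id);
  if (id === null) return { status: 400 };                   // malformed id
  const rec = store.get(id);
  // Ownership check: the id came from the client, so it proves nothing by itself.
  // Answer 404 for both "missing" and "not yours" so ids cannot be enumerated.
  if (!rec || rec.ownerId !== session.userId) return { status: 404 };
  store.delete(id);
  return { status: 200 };
}

// Profile edit: no profile id is accepted from the client at all; the profile
// to update is derived from the session, as the last answer describes.
function updateOwnProfile(session, body, profiles) {
  if (!session || !session.userId) return { status: 401 };
  const profile = profiles.get(session.userId);
  if (!profile) return { status: 404 };
  profile.displayName = String(body.displayName || '').slice(0, 64);
  return { status: 200, profile };
}
```

Wiring these into an Express or similar route is the only part left out; the authorization decision itself does not depend on the framework.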