Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Can anybody hack my ajax request in jquery?

Tags:

jquery

Many a times i do some weird things while using jquery ajax. I mean, i keep a hidden variable which contains id and then when somebody clicks button, i run a javascript function which passes ajax request along with the id that is contained in hidden field. Is this normal? What if somebody uses firebug or any such tool and changes the javascript function and passes some other ids? It will update and delete other records which may not belong to that user? How do you all handle this?

like image 451
TCM Avatar asked Jul 16 '10 13:07

TCM

People also ask

Can AJAX be hacked?

Since XML HTTP requests function by using the same protocol as all else on the web (HTTP), technically speaking, AJAX-based web applications are vulnerable to the same hacking methodologies as 'normal' applications.

Are AJAX requests secure?

Since AJAX calls are encrypted with a session key, AJAX queries cannot be sent directly to the server. If an attempt is made to send queries directly, the response given by the page will be "Forbidden," as the page expects to receive encrypted text in the AJAX call.

Is AJAX better than jQuery?

While JQuery is a library for better client-side web page development, AJAX is a technique of doing XMLHttpRequest to the server from the web page and sending/retrieving data used on a web page. AJAX can change data without reloading the web page. In other words, it implements partial server requests.

3 Answers

You need to secure this server-side, you can't protect it on the client-side, nor should you.

JavaScript is viewable, executable, dynamic, open...it's everything you would want when doing...well, whatever you want with it, which is a very bad thing for security. You need to check the passed id against what the user should have access to on the server when processing the request.

Anything, and I mean anything you do on the client is a deterrent, not a solution, and really there are no effective JavaScript deterrents I've ever seen. Even if you could secure it, I can just open Firebug, Fiddler, Wireshark, Chrome console or one of a dozen other tools to see what the request is ultimately sending anyway.

like image 119
Nick Craver Avatar answered Sep 22 '22 18:09

Nick Craver

Never trust your users' input: validate the id on the server.

like image 43
Tomas Aschan Avatar answered Sep 21 '22 18:09

Tomas Aschan

You should always be checking the input on the server side when the data is submitted. For example if a user was editing their profile on the site, you would not put the profile ID in a hidden variable, you would derive the profile ID based on the users cookie/session when the data was submitted. The key phrase is absolutely never trust the client.

like image 21
Fosco Avatar answered Sep 22 '22 18:09

Fosco
Sign in to Comment

Related questions

Owl Carousel Outer Arrow Navigation
Range 0-100 using jQuery inputmask plugin
is there $(document).find('selector') and $('selector') difference
Enable submit button only when all fields are filled
How to handle checkbox click event in datatables
Required fields are not working with ajax
Bootstrap File Input - limit file types
Is jquery .bind() deprecated?
JS table row drag and drop without Jquery UI in 2016
How to to change mouse cursor on chart.js doughnut graph?
DataTable with dropdown Column
Spring MVC with Thymeleaf + Bootstrap using webjars
Uncaught (in promise) Provided element is not within a Document
Keeping key value pairs together in HTML <select/> with jQuery?
jQuery nextAll -- Click on h-element toggles all p-elements until next h
jQuery Cycle pagerAnchorBuilder
jQuery flexible hide/show of fieldsets
Get users number from iPhone using HTML5/jQuery
Loading JSON-encoded AJAX content into jQuery UI tabs
lock all submit button before page fully rendered

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!