
How to stop other websites from sending cross-domain ajax requests?

From 2 different applications, I was able to send cross-origin requests. Though the browser returns a Cross-Origin error, my server is still receiving and executing the request. For example, from a remote site, I can invoke a cross-domain request using,

$.ajax({
    // send the user's cookies for MyApp along with the cross-origin request
    xhrFields: {
        withCredentials: true
    },
    data: { my: 'a' },
    url: 'http://MyApp/Page',
    type: 'POST'
});

I know that the browser does not return the response to the script, but my server page still executes.

Let's say an innocent user is logged in to a site, http://abc.com. This application will accept a POST request to insert a record. When the innocent user visits http://HackerSite.com, http://HackerSite.com will be able to send a POST request to http://abc.com via Ajax. How to avoid this?

Imran Qadir Baksh - Baloch asked Oct 24 '13 12:10



2 Answers

The vulnerability you are talking about is CSRF but it can be guarded against.

You can guard against the POST being submitted outside of an AJAX request (e.g. by an HTML form) by sending and checking the X-Requested-With: XMLHttpRequest header. This also cannot be sent cross-domain via AJAX due to this header not being in the safe list (without CORS, that is).

However, in the past there have been some exploits via plugins such as Flash where headers could be set that were not possible via a browser (e.g. Referer), so to guard against this it is recommended to use the synchroniser token pattern, which involves setting a token in a hidden field which will be validated as well as cookies for all destructive requests. By destructive I mean requests that change, submit or delete things (i.e. what should be POSTs).

For more info see here: http://www.html5rocks.com/en/tutorials/cors/

SilverlightFox answered Nov 15 '22 04:11


One easy solution, but one that is not totally bulletproof, is what we call a "validation token". Every post coming from your website should have a CSRF Token that you validate on the server side to make sure the request really comes from your website. Check this for more information: http://shiflett.org/articles/cross-site-request-forgeries

Bene answered Nov 15 '22 03:11