From two different applications, I was able to send cross-origin requests. Though the browser returns a Cross-Origin error, my server is still receiving and executing the request. For example, from a remote site, I can invoke a cross-domain request using:
$.ajax({
    xhrFields: {
        withCredentials: true   // send the user's cookies along with the cross-origin request
    },
    data: { my: 'a' },          // request body
    url: 'http://MyApp/Page',   // target on the other origin
    type: 'POST'
})
I know that the browser does not return the response to the script, but my server page still executes.
Let's say an innocent user is logged in to a site, http://abc.com. This application will accept a POST request to insert a record. When the innocent user innocently visits http://HackerSite.com, http://HackerSite.com will be able to send a POST request to http://abc.com via Ajax. How can I avoid this?
The vulnerability you are talking about is CSRF, but it can be guarded against.
You can guard against the POST being submitted outside of an AJAX request (e.g. by an HTML form) by sending and checking the X-Requested-With: XMLHttpRequest header. This also cannot be sent cross-domain via AJAX due to this header not being in the safe list (without CORS, that is).
However, in the past there have been some exploits via plugins such as Flash where headers could be set that were not possible via a browser (e.g. Referer), so to guard against this it is recommended to use the synchroniser token pattern, which involves setting a token in a hidden field which will be validated as well as cookies for all destructive requests. By destructive I mean requests that change, submit or delete things (i.e. what should be POSTs).
For more info see here: http://www.html5rocks.com/en/tutorials/cors/
One easy solution, but one that is not totally bulletproof, is what we call a "validation token". Every POST coming from your website should have a CSRF token that you validate on the server side to make sure the request really comes from your website. Check this for more information: http://shiflett.org/articles/cross-site-request-forgeries