Ok, so today I had a very good experience with the systems I built. Some guy "hacked" everything and said it was an AJAX issue. This is what he said to me:
you are relying on AJAX
when I have access to a user's browser I have access to all the AJAX functions you wrote for him, so I can do anything written in your JavaScript pretending to be that user
and this is absolutely hilarious - how could someone access user scripts via AJAX? Also I'm using node on the server but can't see where the problem is.. the example of the AJAX:
    // id is read from the clicked element's data-spin-id attribute
    var transfer_data = {
        id: jQuery(this).data('spin-id')
    };

    jQuery.ajax({
        url: init_s.forms.provably.callback,
        type: 'POST',
        dataType: 'JSON',
        data: transfer_data,
        success: function (data) {
            console.log(data);
            if (data.type == 'failed') {
                jQuery('#check_modal').modal('toggle');
            } else {
                // add data
            }
        },
        error: function (e) {
            console.log(e.message);
        }
    });
and the example of running node script:
    socket.on('new_spin_entry', function (data) { ... });

    socket.emit('new_spin_entry', {
        entry_id: data.user_spin_data.id
    });
so what the heck is this? How is this even possible?
P.S. I forgot to mention that he inserted an alert into my script that was loaded in the page. Not the server scripts, but the scripts that were loaded for the user.
P.P.S.: this is what I'm able to see in the console ATM; the system was down:
If someone has complete access to a browser, then they can run any code they like in it - including modifying or adding JavaScript to your pages. That has absolutely nothing to do with a site using Ajax though — any point where the client interacts with the server may be vulnerable.
Ajax is not inherently secure or insecure. It does however open up 'opportunities' for insecure code.
If they can only alter the page for the browser they are using themselves, then that is normal behaviour and nothing to worry about.
If they can inject data via a link or form submission from another site, then you are vulnerable to reflected XSS attacks.
If they can inject data that is saved somewhere on your server that causes a script to run for other users then you are vulnerable to stored XSS attacks.
If they can only do this if they are an authorised user, then you need to restrict / properly encode submitted data (since your authorised users can't be trusted).
If they can do this by having an authorised user visit a page hosted elsewhere, then you are vulnerable to CSRF attacks and you need to implement protection against them (nonces are the usual solution).
Any variables being sent from the client side can be modified by a hacker before they are sent to your server, which handles the request. To prevent this you must use validation in the server-side code handling the data being received. Never trust any form of user input or variables received directly from the client that can be manipulated. So for example in this case you could use session variables to validate that the transfer details actually refer to the logged-in user, and also check that these do not contain some malicious code such as SQL queries designed to exploit security flaws in your code.
Hope this helps!
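As an added example (not code from the question or from either answer), here is how the node side of the `new_spin_entry` handler could apply that advice: the user identity comes from the server-side session, the client-supplied `entry_id` is only a lookup key that is validated and checked for ownership. The `session.userId` field, the `spinEntries` store standing in for the database, and the handler names are assumptions constructed for this example.

```javascript
// Constructed sample store standing in for the database: which user owns
// which spin entry. The entry ids and user names are made up.
const spinEntries = new Map([
  [101, { id: 101, userId: 'alice', credits: 10 }],
  [202, { id: 202, userId: 'bob', credits: 5 }],
]);

// Vulnerable shape (what the question's handler amounts to): whatever
// entry_id arrives in the socket payload is acted on. Since the browser's
// JavaScript can be edited by the person sitting at it, the payload can name
// any user's entry.
function handleSpinEntryUnsafe(payload) {
  const entry = spinEntries.get(Number(payload.entry_id));
  if (!entry) return { type: 'failed', reason: 'not found' };
  entry.credits += 1;
  return { type: 'ok', entry_id: entry.id };
}

// Hardened shape: identity is taken from the server-side session (assumed to
// be attached to the socket at login), the id is strictly validated, and the
// entry must belong to the session's user before anything is changed.
function handleSpinEntry(session, payload) {
  if (!session || typeof session.userId !== 'string') {
    return { type: 'failed', reason: 'not authenticated' };
  }
  // Accept only a positive integer; "101abc", "1e2", " 101" and true are
  // all rejected, so nothing but a plain id reaches the lookup.
  const raw = payload && payload.entry_id;
  const id = Number(raw);
  if (!Number.isInteger(id) || id <= 0 || String(id) !== String(raw)) {
    return { type: 'failed', reason: 'invalid id' };
  }
  const entry = spinEntries.get(id);
  // One response for "missing" and "not yours": the client learns nothing
  // about which ids exist for other users.
  if (!entry || entry.userId !== session.userId) {
    return { type: 'failed', reason: 'not found' };
  }
  entry.credits += 1;
  return { type: 'ok', entry_id: entry.id };
}
```

The same `session`-first check belongs in the HTTP callback that the jQuery `ajax` call posts `id` to; a `socket.on` handler and a POST route are both just client input reaching the server.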