Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Securing AJAX Requests via GUID

I'm writing a web app that will be making requests via AJAX and would like to lock down those calls. After a little research, I am considering using some form of random token (string) to be passed back along with the request (GUID?). Here's the important parts of my algorithm:

  1. Assign a token to a JavaScript variable (generated server-side).
  2. Also, store that token in a DB and give it a valid time period (i.e. 10 minutes).
  3. If the token has still not been used and is within it's valid time window, allow the call.
  4. Return requested information if valid, otherwise, log the request and ignore it.

With an eye toward security, does this make sense? For the token, would a GUID work - should it be something else? Is there a good way to encrypt variables in the request?

EDIT:

I understand that these AJAX requests wouldn't be truly "secure" but I would like to add basic security in the sense that I would like to prevent others from using the service I intend to write. This random token would be a basic, front-line defense against abusive calls. The data that would be requested (and even submitted to generate such data) would is HIGHLY unlikely to be repeated.

Maybe I'm wrong in using a GUID... how about a randomly generated string (token)?

like image 957
Aaron Avatar asked Mar 17 '09 02:03

Aaron


People also ask

How can I make AJAX request secure?

An AJAX call can be secured the same way any HTTP request can be secured. First of all, use POST as opposed to GET to hide any sensitive parameters from the URL. Secondly, cross check all your requests for CSRF(Cross-Site Request Forgery) by using a CSRF token.

Are AJAX requests safe?

There is nothing inherently insecure about AJAX, for the most part it is susceptible to most of the same threats and attacks as regular webpages. However, there are also a few attacks that are AJAX-specific, but again it depends on how you code it.

Is AJAX encrypted?

Since AJAX calls are encrypted with a session key, AJAX queries cannot be sent directly to the server. If an attempt is made to send queries directly, the response given by the page will be "Forbidden," as the page expects to receive encrypted text in the AJAX call.

What format are we using to communicate with the server with AJAX requests?

AJAX stands for Asynchronous JavaScript And XML. In a nutshell, it is the use of the XMLHttpRequest object to communicate with servers. It can send and receive information in various formats, including JSON, XML, HTML, and text files.


3 Answers

If you are doing this to trust code that you sent to the client browser, then change direction. You really don't want to trust user input, which includes calls from js that you sent to the browser. The logic on the server should be made so that nothing wrong can be done through there. That said, asp.net uses a signed field, you might want to go that way if absolutely necessary.

Expanding a bit: Asp.net tamper-proofs the viewstate, which is sent as a html hidden field (depending on the configuration). I am sure there are better links as reference, but at least it is mentioned on this one: http://msdn.microsoft.com/en-us/library/ms998288.aspx

validation. This specifies the hashing algorithm used to generate HMACs to make ViewState and forms authentication tickets tamper proof. This attribute is also used to specify the encryption algorithm used for ViewState encryption. This attribute supports the following options:

  • SHA1–SHA1 is used to tamper proof ViewState and, if configured, the forms authentication ticket. When SHA1 is selected for the validation attribute, the algorithm used is HMACSHA1.

A link for the .net class for that algorithm http://msdn.microsoft.com/en-us/library/system.security.cryptography.hmacsha1.hmacsha1.aspx.

Update 2: For tamper-proofing you want to sign the data (not encrypt it). Note that when using cryptography in general, you should really avoid using a custom implementation or algorithm. Regarding the steps, I would stick to:

  • Assign a token to a JavaScript variable (generated server-side). You include info to identify the request and the exact date&time where it was issued. The signature will validate the server side application issued the data.
  • Identify double submits if appropriate.

That said, the reason asp.net validates the viewstate by default, is because devs rely on info coming in there as being handled only by the application when they shouldn't. The same probably applies for your scenario, don't rely on this mechanism. If you want to evaluate whether someone can do something use authentication+authorization. If you want to know the ajax call is sending only valid options, validate them. Don't expose an API at granularity level than the one where you can appropriately authorize the actions. This mechanism is just an extra measure, in case something slipped, not a real protection.

Ps. with the HMACSHA1 above, you would instantiate it with a fixed key

like image 61
eglasius Avatar answered Oct 13 '22 14:10

eglasius


It really depends on what you're trying to accomplish by security. If you mean prevent unauthorized use of the HTTP endpoints there is very little you can do about it since the user will have full access to the HTML and JavaScript used to make the calls.

If you mean preventing someone from sniffing the data in the AJAX requests then I would just use SSL.

A GUID used in the way that you're suggesting is really just reinventing a session id cookie.

like image 25
Bryan Kyle Avatar answered Oct 13 '22 14:10

Bryan Kyle


"Securing" is kind of a vague term. What exactly are you trying to accomplish? Using a GUID is a perfectly fine way to prevent duplicate submissions of the same request, but that is all.

If the information being passed between the client and server is truly sensitive, you should do it over HTTPS. That's really the only answer as far as securing the actual communication is concerned.

Edit: To answer your question regarding whether a GUID is the "right" way - there is no right way to do what you're suggesting. Using any token, whether it's a GUID or something of your own creation, will not have any effect other than preventing duplicate submissions of the same request. That's it.

like image 24
Rex M Avatar answered Oct 13 '22 12:10

Rex M