Hide the destination URL


1

In the jQuery example the arguments are clearly identified: URL and form parameters.

$.ajax({
  url: "test.html",
}).done(function() {
  // ...
});

I want to know if there is any way to hide the URL in AJAX, or to make the destination as difficult as possible to identify, to prevent it from being copied and pasted into the browser.

I look at the JS of other sites and apparently they are pure JavaScript. Does that imply safety in some way?

  • Take a look here afterwards: http://en.m.wikipedia.org/wiki/Cross-site_request_forgery

  • What language do you use on the server? It is possible to identify whether the request actually came via AJAX, and reply with an error if it did not.

  • You can put it in a separate, minified JS file, which already makes it a little more difficult. Encrypting the URL and using a function to decrypt it when it is used prevents direct viewing, but if the user is determined to see the URL, nothing can be done.

  • Or better still use a blinder like this

  • What is your language on the server side?

  • I use PHP, but is the $_SERVER variable 100% guaranteed? They say requests can be simulated.

  • 1

    @Orion, thanks for the link, I’m reading


3 answers

2


No, actually there is no way to hide either the URL or the values.

Now, there are some measures that can be taken if necessary, such as:

  • Add a strict CORS rule to your server

With this you can restrict the use of your API, or whatever, to specific domains.

E.g.: you have a URL that registers the user; on the server you can configure it so that only the site www.meusite.com can access it, so any other site will receive an error when trying to access it. (It is the browser that blocks this; a cURL request still works.)

  • Encrypt

Some of the more sensitive data can be encrypted so that it is of no use to anyone who intercepts it. E.g.: I want to send my username and my password and I want to protect this data; I can make an MD5 and send it. There are also other alternatives like bcrypt, etc.

I hope it helped.

  • I’ve never heard of CORS, I’ll look for it, thank you
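The CORS and request-method checks discussed in this thread, as an added example that is not part of the original posts: it models one request from the server's side and from the client's side. The function names, the `other.example` origin and the `registrations` counter are hypothetical, and it assumes the endpoint is on a different origin from the pages calling it and receives a simple form POST (no preflight).

```javascript
// Added example with constructed requests; not code from the thread.
const ALLOWED_ORIGIN = "https://www.meusite.com"; // site named in the answer
let registrations = 0; // hypothetical stand-in for the endpoint's side effect

// Server: method check plus a strict CORS rule for one allowed origin.
function handle(req) {
  if (req.method !== "POST") return { status: 405, headers: {} };
  registrations += 1; // the request is processed whatever the Origin header says
  const headers = {};
  if (req.headers["origin"] === ALLOWED_ORIGIN) {
    headers["access-control-allow-origin"] = ALLOWED_ORIGIN;
  }
  return { status: 200, headers };
}

// Client: only a browser applies the CORS check, and only to reading the response.
function responseReadable(client, pageOrigin, res) {
  if (client !== "browser") return true; // cURL and scripts ignore CORS headers
  return res.headers["access-control-allow-origin"] === pageOrigin;
}

// Send one constructed request and report what happened on both sides.
function simulate(client, pageOrigin, method) {
  const headers = client === "browser" ? { origin: pageOrigin } : {};
  const before = registrations;
  const res = handle({ method, headers });
  return {
    status: res.status,
    processed: registrations > before,
    readable: responseReadable(client, pageOrigin, res),
  };
}

// Constructed cases: allowed site, another site, and a non-browser client.
const cases = [
  ["browser", "https://www.meusite.com", "POST"],
  ["browser", "https://other.example", "POST"],
  ["curl", null, "POST"],
  ["curl", null, "GET"],
];
for (const [client, origin, method] of cases) {
  console.log(client, origin, method, JSON.stringify(simulate(client, origin, method)));
}
```

In the second case the browser hides the response from the other site's script, yet the server has already processed the request, so what the endpoint allows has to be decided by its own server-side checks.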

2

Forget it! If you encrypt, someone can decrypt; if you obfuscate, someone can deobfuscate (is that a word?).

If the problem is the user accessing a page directly by its address, you should check in the request for this page whether its call method is as expected. For example, GET or POST.

  • Thanks... I only use PHP. They say that requests can be 'simulated'; is the $_SERVER variable safe?

  • You can use $_SERVER['REQUEST_METHOD'] without fear!

1

How would you decrypt an MD5 256 or a bcrypt, which is based on hash comparison?

The possibility of course exists, but the cost of doing this is very high and it is very slow. In the case of bcrypt I can tell you that it is almost impossible, since the generated hash is always different and has to be compared through a slow algorithm.

As for deobfuscating, I did not understand technically how it would be done; how would you deobfuscate CORS in the browser?

As for the POST and GET methods, the only difference is that GET sends in the query and POST in the HTTP payload.

In conclusion, no. Don’t forget that. Take into consideration protecting your server with CORS and for the sake of your users use an encryption algorithm for sensitive data.

  • The cost doesn’t pay off! Encrypting the URL only to prevent the user from accessing it through the code, when in fact they can capture it after the request is performed!

  • At no time did I speak of encrypting the URL, but rather the data. As for the URL, a CORS rule can be added on the server, which has nothing to do with encryption but is a browser usage restriction.

  • Yes, in that case the obfuscation would be of the URL address. As for CORS, it is a good one too. It seems he is already using the request_method!
