Is there an application security flaw when using AJAX?

Viewed 1,513 times

8

I have been an HTML/CSS/PHP programmer for a few years and, as incredible and impossible as it may seem, I'm only now entering the world of JavaScript with jQuery and AJAX. My question is whether the security level is affected by passing parameters via AJAX, since the JavaScript source code is exposed if we don't decide to encrypt it in some way.

When, for example, we have to pass parameters to PHP through AJAX, unless we rename the variables inside the PHP, they are already exposed in the parameter passing of the AJAX call, as are the URLs; at least I, for lack of knowledge as a beginner, have passed absolute file URLs.

How dangerous is that? To what extent would it affect the system's security? Note that this question is not asking for opinions but for technical grounds that explain it.

  • 1

Sergio's answer is correct, but just to cover all the bases, please clarify the following: 1) does user authentication still use cookies, or did something change after you moved to Ajax? 2) Were you protecting yourself against CSRF before? Are you still doing the same now? 3) Do you make Ajax requests to a different domain? (CORS) 4) Can other websites make Ajax requests to your domain? (also CORS)

3 answers

15


The general rule is: never trust anything that comes from the client’s side.

All input that comes from JavaScript has to be checked on the server side. Only in the PHP code can you do the checks you need to avoid code injection.

Do what you can on the JavaScript side, whatever is useful to the user, but then keep your house in order and handle the data properly on the server, especially if there is a database that will receive this data.

  • So, as magnificent as JavaScript is with its runtime requests, should we always take a step back and handle everything we can within PHP?

  • 2

    @Marcosviniciusnasc.Pereira: exactly.

  • Is it recommended to encrypt client-side source code, or is it totally unnecessary, @Sergio?

  • 1

    @Marcosviniciusnasc.Pereira: unnecessary. Whoever wants to see it will see it, or will write code of their own and send it to the server. Take a look here at the explanation of how to unravel the whole code: http://stackoverflow.com/q/18834309/2256325
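Sergio's rule in practice, as an added example that is not part of his answer: the page.php that receives the `nome` parameter from the `$.ajax` call in the question, treating everything in `$_POST` as untrusted. The table name `clientes`, the PDO DSN and credentials, and the PHP 8 syntax are assumptions for the example.

```php
<?php
// Added example, not code from the answer: the server side of
// $.ajax({ url: 'page.php', type: 'POST', data: { nome: '...' } }).
// Anything in $_POST was produced by the client and could just as well
// have been sent with curl, bypassing every jQuery check, so it is
// validated here. Table "clientes", the DSN/credentials and the PHP 8
// syntax are assumptions for the example.
declare(strict_types=1);

header('Content-Type: application/json; charset=utf-8');

/**
 * Returns the cleaned-up name, or null if the value is not acceptable.
 */
function validateNome(mixed $value): ?string
{
    // ?nome[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($value)) {
        return null;
    }
    $nome = trim($value);
    // Length bound plus an allow-list of characters (letters, space, ' . -).
    if ($nome === '' || mb_strlen($nome) > 80) {
        return null;
    }
    if (preg_match('/^[\p{L} \'.-]+$/u', $nome) !== 1) {
        return null;
    }
    return $nome;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'method not allowed']);
    exit;
}

$nome = validateNome($_POST['nome'] ?? null);
if ($nome === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid nome']);
    exit;
}

// A prepared statement keeps the value out of the SQL text: a name such as
// O'Brien, or one crafted to break the query, is bound as data only.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('INSERT INTO clientes (nome) VALUES (:nome)');
$stmt->execute([':nome' => $nome]);

// Encode the echoed value for the JSON context so the client can insert it
// into the page as text without it being parsed as markup.
echo json_encode(['ok' => true, 'nome' => $nome], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT);
```

Sending `nome[]=x` with curl is rejected as a non-string, and a value such as `Robert'); DROP TABLE clientes;--` fails the allow-list; even if a quote did get through, the prepared statement stores it as a literal string rather than as part of the query. None of this depends on what the jQuery code does, which is exactly the point: the JavaScript is a convenience for the user, not a security boundary.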

3

My question is whether the security level is affected when passing parameters via AJAX, since the JavaScript source code is exposed [...]
The variables inside PHP, they are kind of already discovered in the parameter passing

It's not a problem that deserves attention.
I will just add a few points comparing an Ajax request using the GET method with one using POST.


1) An ordinary form, regardless of AJAX, always has its elements accessible: you can see the field names and even change them.

    $.ajax({
        url  : 'page.php',
        type : 'POST',
        data : { nome : 'Papa Charlie' },
        success : function (resposta) { /* handle the response */ }
    });

2) Using AJAX with GET simulates a request with the parameter exposed in the URL:
www.dominio.com/page.php?nome=Papa%20Charlie

    $.ajax({
        url  : 'page.php',
        type : 'GET',
        data : 'nome=Papa%20Charlie',
        success : function (resposta) { /* handle the response */ }
    });

That is, with the POST method you have a form whose fields can be read and edited, and with the GET method you have the simulation of a URL; in both cases the parameter names are visible. Regardless of whether your application uses AJAX, the parameters are always accessible.

There is no need to change the names in PHP; just check that the received values ARE of the expected type.

1

Agreeing with Sergio's answer... Mine is to introduce the "session" into the answer.

From a security point of view, it is not recommended to pass sensitive information from PHP to Ajax and vice versa... Emphasis on sensitive information.

Even with "https" communication, which introduces a higher level of security, nothing is safe.

For this purpose, and in response to the question: sensitive information must never leave the jurisdiction of the server, or of the server cluster, depending on the situation. Whenever possible use the session to store one field or another, or use the database between calls, as it is in fact the only place where the information will remain persistent.

The system must also include checks on who is performing any Ajax call... denying those who make a call from outside the scope of the application; for this there are several solutions, such as a token for each call.

PS: always the POST method when security is a concern.

  • The answer seems to make sense; only this line was not clear to me: "PS: always the POST method when security is a concern". Apart from not appearing in the URL, what would be the advantage of POST with regard to security?

  • The fact that it does not appear in the URL... so it is harder to read and manipulate... makes POST the logical choice. So always choose it. However, for you it solves nothing... except with the implementation I mentioned.

  • I imagined so. It was more to get an idea of whether there was any further reason for the recommendation. Thanks for the attention!
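The per-call token the answer mentions, as an added example that is not part of the original answer: a PHP session token that the page hands to the script and that every Ajax request must send back, checked server-side with a constant-time comparison. The header name `X-CSRF-Token`, the `meta` tag, the `user_id` session key and the single-file layout are assumptions for the example.

```php
<?php
// Added example, not code from the answer above. A per-session CSRF token
// that every Ajax call must present, verified on the server together with
// the session-based login. Header name, meta tag, session keys and the
// one-file layout are assumptions for the example.
declare(strict_types=1);

// Session cookie not readable by script and not sent on cross-site navigations.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
session_start();

function csrfToken(): string
{
    // One token per session from the CSPRNG; regenerate it on login.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfCheck(): bool
{
    // The token travels in a request header set by $.ajax. Another site can
    // make the browser POST a form to us, but cannot add custom headers to
    // it, and cannot read the token out of our page.
    $sent     = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time, so a wrong token does not leak
    // how many leading characters matched.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The Ajax endpoint: who is calling, then is it our page calling.
    header('Content-Type: application/json; charset=utf-8');
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        echo json_encode(['error' => 'not authenticated']);
        exit;
    }
    if (!csrfCheck()) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid CSRF token']);
        exit;
    }
    // ... validate $_POST['nome'] and do the real work here ...
    echo json_encode(['ok' => true]);
    exit;
}

// The page that issues the Ajax call: hand the token to the script in a
// meta tag (never in the URL, where it would end up in logs and Referer
// headers). The jQuery call reads it and sends it back as a header.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<meta name="csrf-token" content="{$token}">
<script src="jquery.js"></script>
<script>
$.ajax({
    url: 'page.php',
    type: 'POST',
    headers: { 'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content') },
    data: { nome: 'Papa Charlie' }
});
</script>
HTML;
```

This is what actually answers the question in the comment: POST by itself hides nothing from whoever controls the client, since the body is just as visible and editable in the browser's developer tools as a query string. What the token adds is a value that an attacker's site cannot obtain, so a request without it is rejected regardless of which HTTP method it used.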
