
jQuery Ajax security concerns

I have been using jQuery Ajax calls in several projects. I'm wondering whether these calls to the server are insecure. Consider something like the following:

    $.ajax({
        method: "POST",
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        url: "/CMSWebParts/vline/Serviceupdates/ServiceUpdate.aspx/EditPlannedDisruption",
        // Serialise with JSON.stringify rather than string concatenation,
        // so an id containing a quote cannot break the JSON body.
        data: JSON.stringify({ id: id }),
        success: function (res) {
            // ASP.NET page methods wrap the return value in a "d" property.
            $("#hdnOverrideId_PlannedDisruption").val(res.d.PlannedDisruptionId);
            $("#edTime2_PublishPlanned").val(res.d.pubtime2);

            if (res.d.Proposed) {
                $("#chkProposed").prop("checked", true);
            }

            if (res.d.Active) {
                $("#chkActive").prop("checked", true);
            }

            // Hide the linked-override controls only when a linked override
            // actually exists (a null value may arrive as the string "null").
            if (res.d.LinkedOverrideId && res.d.LinkedOverrideId !== "null") {
                $("#btnlinkedOverride").hide();
                $("#linkedOverride").hide();
            }
        }
    });

If the user checks the browser source, he can see this whole code, including server method names and parameter names, and that provides opportunities for hackers.

Are there any security measures I am missing here?

Well, the only thing you should worry about is encrypting the data you are sending to the server and the data that you receive from the server. You can't do much of anything about code inspection in the browser.

Let me explain a little. When someone visits your web page, they already have everything you have designed to work in the browser. You can't do anything about this. You can try to make it a little more daunting to get around (minification), but accept that someone will have access to your client-side code.

The real problem is the data that passes over the wire. See, if a hacker inspected the code in his browser, he wouldn't get a lot of useful information (unless you make some obvious mistakes yourself). Sure, they can see where the requests go and what the parameters to the various endpoints are. But a properly secured back-end will not even let them send requests to these endpoints without proper authentication and authorization.

Hackers are also interested in capturing other people's details. A very obvious case is usernames and passwords. If you send this data over the wire without proper encryption, that is the real problem.

In short, there's not a lot you can do to protect your source code that runs in the browser. The interested party already has whatever they need, and JS does not lend itself to obfuscation. You should be much more interested in securing the data that passes over the wire.
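The point made above is that knowing the endpoint URL and the parameter name gains an attacker nothing if the back-end checks who is calling before it does anything. The following is an added example (not code from the question or the answer): a server-side handler for the EditPlannedDisruption endpoint written in plain JavaScript as a pure function, so it runs stand-alone. The session store, the roles, the tenant field and the disruption records are constructed sample data, and the status codes and the "d" wrapper follow ASP.NET page-method conventions; none of this comes from the original page.

```javascript
// Added example: server-side enforcement for EditPlannedDisruption.
// Everything below (sessions, roles, tenants, records) is constructed sample data.

const SESSIONS = {
  // session cookie value -> authenticated principal (constructed)
  "sess-alice": { user: "alice", roles: ["editor"], tenant: "vline" },
  "sess-bob":   { user: "bob",   roles: ["viewer"], tenant: "vline" },
  "sess-eve":   { user: "eve",   roles: ["editor"], tenant: "other" },
};

const DISRUPTIONS = {
  // PlannedDisruptionId -> record (constructed)
  101: { PlannedDisruptionId: 101, tenant: "vline", pubtime2: "2020-03-01T09:00",
         Proposed: true,  Active: false, LinkedOverrideId: null },
  202: { PlannedDisruptionId: 202, tenant: "other", pubtime2: "2020-04-01T10:00",
         Proposed: false, Active: true,  LinkedOverrideId: 7 },
};

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// req = { method, url, headers: { cookie }, body: string }
// Returns { status, body } the way an HTTP handler would.
function editPlannedDisruption(req) {
  if (req.method !== "POST") return { status: 405, body: { error: "method not allowed" } };

  // 1. Authentication: the request must carry a valid session cookie.
  const principal = SESSIONS[parseCookies(req.headers.cookie).session];
  if (!principal) return { status: 401, body: { error: "not authenticated" } };

  // 2. Role authorization: a viewer may not call an edit method at all.
  if (!principal.roles.includes("editor")) return { status: 403, body: { error: "forbidden" } };

  // 3. Input validation: the body must be JSON with a positive integer id.
  //    Knowing the parameter name does not mean arbitrary values are accepted.
  let id;
  try {
    const raw = JSON.parse(req.body).id;
    id = (typeof raw === "number" || typeof raw === "string") && /^\d+$/.test(String(raw))
      ? Number(raw) : NaN;
  } catch (e) {
    return { status: 400, body: { error: "malformed JSON" } };
  }
  if (!Number.isInteger(id) || id <= 0) return { status: 400, body: { error: "invalid id" } };

  // 4. Object-level authorization: the record must belong to the caller's tenant.
  //    Answer 404 for both "missing" and "not yours" so ids cannot be enumerated.
  const rec = DISRUPTIONS[id];
  if (!rec || rec.tenant !== principal.tenant) return { status: 404, body: { error: "not found" } };

  // 5. Return only the fields the client needs, wrapped in "d" like a page method.
  const { tenant, ...publicFields } = rec;
  return { status: 200, body: { d: publicFields } };
}

// An attacker who read the client code knows the URL and the "id" parameter,
// but still does not get past steps 1-4.
function demo() {
  const url = "/CMSWebParts/vline/Serviceupdates/ServiceUpdate.aspx/EditPlannedDisruption";
  const body = JSON.stringify({ id: "101" });
  const call = (cookie) => editPlannedDisruption({ method: "POST", url, headers: cookie ? { cookie } : {}, body });
  return {
    anon:  call(null).status,                 // 401: no session
    bob:   call("session=sess-bob").status,   // 403: authenticated, wrong role
    eve:   call("session=sess-eve").status,   // 404: editor, but another tenant's record
    alice: call("session=sess-alice").status, // 200
  };
}

console.log(demo()); // { anon: 401, bob: 403, eve: 404, alice: 200 }
```

The same id and the same URL produce four different outcomes depending only on who is asking; that is what "properly secured back-end" means in practice. Note that the handler never reveals whether id 202 exists to a caller from another tenant.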

If the user checks the browser source he can see this whole code including server method names and parameter names and it provides opportunities for the hackers.

So, yes, any attacker can learn how your application works from an external perspective.

This is why you should ensure your application is secure despite any user being able to work out how your application server communicates with the browser.

You need to prevent:

  • Attackers gaining access to your server, despite knowing which URLs, methods and parameters are passed.
  • Attackers targeting other users of your application through your application (e.g. stored XSS).
  • Attackers targeting other users of your application through their browser (e.g. reflected XSS, CSRF and other cross-origin attacks; see Same Origin Policy).
  • Attackers abusing the privileges granted to them on their account.
  • Countless other attack vectors from being leveraged.

are there any security measures I am missing here?

Check out the OWASP Top 10 for a starting point on the vulnerabilities you should be securing your application against.
