How to prevent modifying AJAX request
Question
Does anybody have any idea how to prevent AJAX request hijacking / modifying?
As javascript is public in website source, is it possible to manipulate the sent data, fi ?.
$.ajax({
url: endpoint/url,
data: {
id: 523658,
fragile_data: 'it should stay constant'
}
});
2 answers
solution1
3 2018-01-03 23:02:30
Since you have no control over the client side, never trust the client side .
All you can (and have to) do is to validate data on the server side and probably to authenticate users.
solution2
0 2018-01-04 09:54:55
There isn't a way
As part of standard security principle, you should always assume that any information coming from the client cannot be trusted. It must first be passed through a filter and checked to make sure it meets a certain specification. For example, if you ask for an email address and password, you should always encode the field before sending and then check the field server-side to be sure it actually meets an email address syntax. You should also trim it of any extra characters so that you don't fall victim to one of the classic blunders such as
test.user@email.com"; DROP TABLE Users; --
The same applies to AJAX requests. Always sanitise your inputs and always check that any IDs coming back are legitimate (and possible match to a lookup item if they are supposed to).
If you are short on time , there are a bunch of external plugins or frameworks you can get that are free and open source to help prevent attacks on fields such as client-side validators (make sure an email is in a field before it's submitted etc.) as well as checking items server-side to prevent against XSS and SQLi attacks and the likes of. These plugins won't be perfect, but they'll do a large portion of the work for you and allow you to speed up the process a little
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.