tuchawat tuchawat - 1 month ago 9
Javascript Question

Is AJAX jquery post data safe for browser/client-side manipulation

Test code like this. I have 2 pages. In the first page,...

    <head>
    <!-- jQuery must be loaded before this script runs -->
    <script>
    $(document).ready(function(){
        $("#btn").click(function(){
            $.ajax({
                type: 'POST',
                url: 'test2.php',
                data: { name: 'doflamingo' },
                success: function(response) {
                    $('body').html(response);
                }
            });
        });
    });
    </script>
    </head>
    <body>
    <input type="button" value="Click" id="btn">
    </body>


and in test2.php

    <?php
    echo $_POST['name'];
    ?>


If I click the button on the first page it will show the "doflamingo" text.
But if I go to Firebug in the browser and edit 'doflamingo' to 'luffy' and click the button, it still shows 'doflamingo'. So this means AJAX jQuery is secure from hacks, right? I don't need to add more security, right?

Also, I edited the URL from test2.php to random.php but the URL is still 'test2.php'.

Answer

The behavior is correct, because JavaScript is loaded into browser memory once it's loaded.

So if you do the same but get the value from an HTML element, this will change.

There are some points to consider for security:

Browsers by default implement HTTP access control (CORS); see more reference here: CORS

So essentially that means by default you can only receive requests from your own domain.

But what if, once the page is loaded, you try to inject malicious JavaScript code in, for example, the browser's inspector? The request will come from a user, so you can't know if this request is a valid request or not...

This is called CSRF (Cross-site request forgery) or XCSRF (with ajax).

A simple way to try to handle it can be to check that the request has been made with good behavior...

For example, you have a page which is first rendered, and then the user makes a request:

  • The server side executes the script and sends the HTML to the browser, so we can attach an identifier of that "rendered page"

    /**
    * Preventing CSRF
    */
    session_start(); // the session must be started before $_SESSION is used

    $time = time();
    $_SESSION['time'] = $time;

    $salt = 'gxYrE9G5kxlPcPOC1DSTWOehgw9Rb6FQ9q2qr5vpCPhBV418Q9TUYUK91cvd';
    $_SESSION['token'] = sha1($salt . $time);
    // ...attach this token in a hidden input on html
    
  • The page is now rendered with a token inside a hidden input or meta tag or whatever, so when you make the ajax request you must include this token back to the server and check it against the one you stored before sending the HTML:

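    // Reject the request when the token sent back does not match the stored one
    if ($_POST['csrf'] !== $_SESSION['token']) { http_response_code(403); exit; }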
    

Never trust a user request; filter all data, and do as many checks as you can, for example minimum request throttling (just storing the time difference between requests and, if this is greater than n seconds, discard...).

So definitely the answer is no: ajax is not secure against browser/client manipulation, as no technology is 100% free of security issues.
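
The server-side checks this answer describes (a per-page token plus validation of everything the client sends), as an added example that is not part of the original answer. The function names, the `csrf` field name and the sample requests are assumptions, and the token comes from `random_bytes` instead of a salted `sha1` of the time.

```php
<?php
// Added example, not the answer author's code. Function names and the
// 'csrf' field name are assumptions; the sample requests are constructed.

/** Issue a per-session token from the OS CSPRNG (call when rendering page 1). */
function issue_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(32));
    return $session['token'];
}

/** Server-side handling of the POST that test2.php receives. */
function handle_post(array $session, array $post): array
{
    $sent   = $post['csrf'] ?? '';
    $stored = $session['token'] ?? '';
    // hash_equals compares in constant time; reject missing or non-string tokens
    if (!is_string($sent) || $stored === '' || !hash_equals($stored, $sent)) {
        return [403, 'invalid token'];
    }
    $name = $post['name'] ?? '';
    // The client fully controls 'name', so it is validated on the server
    if (!is_string($name) || !preg_match('/^[a-z]{1,32}$/', $name)) {
        return [400, 'invalid name'];
    }
    // Escape on output, because page 1 inserts the response with .html()
    return [200, htmlspecialchars($name, ENT_QUOTES, 'UTF-8')];
}

// Constructed requests, run from the CLI: php example.php
$session = [];
$token = issue_token($session);
$cases = [
    'original value'      => ['csrf' => $token, 'name' => 'doflamingo'],
    'edited in dev tools' => ['csrf' => $token, 'name' => 'luffy'],
    'markup in name'      => ['csrf' => $token, 'name' => '<b>luffy</b>'],
    'missing token'       => ['name' => 'doflamingo'],
];
foreach ($cases as $label => $post) {
    [$status, $body] = handle_post($session, $post);
    printf("%-20s %d %s\n", $label, $status, $body);
}
```

The 'edited in dev tools' case returns 200: the token only ties the request to the rendered page, so whether a changed value is acceptable has to be decided by the server-side validation.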