Is it possible to hack AJAX?

Ok, so today I had a very good experience with the systems I built. Some guy "hacked" everything and said that it was an ajax problem. Here is what he told me:

you rely on ajax
when I have access to a user's browser I have access to all the AJAX functions that you wrote for him, so I can do everything that is written in your javascript while pretending to be that user

and this is completely unclear to me: how can user scripts be accessed through ajax? I also use node on the server, but cannot figure out where the problem is. Ajax example:

    var transfer_data = { id: jQuery(this).data('spin-id') };
    jQuery.ajax({
        url: init_s.forms.provably.callback,
        type: 'POST',
        dataType: 'JSON',
        data: transfer_data,
        success: function (data) {
            console.log(data);
            if (data.type == 'failed') {
                jQuery('#check_modal').modal('toggle');
            } else {
                // add data
            }
        },
        error: function (e) {
            console.log(e.message);
        }
    });

and an example of running a node script:

    socket.on('new_spin_entry', function (data) {
        ...
    });
    socket.emit('new_spin_entry', { entry_id: data.user_spin_data.id });

So what is it? How is this possible?

PS: I forgot to mention that he inserted an alert into my script, which was loaded on the page. Not the server scripts, but the scripts that are downloaded to the user.

PPS: this is what I see in the console. ATM the system does not work: [screenshot]

+5
2 answers

If someone has full access to the browser, they can run any code that they like in it, including modifying or adding JavaScript to your pages. This is completely unrelated to the site using Ajax: any point at which the client interacts with the server can be vulnerable.

If they can only change the page for the browser they use, then this is normal behavior and there is nothing to worry about.

If they can inject data via a link or by submitting a form from another site, then you are vulnerable to reflected XSS attacks.

If they can inject data that is stored somewhere on your server and causes the script to run for other users, then you are vulnerable to stored XSS attacks.

If they can do this only as an authorized user, you need to restrict / correctly encode the submitted data (since your authorized users cannot be trusted).

If they can do this when an authorized user visits a page hosted elsewhere, then you are vulnerable to CSRF attacks and you need to implement protection against them (nonces are a common solution).


+6

Any variables sent from the client side can be changed by the hacker before they reach your server, which processes the request. To prevent this, you should use server-side validation while processing the received data. Never trust any form of user input or variables obtained directly from a client, since they can be manipulated. So, for example, in this case, you could use session variables to verify that the transfer data really belongs to the logged-in user, and also make sure that it does not contain any malicious content, such as SQL queries designed to exploit security vulnerabilities in your code.

Hope this helps!

+3
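The server-side check this answer describes, as an added example that is not part of the question or either answer: a plain Node.js handler for the page's `new_spin_entry` message, with the hardened version beside the trusting one. The ownership store, user names, the `session` object and the function names are assumptions constructed for the example.

```javascript
// Constructed ownership records: which logged-in user owns which spin entry.
// Kept in a factory so every call starts from fresh state.
function makeStore() {
  return new Map([
    [101, { owner: 'alice', credited: false }],
    [102, { owner: 'bob',   credited: false }],
  ]);
}

// TRUSTING version: acts on whatever the browser sent. The entry id and even the
// user name come from the client, so any user can credit any entry to any name.
function newSpinEntryUnsafe(store, payload) {
  const spin = store.get(Number(payload.entry_id));
  if (!spin) return { type: 'failed', reason: 'no such entry' };
  if (spin.credited) return { type: 'failed', reason: 'already credited' };
  spin.credited = true;
  return { type: 'ok', credited_to: payload.user };
}

// HARDENED version: identity is read from the server-side session (never from the
// payload), the client-supplied id must match a strict shape, and ownership is
// checked before any state changes. `session` is assumed to be populated by the
// login code on the server; the client cannot set it.
function newSpinEntrySafe(store, session, payload) {
  if (!session || typeof session.userId !== 'string') {
    return { type: 'failed', reason: 'not logged in' };
  }
  const id = payload && payload.entry_id;
  if (!Number.isInteger(id) || id <= 0) {           // rejects '101', 1.5, null, objects
    return { type: 'failed', reason: 'invalid entry_id' };
  }
  const spin = store.get(id);
  // One message for "missing" and "not yours", so responses do not reveal which ids exist.
  if (!spin || spin.owner !== session.userId) {
    return { type: 'failed', reason: 'entry not available' };
  }
  if (spin.credited) return { type: 'failed', reason: 'already credited' };
  spin.credited = true;
  return { type: 'ok', credited_to: session.userId };
}

// Stand-alone demo: the same client request handled both ways.
const demo = makeStore();
console.log(newSpinEntryUnsafe(demo, { entry_id: '102', user: 'alice' })); // ok, credited to alice although bob owns it
console.log(newSpinEntrySafe(demo, { userId: 'alice' }, { entry_id: 102 })); // failed, entry not available
```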

Source: https://habr.com/ru/post/1235399/

