AJAX security question please contact

I have a social network that I created, and I have a security issue. The site lets you have friends, and when you request a friend, a button runs the script via AJAX using jQuery.

I know that JavaScript can be easily hacked, and I also read here http://www.acunetix.com/websitesecurity/ajax.htm that AJAX is not as secure as it seems. They claim that “since the XMLHttpRequest functions operate using the same protocol as anything else on the Internet (HTTP), technically speaking, AJAX-based web applications are vulnerable to the same hacking methodologies as ‘regular’ applications.”

So basically I don’t want a worm to simply execute friend requests through my AJAX function, so that someone signs up on the site and has 14 million friend requests. This is also a problem with several other AJAX scripts that I run on the site. The question I have is whether I should just keep everything server-side. I use PHP, so should every friend request just reload the page, as much as I would like to avoid that? Any help would be greatly appreciated.

+4
5 answers

If you have security issues, they are not unique to AJAX, but there are simple ways to make things more difficult.

1) As Diodeus says, absolutely do not let people use your services without authenticating through the session, the same as any other page on the website that requires you to be logged in.

2) Harden against session capture by inserting client information into the session key (cookie) and checking it on the server, e.g. IP address, browser version. However, this can be faked.

3) If a particular session makes more than X requests in a certain period of time (for example, 10 per minute), log them out and block them for an hour. Set a higher limit to prevent them being restored by the administrator. Have the code send you an email when this happens so you know if you have a problem.

4) If you are really worried, use SSL. This is really the only way to completely prevent session hijacking (apart from introducing your own private-key encryption mechanism for session data).

5) If you do not use SSL, you cannot stop session capture, but you can easily protect your users' passwords from being read. For authentication, do the following:

  • The client script requests a salt (a random string) from the server.
  • The server sends the salt to the client and remembers it in the session.
  • The client hashes the password with the salt, using SHA-256 for example, and authenticates with their username and the hashed password. The server hashes the password associated with that user at its own end using the same salt and authenticates if it matches the hash sent by the client. The server then forgets the salt, so it is used only once.

This way, someone watching the session can only see the hashed password, and since the hash is different every time, they cannot log back in using this hash against your service. You still cannot stop them from capturing a session, but you can stop them from viewing your users' passwords or logging in on their own.

In fact, session capture is not so important, although a full implementation is, of course, Facebook over Wi-Fi. If someone comes out with a Firefox plugin to hack your social network, then you should be thrilled, because you know you have made it.

+5

This is not a problem specific to AJAX. It all comes down to checking and sanitizing your data. I assume that users need to register / log in before they can add friends (after all, how else will you keep track of who is friends with whom?). Here are some obvious points to consider:

  • Add a CAPTCHA or similar to your registration process to reduce bot users. reCAPTCHA seems to be the industry standard today (and it's very easy to set up).
  • When processing an AJAX call, make sure that the user is allowed to do what they are doing (i.e. they are logged in, have activated their account, etc.).
  • When processing a friend request, ignore duplicates. Sometimes people deliberately ignore friend requests, and they probably don't want to receive the invitation again when the inviter becomes impatient.
  • Find a way to track suspicious behavior. If a user has sent 50 friend requests in the last two seconds, it is likely a bot. Lock the account temporarily and ask the person to verify it. It might also be a good idea to hide friend requests from blocked users.

There are many more, but these should get you started.

+1
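The server-side checks listed in this answer and in points 1 and 3 of the earlier one (session required, account activated, duplicates ignored, per-user rate limit with a temporary lock and an operator alert) as one added example. This is illustrative code, not from the thread or any project it mentions; it is framework-agnostic Node.js, so the `session` object and the `now` timestamp are passed in by the caller, the account table is constructed for the example, and `alerts` stands in for the "email yourself" step. The limit (10 per minute, lock for an hour) follows the earlier answer's numbers.

```javascript
// Added example, not from the original thread: a friend-request handler that
// does every check on the server, keyed by the authenticated session rather
// than by anything the AJAX call itself claims.
const WINDOW_MS = 60 * 1000;      // rate-limit window: one minute
const MAX_PER_WINDOW = 10;        // "10 per minute" from the first answer
const LOCK_MS = 60 * 60 * 1000;   // block for an hour once the limit is exceeded

// Constructed account table (assumption): id -> { activated, lockedUntil }
const accounts = {
  1: { activated: true,  lockedUntil: 0 },
  2: { activated: false, lockedUntil: 0 },
  3: { activated: true,  lockedUntil: 0 },
};
const pendingRequests = new Set(); // "from:to" pairs already sent
const recentByUser = new Map();    // userId -> timestamps of recent requests
const alerts = [];                 // stand-in for "send yourself an email"

function sendFriendRequest(session, targetId, now) {
  // 1. Authentication and account state come from the server-side session only.
  if (!session || !session.userId) return { ok: false, reason: "not_logged_in" };
  const me = accounts[session.userId];
  if (!me || !me.activated) return { ok: false, reason: "account_not_activated" };
  if (me.lockedUntil > now) return { ok: false, reason: "locked" };
  if (!accounts[targetId] || targetId === session.userId) {
    return { ok: false, reason: "bad_target" };
  }

  // 2. Sliding-window rate limit per authenticated user. Exceeding it locks
  //    the account for LOCK_MS and records an alert for the operator.
  const stamps = (recentByUser.get(session.userId) || [])
    .filter((t) => now - t < WINDOW_MS);
  if (stamps.length >= MAX_PER_WINDOW) {
    me.lockedUntil = now + LOCK_MS;
    recentByUser.set(session.userId, []);
    alerts.push({ userId: session.userId, at: now });
    return { ok: false, reason: "rate_limited" };
  }
  stamps.push(now);
  recentByUser.set(session.userId, stamps);

  // 3. Ignore duplicates so retries or impatient re-clicks do not re-notify
  //    the target. Duplicates still count against the rate limit above.
  const key = `${session.userId}:${targetId}`;
  if (pendingRequests.has(key)) return { ok: true, duplicate: true };
  pendingRequests.add(key);
  return { ok: true, duplicate: false };
}

module.exports = { sendFriendRequest, accounts, alerts, WINDOW_MS, MAX_PER_WINDOW, LOCK_MS };
```

The ordering matters: the rate check runs before the duplicate check, so a script hammering the same target still trips the limit, and the lock is stored on the account, not in the client's cookie, so clearing cookies does not lift it.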

Set a cookie for the client on login. Send the cookie with the AJAX request and verify it on the server.

0

I’m not sure I completely understand, because if there were some kind of worm sending AJAX requests, why couldn't the same worm execute the requests without AJAX?

In any case, you definitely need to check on the server side to make sure the request is valid. Whether you want some verification of the number of friend requests that can be made does not depend on whether you use AJAX or not.

0

Actually, there is no such thing as AJAX. The term AJAX is a general description of how things are organized. The so-called "AJAX" request is simply an HTTP GET or PUT.

-1

Source: https://habr.com/ru/post/1345150/