XMLHttpRequest over SSL from an insecure page

How secure is this setting?

The unsecured page 'http://www.site.com' makes an XMLHttpRequest POST to the URL 'https://www.site.com/dosomething.asp'.

The dosomething.asp page has the header 'Access-Control-Allow-Origin: http://www.site.com' set and returns some user data that should be safe.

No mistakes, everything is going well.

How secure is the actual POST request? How safe is the response to this request?

+4
3 answers

The most significant problem that I see is that your unprotected page is insecure (well, obviously). If someone attempted a “man in the middle” attack on this unprotected page, they could edit the functionality of the page (using JavaScript injection, etc.) to intercept the content sent to and received from the secure URL. It is best to serve both pages in secure mode (SSL / TLS).

+4
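The point of the first two answers, as an added example that is not code from the original thread: the server decides which origins may read the response, so a CORS policy that names the insecure http://www.site.com origin authorizes exactly the page an attacker could tamper with in transit. The origin check below (assumed names, Node.js, no dependencies) only ever authorizes https origins from an allowlist, and a companion helper classifies the page/request pairing the question describes.

```javascript
// Added example, not from the original thread. The origin values are the
// ones used in the question; TRUSTED_ORIGINS and function names are assumptions.
const TRUSTED_ORIGINS = new Set(['https://www.site.com']);

// Returns the CORS response headers to emit for a given request Origin.
// An empty object means "do not authorize cross-origin reads at all".
function corsHeadersFor(origin) {
  if (!origin) return {}; // same-origin or non-CORS request: nothing to add
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return {}; // malformed Origin header: refuse rather than reflect it
  }
  // Refuse plain-http origins even if they are on the allowlist: a page
  // delivered without TLS can be modified on the wire, and any script
  // injected into it would then be allowed to read this response.
  if (url.protocol !== 'https:' || !TRUSTED_ORIGINS.has(url.origin)) return {};
  return {
    'Access-Control-Allow-Origin': url.origin,
    'Vary': 'Origin', // the answer depends on Origin, so caches must key on it
  };
}

// Classifies the pairing of the page that runs the script and the URL it
// requests, from the viewpoint of what a network attacker can influence.
function classifyRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  if (page.protocol === 'https:' && req.protocol === 'https:') return 'secure';
  if (page.protocol === 'https:' && req.protocol === 'http:') return 'mixed-content';
  if (page.protocol === 'http:' && req.protocol === 'https:') {
    // The request itself is encrypted, but the code that issues it and reads
    // the reply arrived unauthenticated, so the reply is only as trustworthy
    // as the insecure page.
    return 'insecure-page-reads-secure-response';
  }
  return 'insecure';
}

module.exports = { corsHeadersFor, classifyRequest };
```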

As soon as you introduce the non-SSL component into the application, you have lost all the benefits of SSL. You are as safe as the weakest part. This is why browsers report mixed SSL / non-SSL content as a security warning to the user.

+2

Wireshark is a program that monitors network packets moving across a network. It is free and popular. The definitive way to answer this question is to get Wireshark, take a day to learn it, and apply it.

The filter for viewing traffic from the source site will look like this:

(ip.src == [source ip address]) && (ip.dst == [target ip address])

Change ip.src and ip.dst to find out what happens. In fact, you could combine both in one filter expression.

This will work as long as you are on the network through which the packets are transmitted.

One last point: here is the PKI description (https / SSL / TLS): http://www.mitre.org/news/the_edge/february_01/steve.html

I captured a similar situation with Wireshark and confirmed that I was sending and receiving TLS traffic (https). But it was not exactly this situation, so I do not want to speculate.

-2

Source: https://habr.com/ru/post/1386850/
