How to stop another site from sending cross-domain AJAX requests?

From two different applications, I was able to send cross-origin requests. Although the browser returns a Cross-Origin error, my server is still accepting and executing the request. For example, from a remote site I can make a cross-domain request using

$.ajax({ xhrFields: { withCredentials: true }, data:{ my: 'a' }, url: 'http://MyApp/Page', type: 'POST' }) 

I know that the browser does not return a response to the script, but my server page is still executing.

Say an innocent user is registered on the site http://abc.com. This application will accept a mail request to insert a record. When the innocent user visits the innocent-looking http://HackerSite.com, http://HackerSite.com will be able to send a POST request to http://abc.com through Ajax. How do I avoid this?

+6
3 answers

The vulnerability you are talking about is CSRF, but it can be protected against.

You can protect against a POST being sent outside of an AJAX request (for example, from an HTML form) by sending and checking the X-Requested-With: XMLHttpRequest header. It is also not possible to send it cross-domain via AJAX, because this header is not in the safe list (without CORS).

However, in the past there were some exploits through plugins such as Flash, where headers could be set that were not accessible through the browser (for example, Referer). To protect against this, it is recommended to use the synchronizer token pattern, which involves setting a token in a hidden field to be checked, as well as in a cookie, for all destructive requests. By destructive I mean requests that modify, represent, or delete things (that is, what should be a POST).

See here for more details: http://www.html5rocks.com/en/tutorials/cors/

+2

A simple solution, though not entirely bulletproof, is what we call a "verification token". Each post sent from your site must carry a CSRF token that you check on the server side to make sure the request really comes from your site. Check this out for more information: http://shiflett.org/articles/cross-site-request-forgeries

+1

The Access-Control-Allow-Origin header must be set appropriately to prohibit domains other than those you need. However, this only works for modern browsers. See http://encosia.com/using-cors-to-access-asp-net-services-across-domains/ and http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity

0

Source: https://habr.com/ru/post/956642/
