PDA

View Full Version : is ajax is hackable?



ricky
08-29-2013, 12:29 PM
Hi,

I want to make some port of website in ajax but i heard that it is hackable so is there any way to make it more secure.I am using server base scripts til now but ajax is faster.

thanks

jscheuer1
08-29-2013, 02:48 PM
It depends upon what you're doing with it. All javascript is hackable, in that a person may use the browser's console or scratch pad to inject their own code into the AJAX call. But this only means that they may post or get with it whatever they want from your domain's public areas. Security of those items is your responsibility. Like if your AJAX code runs a PHP script or page that includes something based upon what's sent via AJAX, make sure that only certain values are actionable, don't allow it to include say - any file, give options as to which among a selection of files it might include. If it sends email, give a selection of email addresses in the PHP part that it may send to based upon what AJAX passes it, do not allow it to send to any email address that's passed from AJAX. Those sorts of things.

For your particular application, ask yourself the question, "If I wanted to use this to do something other than it's intended to do, by changing the data sent with the call, what could I make it do?" Keep in mind that if your call is a POST, it could be changed to include GET data or to be only GET, and visa versa. And of course that the data sent can be changed to anything the would be hacker chooses.

This is not all that different than an ordinary form submission or server side link with a query string. A hacker may make up their own link or form and pass/submit it to your PHP page or script. If that PHP code will do anything the form or link tells it to do, you could have trouble.

djr33
08-29-2013, 03:21 PM
Ajax is a way to combine serverside and clientside code. Clientside code is inherently insecure, at least because it can be modified by the client. But that doesn't mean it can be "hacked" by someone else, any more than anything else on their computer could be hacked.
Serverside code, generally, can't be hacked, because it operates on the server-- of course your server could be hacked.
So then there's a question of whether the content requested by Ajax is actually the content you receive. But since both ends aren't really possible to change without access to the user's computer or your server, I don't see why this would be a problem.

So in theory, no. But there are always possibilities of anything having a security problem. For example, someone could guess your admin password and change settings on your server.

The most common kind of attack would be one in which you allow comments or other kinds of content modification from users; then they could add in some potentially harmful Javascript (including Ajax) code so that visitors would have code they (and you) don't want on the page.


The only "security" feature in Ajax is that cross-domain requests (eg, Ajax code on Google asking to load content from Yahoo) is blocked in most (all modern) browsers. That's generally helpful in preventing (such as in user comments) outside content from being loaded.


So in addition to what John said, we'll need more info about exactly what you're doing with the code and what vulnerabilities it might have. In general, there isn't too much to worry about, beyond normal security precautions.