Im using this ajax function to insert a product from an eccommerce site into the database.
I see that this method is very insecure, some experienced users with programming knowledge can use this ajax and insert products , or something else.
I read in others post that propose as a solution to use hidden input fields with a token, but as I said some experienced users with programming knowledge will find it.
Is there some REAL way to make this "add product" function secure without refreshing the page in every insert?
$(document).on('click','#save',function(e) {
var vidArt = $(".imagepreview").attr('value');
$.ajax({
data: {idArt: vidArt},
type: "POST",
url: "classes/add_to_cart.php",
success: function(data){
}
});
});
It doesn't matter if you design your API to be used by Ajax or by whole new page loads. An HTTP request is an HTTP request and people can make whatever HTTP requests they like.
There is no way to ensure that an HTTP request comes from code you have written.
However, that should not matter. If you are going to let the user add_to_cart using the user interface you designed, why worry if they add_to_cart using a user interface they designed?
If you want to impose restrictions (such as "Only products with an X in the name can be added") then impose those restrictions using your server-side code and not the user interface.
Related
I'm working on a project and I've decided to execute submit forms with AJAX for multiple reasons and I have this function;
I've tried to call the delete(someid) function from the console of my browser and it worked; This is now a security concern;
How can I achieve this?
Below is a code snippet illustrating it:
function delete(someid) {
$.ajax({
type: 'POST',
url: 'delete',
data: {
id: 'someid'
}
});
}
I tried to call the delete(someid) function from the console in the browser and that worked wich is now a security issue.
This isn't a security issue from the client side. As far as I know, there is no way to disable people from using the console to call javascript to be used against your API, and even if it is possible there would be over 100 different ways of getting around that.
For this, the security issue would be from your server/api side, and you should be checking requests before doing any sort of actual deleting with server side code.
So the security issue that I saw if that any user can call the delete function with any given id " and that function will delete a persone from a database with the given id.
This would be a server side issue. You need to be doing some sort of authorization on the user. It's a pretty broad topic to answer in a single answer.
Generally the flow you would have, is the user makes a delete request to your server, the server would have some sort of information for the user sending the request (like an id), and the server would then check and see if the user with that id has the ability to delete users from the database.
I am creating an application, that accepts a ajax call (jquery) and returns the validated user an entry token to the website.
Say for example the ajax is called checkAuth.php and there are all the other php files in this directory. By changing the JS to validate another file like checkMail.php for example:
var xmlRequest = $.ajax({
url: "checkAuth.php",
processData: false,
data: xmlDocument
});
change the url to checkMail.php and create a vulnerability in the site?
var xmlRequest = $.ajax({
url: "checkMail.php",
processData: false,
data: xmlDocument
});
Although the result would return a different object but by doing so would this create an "open door" perhaps where the malicious user would keep sending requests in order to gain access? I understand that the user would have to know that the php file exists however I am unsure how to process this securely whilst maintaining my directory structure.
Please note this is not my actual code and I cant clarify the answer with these other posts or I am not understanding this correctly.
Edit: In addition - would this mean that any site using jquery would be able to ajax request any file from the server and create a vulnerability?
How to authenticate an AJAX request to a PHP file?
Question regarding Ajax Hacking
Ajax Security questions
How to send secure AJAX requests with PHP and jQuery
In general, any AJAX request can access all files which accessible via http request like as user types full URL as the browser address.
So, you have to check security token or something else in the begining of PHP-scripts.
You can restrict access to folders or files using .htaccess, see https://stackoverflow.com/a/11729748/3325396
I've been working on a webpage that has a PHP backend to access a database and generate the basic page HTML. Once loaded, all user interaction is controlled by javascript.
To communicate back to the server I'm using the traditional post method:
jQuery.ajax({
type: 'POST',
url: ajaxurl,
data: postdata,
success: function(data) {
// PHP returns data
}
});
However, the moment I start communicating back to the server using this method, I create lag in the UI and the user experience suffers, especially if they have a slow connection. I've got the usual loading gif spinners and progress bars where appropriate, but I want the UI to be as instant as it can be.
The primary reason I'm going back to the server is to grab information from the database. I've been wondering if there are ways to remove this?
1) Download the database data and access it directly in Javascript? Completely removing to need to go to the server to retrieve data. Is this possible? Are there any libraries for this?
2) In general, are there more efficient ways to retrieve data from a server than using the post method?
Some possible solutions are to preload data where possible, turn on caching on server side if needed, optimize your queries to database, do not return whole html from POST etc.
So here is the desired behavior I'm trying to get:
User goes to a password change web page.
User fills out form and the form PUTs to our REST server.
After a successfully PUT, the user is redirected to the "My Account" page with a message saying, "Password successfully changed".
If they refresh their "My Account" page, the password message should go away. (I.e. it is a one time message.)
Here are solutions I've tried (unsuccessfully):
1) Using JQuery to perform an AJAX PUT to the REST server. This works fine for the PUT, but the redirect has to be in the onSuccess JavaScript and if it passes a message on the URL to the My Account page, then that message hangs around after refresh.
2) Using a traditional form. However, this won't do a PUT ( method does not support put, on post and get). I could do a POST, but that is "wrong" from a REST perspective, because I'm updating the user account record, not creating a new record. The redirect and one-time message could all be handled server side with this solution (RESTlets, Servlets and/or JSP).
Is there are good solution out there? Or must I change my PUT to a POST?
You may do PUT using a traditional form using JavaScript. The only trick is to flash a temporary message. I've seen web frameworks that use a sort of temporary session state for this kind of stuff which requires little effort on your part. If you don't have that available, the trick would be to store a temporary session in the database and reference it through a cookie. It is not straight forward, and that is why web frameworks can really help you in this situation.
The typical setup is as simple as this:
$('form').submit(function () {
$.ajax({
url: 'service/api',
data: $('form').serialize(),
type: 'POST'})
.done(function () {
// perform redirect
});
On the server side you set the temporary session state and delete when complete.
I am trying to use AJAX to securely submit data to a script. After collecting the below values, I am trying to somehow, transmit the collected values, securely, to process.php however, I have never done this before.
I appreciate any suggestions on how to encrypt or somehow secure the below data and submit it with ajax.
My JQuery
$('.process-button').click(function(){
var processNum = $('.process-num').val();
var month = $('.process-month').val();
var amount = $('.charge-amount').val();
$.ajax({
url: "process.php",
type: "post",
success: function(data){
alert(data);
}
});
});
Many thanks in advance!
There may be more that others can point out, but a few security concepts I can think of:
Transmit data using HTTPS. You may need to set up your server software for this. The page you post from may also need to be in HTTPS (so that it will be the same domain)
Do not include any information in the URL, like you often might in a GET request. (ie, POST "provider/patienthistory/patients/frankgumby/"). This is mostly handled by doing it as a POST request.
On PHP, do not trust off the bat that the information is coming from that Javascript call. Assume someone is sending requests from a random page on your site, with made-up data, and ensure said person cannot do anything malicious.