jQuery security issue - javascript

I'm feeling scared about a solution i'm using in one of my app.
Basically, i use this snippet :
var username = ...;
$.ajax({
type: "POST",
url: "getFeed.php",
data: "username="+username,
success: function(html) {
// do the stuff
}
});
My question is : is this hackable ? If you use the chrome/firefox/... build-in code editor and replace var username = ... by var username = 'user1';, would it work ?
Thanks

Yes, anyone with a javascript debugger will be able to change the variable to whatever username they want. JavaScript is always open to the user and can be modified easily.
Typically you would have a login page to authenticate the user (often cookie based), and then on every subsequent request (Ajax or otherwise) you would be able authenticate the cookie and make sure the user is who he says he is. This will however require a server side solution to the authentication.

Related

Best way to run script from several forms on my site

I'm very new to this and trying to figure out the best way to accomplish. I am using Shopify and have been trying to implement a script that runs upon account creation that redirects to my shop page and also subscribes them to my mail list. I have this code in my account.liquid file.
//if(document.referrer == "https://example.com/challenge" || document.referrer == "https://example.com"){
var url = "http://example.us10.list-manage.com/subscribe/post?u=48c8cbb03628105f109c9ea64&id=111111111"
var email = $('.email.note').html();
var path = "https://example.com/collections/all";
setTimeout( function() { window.location.href= path; }, 3000);
$.ajax({
type: "POST",
url: url,
data: {EMAIL : email},
dataType: 'jsonp',
});
//}
I currently have a form on my home page and also a popup that uses the same form in my shop page that both create a customer account. Before I commented out the document.referrer it worked properly only when there was a challenge, but without the challenge it did not work. Now commented out it will run properly, but will also run the script anytime a customer goes to their account page. I obviously only want it to run once upon account creation.
I have a feeling there is a better way to accomplish this and have spent hours searching, but haven't found anything.

How to redirect page in javascript without showing variable in url?

I have been trying to redirect page with variable through javascript.
I have found window.location.href = "test.php?variable=" + variabletosend;
but in this way user can change url and hence values.
Please tell me, how to pass variable to another page through javascript, hidden from user.
Your entire approach is wrong.
You can never trust a URL from a user, nor prevent the user from seeing the URL to the page.
Instead, you need to write server-side code to return an error if the user tries to access they're not supposed to.
You could do something like:
Instead of GET request, use POST (if you don't want parameters in url)
If you want to pass parameter + redirect then, it would be better if you could store those values as session variable.
If you worry about user accessing improper pages of your site you should correclry handle such requests either in server-side running code or using your web-server (IIS, Apache, etc)
You basically want to send the variable to a php page via js.I also had this kind of problems.you should use AJAX request.I know it sounds complex but after you google it this would be easy.In jquery you could use(it would be good to check for syntax error):
$(document).ready(function() {
$.ajax({
type: "POST",
url: 'test.php',
data: { variable : variable },
success: function(data)
{
alert("success!");
}
});
});
use this file."jquery.redirect.js"
$("#btn_id").click(function(){
$.redirect(http://localhost/test/test1.php,
{
user_name: "khan",
city : "Meerut",
country : "country"
});
});
see=https://github.com/mgalante/jquery.redirect

Ajax Login With PHP Issue

I am creating A login system using AJAX,PHP & SQL obviously.
Anyway I am trying to implement A real time login feature so it will log the user in without refreshing the page.
I have done that almost but the only issue when the user clicks remember me that uses cookies instead of sessions but the JQuery isn't proccessing that?
I want it to detect depending if it was checked ether remember the user or not it only starts a session, when it does register a cookie the logout page is not deleting the cookie which he did before i added the jquery code in so nothing on the php end and I am mainly A PHP Developer and still learning.
(I cannot post the server side code for privacy reasons as I be using this in A project
but it looks similar to any other normal php login script)
Here's the JQuery
function validLogin(){
var user_login=$('#user_login').val();
var user_pass=$('#user_pass').val();
var remember_me=$('#remember_me');
var dataString = 'user_login='+ user_login + '&user_pass='+ user_pass;
$("#flash").show();
$("#flash").fadeIn(100).html('Loading..');
$.ajax({
type: "POST",
url: "ajax/procces.php",
data: dataString,
cache: false,
success: function(result){
var result=trim(result);
$("#flash").hide();
if(result=='correct'){
window.location='index.php';
}else{
$("#errorMessage").html(result);
}
}
});
}
function trim(str){
var str=str.replace(/^\s+|\s+$/,'');
return str;
}
Thanks
You don't pass your variable 'remember me' to your ajax request. For instance :
data: {login: user_login, passwd: user_pass, rememberMe: remember_me}
Another point, be careful you treat information from client-side. Never trust the client. Test all your values in PHP.

Execute ajax only one time

I want only execute my ajax post 1 time, i try to avoid to the user refresh the page and execute so much times the ajax post,
I thought in create a cookies, but i don't know, and i'm no sure, somebody know how?
This is my jquery.
var t = jQuery.noConflict();
t( document ).ready(function() {
t.cookie("example", "foo", { expires: 7 }); // Sample 2
console.log( "ready!" );
alert(t.cookie("example"));
var data = '<?php echo json_encode($json_full);?>';
t.ajax({
url: 'my api url',
type: 'POST',
success: function(r) { alert(JSON.stringify(r)) },
dataType: 'JSON',
data: { data: data, }
})
});
/I need run this AJAX only one time because is a checkout page to send the order, and if i refresh the page, send every time the same order, and this i don't want/
Thanks a lot!
Things like these can not be safely controlled on the client's browser. Any user with minimal knowledge in JavaScript will be able to open up the developers tools for their browser and manipulate the code or any values you might have stored (such as deleting the cookie you have set).
This limitation should be implemented on the server.
It really depends on the scope of your application. You might be able to limit the requests per IP address, but that might prevent multiple people from the same office for example loading the page at the same time.
Using user authentication and persistent server storage you'll be able to limit the effect of the request, but you probably won't be able to prevent the actual request from being sent as anyone can make that request even from outside the browser. You could store the user_id of the user that initiated the request and only allow the resulting action to occur if a certain time has passed since the last request.
A better solution to avoid double submits, is to use a POST query for the submit request and let the server respond with a redirect to a normal (harmless) receipt/thankyou page.
Then if the user refreshes the receipt page they will simply repeat the GET request to the receipt page and not the post.
You should still add some checks server side to avoid multiple POST requests somehow (using sessions, timestamps or something), in case a malicious user deliberately tries to resubmit.
This will only work on IE8 and above, but you can use localStorage:
var t = jQuery.noConflict();
t( document ).ready(function() {
t.cookie("example", "foo", { expires: 7 }); // Sample 2
console.log( "ready!" );
alert(t.cookie("example"));
if(localStorage['submitted'] === undefined){
var data = '<?php echo json_encode($json_full);?>';
t.ajax({
url: 'my api url',
type: 'POST',
success: function(r) {
localStorage['submitted'] = true;
alert(JSON.stringify(r));
},
dataType: 'JSON',
data: { data: data, }
})
}
});
This way the first time it will run the AJAX because you haven't set the localStorage variable, but upon success you do and it will not resubmit on page refresh.
If you wanted to have the ability to send again upon a future visit, just use sessionStorage instead of localStorage. Same syntax and everything.

Verifying a twitter account without authentication

My web app was previously using the following function to check the existence of a twitter account:
var checkTwitter = function(username){
$.ajax({
url: 'http://twitter.com/statuses/user_timeline.json?screen_name='+username+'&count=1&suppress_response_codes=true&callback=?',
dataType: 'json',
success: function(data, success){
if(data.error){
//gone bad code
} else {
//gone good code
}
}});
}
Which has been happily working for a month or two. Now the url returns:
{"error":"Not found","request":"\/statuses\/user_timeline.json?screen_name=mildfuzz&count=1&suppress_response_codes=true&callback=?"}
when checking for my own twitter account (#mildfuzz).
What's gone wrong?
Twitter recently changed their API rules maybe it is coz of that?
Try changing to https.
According to Twitter Dev use HTTPS
And you must have an authentication context.
https://api.twitter.com/1/statuses/user_timeline.json?include_entities=true&include_rts=true&screen_name=twitterapi&count=2
You should also change your success function to :
if(data="[]" || data.error || data.errors){
//gone bad code
} else {
//gone good code
}
error (when not authorised) : https://api.twitter.com/1/statuses/user_timeline.json?include_entities=true&include_rts=true&screen_name=test&count=2
errors (when user does not exist): https://api.twitter.com/1/statuses/user_timeline.json?include_entities=true&include_rts=true&screen_name=qsdsqdq&count=2
Also when the user does not exist, it can return an empty array (although i have no idea why) : https://api.twitter.com/1/statuses/user_timeline.json?include_entities=true&include_rts=true&screen_name=dsf&count=2
https://dev.twitter.com/docs/api/1/get/users/lookup
this link fixes it. Twitter now have a function for simply looking a user up, which does not require authentication.

Categories

Resources