I developed an application in ASP.NET MVC. This app has an action that returns a JsonResult and I get it with jQuery on the client side. Everything works fine, but I'd like to know if there is any way to add security to this action so that it only responds to requests that came from my website.
Is there any way to stop other websites from requesting this action? Or to prevent JavaScript in the address bar (script injection)?
Thanks
Short answer: No
Long answer: The only way to know that a request is legitimate is to interpret what's coming with the request. There's no magic in the HTTP protocol. Probably the most reliable way is to check the referrer and ensure that it's your site. But it's not hard to fool that check.
I have not tried this yet but have been thinking about how I might achieve this as well. My current thoughts are to add a custom attribute to the action that checks a token appended to the call by the requesting application.
The token would be generated by the calling application based on a seed key that was provided to the requester upon applying to use the API. The custom attribute would authenticate the key before the action ran either allowing or denying the call.
As I said not fully formed yet but was thinking along these lines ... good luck and if you come up with something make sure you post back.
For other sites:
You can check the referrer, but that can be spoofed.
You can check to see if you have an active session with the user.
For the address bar:
There is nothing you can really do about that.
Other websites can't make requests to your action using AJAX because HTTP doesn't allow it, but it can still be called from the address bar, another program or anything else.
If you want to allow calls to your action only from specific parts of your website, you can use the HTML helper AntiForgeryToken and the attribute [ValidateAntiForgeryToken]; you can check a tutorial about this here: http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx. It's pretty much the idea abarr posted.
I'm trying to make a web application that will dynamically inform the user about the dynamic changes that occur on the server (PHP/MySQL/Apache).
I tried to implement a solution through APE (push) server but documentation is poor and the examples are not usable.
Does anyone know a solution that could be implemented to resolve this?
I forgot to add that because there are too many users and they need to constantly check the current status on the server, AJAX is not the best solution.
AJAX was the first choice but we have to replace it.
I suggest you use AJAX concepts for this purpose.
jQuery AJAX is very easy to implement with the help of the JavaScript setInterval() function.
You can find jQuery AJAX examples here.
All you need to do is write some PHP code which returns a response containing the changes that occurred on the server.
In the JavaScript layer, check the received response and look for the changes. If there are any changes, just present them to the user.
In my app, I will provide my client a JavaScript plugin, which will collect some HTML data and send it to my server. I wonder what's the best way to identify my client. Say someone copied the JavaScript and put it into his website. A similar case is the live chat plugin.
Really, your question is not very clear to me. I have been monitoring it from the beginning, so as no one answers I can say the following:
1.- If your JavaScript plugin is to plug into websites, like a jQuery plugin, then you can't be sure about anything because the code can easily be modified to remove any security procedure.
2.- If your JavaScript plugin is to plug into browsers, like a FF addon. Well, indeed it can be modified too, but in most cases you can track simply with cookies or a login procedure.
That said, I think that if the case is the first (plug into websites) you could identify the websites by asking for an authentication token stored on the website's server (requested by AJAX) and adding it to the HTML data that is sent to your server.
Hopefully you can understand my Emglizch :) and do not say pure garbage.
In the new Yahoo mail inbox, when you click the message it is displayed in a tab automatically (I guess without server interaction). Does that mean Yahoo loads all the data first and then uses it with JavaScript when requested, or not... anyhow, I don't have any idea and I would like it if someone explained to me how it works, since I am planning to do the same with my application. I am sure this will boost application performance and I am eager to know.
I guess Yahoo did something similar to what Hotmail describes here
Basically they decide, depending on several aspects, what and when to preload...
I have not seen it but what you're describing sounds like dynamic AJAX loading. Basically, only load information when it is requested by the user. This will reduce network load and initial loading times. Most JS libraries have some form of AJAX helper. You can read more on AJAX here and here.
I am pretty sure it does have some server interaction. It definitely is using some sort of AJAX to fetch data from the server and show it to you. There are tons of tutorials about using AJAX which you can refer to. You can probably start with http://w3schools.com/ajax/default.asp
I've been looking for better ways to secure my site. Many forums and Q/A sites say jquery variables and HTML attributes may be changed by the end user. How do they do this? If they can alter data and elements on a site, can they insert scripts as well?
For instance, I have 2 jQuery scripts for a home page. The first is a "member only" script and the second is a "visitor only" script. Can the end user log into my site, copy the "member only" script, log off, and inject the script so it'll run as a visitor?
Yes, it is safe to assume that nothing on the client side is safe. Using tools like Firebug for Firefox or Developer Tools for Chrome, end users are able to manipulate (add, alter, delete):
Your HTML
Your CSS
Your JS
Your HTTP headers (data packets sent to your server)
Cookies
To answer your question directly: if you are solely relying on JavaScript (and most likely cookies) to track user session state and deliver different content to members and guests, then I can say with absolute certainty that other people will circumvent your security, and it would be trivial to do so.
Designing secure applications is not easy, a constant battle, and takes years to fully master. Hacking applications is very easy, fun for the whole family, and can be learned on YouTube in 20 minutes.
Having said all that, hopefully the content you are containing in the JS is not "mission-critical" or "sensitive-data". If it is, I would seriously weigh the costs of hiring a third party developer who is well versed in security to come in and help you out. Because, like I said earlier, creating a truly secure site is not something easily done.
Short Answer: Yes.
Anything on the users computer can be viewed and changed by the user, and any user can write their own scripts to execute on the page.
For example, you will up vote this post automatically if you paste this in your address bar and hit enter from this page:
javascript: $('#answer-7061924 a.vote-up-off').click();
It's not really hacking because you are the end user running the script yourself, only doing actions the end user can normally do. If you allow the end user on your site to perform actions that affect your server in a way they shouldn't be able to, then you have a problem. For example, if I had a way to make that Javascript execute automatically instead of you having to run it yourself from your address bar. Everyone who came to this page would automatically upvote this answer which would be (obviously) undesired behavior.
Firebug and Greasemonkey can be used to replace any javascript: the nature of the Browser as a client is such that the user can basically have it do anything they want. Your specific scenario is definitely possible.
Well, if your scripts are public and not protected by a server side, then the hacker can run them in a browser like Mozilla.
You should always keep your protected content in server-side scripting and allow access by the session (or some other server-side method).
Yes, a user can edit scripts; however, all scripts are compiled on the user's machine, meaning that anything they alter will only affect their machine and not any of your other visitors.
However, if you have paid content which you feed using a "members-only" script then it's safest if you use technology on the server to distribute your members-only content rather than rely on the client scripts to secure your content.
Most security problems occur when the client is allowed to interact with the server and modify data on the server.
Here's a good bit of information you can read about XSS: http://en.wikipedia.org/wiki/Cross-site_scripting
To put it very simply:
The web page is just an interface for clients to use your server. It can be altered in all possible ways and anyone can send any kind of data to your server.
First, you have to check that the user sending that data to your server has privileges to do so. This is usually done by checking against the server session.
Then you have to check on your server end that you are only taking the data you want, nothing more or less, and that the data is valid by validating it on your server.
For example, if there is a mandatory field in some form that the user has to fill out, you have to check that the data is actually sent to the server, because the user may just delete the field from the form and send it without.
Another example is that if you are trying to dynamically add data from the form to the database, the user may just add a new field, like "admin", set it to 1 and send the form. If you then have an admin field in the database, the user is set as an admin.
One of the most important things is to remember to avoid SQL injection.
There are many tools to use. They are made for web developers to test if their site is safe. Hackbar is one for example.
I am hoping to create an ajax sign in form, which redirects the user on sign in - this is going to check the username and password in the database, and send a true value to the client.
As such I want to do window.location="http://www.someplace.com/mypage.html";
Is this safe? Is there any way for users to disable JavaScript redirects?
The user can always disable anything that is javascript based.
That said, using JavaScript for redirection is not in itself unsafe, and I don't see an abuse scenario, only a breakage scenario.
All in all it depends how you define safe :)
In addition to Martin's good answer, don't forget to protect yourself against SQL injection attacks: a user can very easily access your target page by himself and send "fake" AJAX requests with malicious stuff like 1' OR 1=1 as the username or password.
Unlike what you might think, AJAX requests are not totally hidden from the user and can be easily detected and manipulated using simple tools available for anyone.
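The server-side checks from the "To put it very simply" answer above (session privilege, allow-listed fields, mandatory fields) together with the parameterized sign-in lookup this comment calls for, as one added Node.js example that is not part of either post. The session table, form schema, request objects and helper names are constructed for illustration.

```javascript
// Constructed session table: the server, not the client, knows who is signed in.
const sessions = new Map([['sess-42', { userId: 7, role: 'member' }]]);

// Allow-list for the profile form. Anything not named here (e.g. an "admin" field
// the user added to the form) is rejected instead of being copied into the database.
const PROFILE_FIELDS = { email: { required: true }, displayName: { required: false } };

// Step 1: the privilege check comes from the server-side session, never from a
// client-supplied flag.
function requireSession(req) {
  const session = sessions.get(req.cookies.sessionId);
  if (!session) throw new Error('not authenticated');
  return session;
}

// Step 2: take only the fields you expect, and fail if a mandatory one was deleted.
function pickFields(body, schema) {
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) throw new Error(`unexpected field: ${key}`);
  }
  const clean = {};
  for (const [key, rule] of Object.entries(schema)) {
    const value = body[key];
    if (value === undefined || value === '') {
      if (rule.required) throw new Error(`missing required field: ${key}`);
      continue;
    }
    clean[key] = String(value).trim();
  }
  return clean;
}

// Steps 1 and 2 together, as the handler for the profile-update AJAX request.
function handleProfileUpdate(req) {
  const session = requireSession(req);
  return { userId: session.userId, fields: pickFields(req.body, PROFILE_FIELDS) };
}

// Step 3: the sign-in lookup uses a placeholder, so a username of "1' OR 1=1" is
// bound as a literal string rather than becoming part of the SQL. The stored hash
// is then verified in code; the password itself never goes into the query.
function loginQuery(username) {
  return { sql: 'SELECT id, password_hash FROM users WHERE username = ?', params: [username] };
}

// The concatenated form the comment warns about, kept only to show the difference.
function loginQueryConcat(username) {
  return "SELECT id, password_hash FROM users WHERE username = '" + username + "'";
}

console.log(handleProfileUpdate({ cookies: { sessionId: 'sess-42' }, body: { email: 'a@example.test' } }));
console.log(loginQueryConcat("1' OR 1=1")); // the quote in the input ends the literal early
```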
It's not unsafe, but there are 2 alternatives for redirecting without using JS (or if someone has JS disabled):
1) by adding a meta tag in your head
<meta http-equiv="refresh" content="0;url=http://www.someplace.com/mypage.htm/" />
2) better, by a server side redirect i.e. (php)
<?php
header( 'Location: http://www.someplace.com/mypage.htm' ) ;
?>
Edit: As I replied to #Spudley's comment, these are 2 other methods to redirect to a page without JS enabled. In your case, #Ashley Ward, I think it's the correct way to redirect a page for an AJAX form :)
P.s. a form should work both in ajax and non-ajax way ;) ..remember what other users correctly said: JS can be disabled
Remember that Javascript is all run in the client browser. The user can see the code, and with the right tools can edit it in-situ.
Therefore nothing is "safe" when you're running in Javascript in the browser. You should always assume that a malicious user can and will modify your ajax calls, tweak your variables and change the flow of your javascript code.
However, as long as you've catered for that by making your server-side code secure (i.e. preventing SQL injection attacks, etc.), then you don't need to worry too much about that. A hacker will be trying to break your site, so there's no need for you to worry about whether things will work for him.
For the purposes of a normal user simply running the code normally, then the answer is Yes: your JS redirect should be perfectly safe. The user can switch off Javascript, but of course the Ajax event wouldn't have worked either if the JS was disabled.
If you've written your ajax code to have a fall-back for non-JS users, then you may want to provide a fall-back for the redirect as well, but in all probability your ajax fall-back would load straight to the redirected page anyway.