12 Apr 2009

AJAX tampering and leeching

Ray Camden blogged about server-side security when using AJAX. He discussed a way to detect the difference between normal HTTP requests for ordinary web pages and AJAX-triggered HTTP requests. To the server they look virtually the same.

The problem with using AJAX is that it adds a vulnerability to web applications. People can play around with URL and form parameters to see what else they can extract from your application or database. It can also be used to leech data from your database on a regular basis because, if your data is of any value to someone else, you're providing it freely in a machine-readable format, typically JSON or XML. How can you stop people from doing that? I mentioned a possible technique when commenting on Ray's blog and was asked to come up with some code.
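To make the problem concrete, here is a small server-side check an AJAX endpoint could run before handing back JSON or XML. This is an added, framework-agnostic example in Python; it is not the demo app from this post, nor Ray's code, and the header check, the token format, the `SERVER_SECRET` value and the rate-limit numbers are all assumptions chosen for illustration. The idea is that the page minting the token is the only legitimate caller, so a token bound to the session and the endpoint, plus a per-session rate cap, raises the cost of both parameter tampering and bulk leeching.

```python
import hashlib
import hmac
from collections import deque

# Server-side signing key (constructed for this example only; a real deployment
# loads it from configuration, never from source code).
SERVER_SECRET = b"example-only-secret-do-not-reuse"


def mint_token(session_id: str, endpoint: str, issued_at: int, ttl: int = 300) -> str:
    """Token the server embeds in the rendered page's JavaScript.

    Format: "<expiry>.<hex HMAC>"; the HMAC binds session id, endpoint path and
    expiry time, so a token lifted from one page cannot be replayed elsewhere.
    """
    expiry = issued_at + ttl
    msg = f"{session_id}|{endpoint}|{expiry}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{mac}"


def token_is_valid(token, session_id: str, endpoint: str, now: int) -> bool:
    """Recompute the HMAC for this session/endpoint and compare in constant time."""
    try:
        expiry_str, mac = token.split(".", 1)
        expiry = int(expiry_str)
    except (ValueError, AttributeError):  # missing, malformed or non-string token
        return False
    if now > expiry:
        return False
    msg = f"{session_id}|{endpoint}|{expiry}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


class RateLimiter:
    """Sliding-window counter per session: caps how fast one client can pull data."""

    def __init__(self, max_requests: int, window_seconds: int):
        self.max = max_requests
        self.window = window_seconds
        self._hits = {}  # session_id -> deque of request timestamps

    def allow(self, session_id: str, now: int) -> bool:
        q = self._hits.setdefault(session_id, deque())
        while q and q[0] <= now - self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


def check_ajax_request(headers: dict, params: dict, session_id: str,
                       endpoint: str, limiter: RateLimiter, now: int):
    """Return (allowed, reason). headers/params are plain dicts as a framework supplies them."""
    # Header names are case-insensitive, so normalise before looking one up.
    hdrs = {k.lower(): v for k, v in headers.items()}

    # 1. Ordinary page loads do not carry this header; most JS libraries add it to
    #    XMLHttpRequest calls. Any client can set it, so it is a hint, not proof.
    if hdrs.get("x-requested-with") != "XMLHttpRequest":
        return False, "not an XHR request"

    # 2. The token ties the call to this session and this endpoint, and it expires,
    #    so a URL copied out of the page stops working on its own.
    if not token_is_valid(params.get("token"), session_id, endpoint, now):
        return False, "missing, expired or forged token"

    # 3. Even a legitimate session gets a bounded rate, which limits bulk leeching.
    if not limiter.allow(session_id, now):
        return False, "rate limit exceeded"

    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: one session, one endpoint, a 2-per-minute cap.
    limiter = RateLimiter(max_requests=2, window_seconds=60)
    token = mint_token("sess-123", "/data/items", issued_at=1000)
    xhr_headers = {"X-Requested-With": "XMLHttpRequest"}
    for t in (1001, 1002, 1003):
        print(t, check_ajax_request(xhr_headers, {"token": token}, "sess-123",
                                    "/data/items", limiter, t))
    print("plain GET", check_ajax_request({}, {"token": token}, "sess-123",
                                          "/data/items", limiter, 1004))
```

The three checks are layered on purpose: the header alone is trivially forged, the token alone can be reused by a scraper that already has a session, and the rate limit alone still leaks data slowly. Together they mean anyone pulling data in bulk has to hold a live session on the site and stay under the cap, which is usually enough to make leeching more expensive than it is worth and makes the abuse visible in the server logs when tokens fail or the limiter trips.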

I brewed up a demo app and am seeing if I can get the live code hosted (it’s for ColdFusion but the technique applies to any server side language). Stay tuned…

If you want to play with the code on your own CF server you can download it here. No configuration is necessary, just drop the folder into your web root. The code is highly commented so PHP, RoR and .NET coders can easily modify it.
