15

This question is inspired by this security question https://security.stackexchange.com/questions/1707

  1. What are the threats in using Ajax? (Please note I am talking about security threats, not features drawbacks)
  2. How do I do Ajax securely? (Please give examples, preferably examples in PHP since I am using the CakePHP framework.)
Kim Stacks
  • 905
  • 9
  • 21

2 Answers

16

Ajax is just passing data over HTTP - it's not magic - so you secure it in exactly the same way you do with your normal webpages:

  • check for authentication and authorization
  • Encrypt or add salted hash checks to data exported to the browser for resubmission
  • treat any data received in the request as potentially dangerous
  • use HTTPS where it's appropriate
  • transform data leaving your PHP using the right method for where it's going (htmlentities, mysql_real_escape_string)
  • transform data entering your script using the right method based on its origin (e.g. json_decode)
symcbean
  • 18,418
  • 40
  • 74
  • If, as a logged-in user, some actions are executed via Ajax, how do we check for authorization? What about CSRF protection? – Kim Stacks Feb 12 '11 at 10:20
  • 1
    I suggest clarifying that the point is that you can't trust anything that comes from the browser, even if you designed your Ajax to do form validation or whatever. The user may manipulate the javascript at their end, or a MITM may have replaced the scripts entirely. So just do all the same server-side authentication and data checks you normally would. – nealmcb Feb 18 '11 at 02:02
  • How about a specific code example in any language, for checking authentication? I think I will definitely benefit from that. – Kim Stacks Feb 20 '11 at 16:10
  • Are there any new problems specific to the way AJAX is done/being used? How do you do security on top of a stateless protocol? – Marcin Apr 26 '11 at 12:41
  • Good points in general, but [`mysql_real_escape_string` certainly isn't the right method to protect against MySQL injection attacks in PHP](http://stackoverflow.com/q/5741187/372643). – Bruno Feb 08 '14 at 18:50
  • @Bruno: True, mysql_real_escape_string() will not protect you from very sloppy programming - but if the demonstration you reference is an example of the quality of code on site, then they will have plenty of other security problems to worry about. – symcbean Feb 08 '14 at 23:06
6

The threats with AJAX are the same that are faced with normal web requests: XSS, SQL Injection, etc. One thing to note is that with AJAX, if you load data from an untrusted source (for example some webservice), you should also validate that data on the client, not just on the server, or else someone can potentially inject javascript and other nasty things.

Use the same methods to secure the request as you would use normally, since AJAX is just an HTTP request. But keep in mind that besides checking for the "normal" things (check the user's privileges, sanitize the data, etc.), also check if he really made the request or if he was tricked (for example a link on another page). To do that, include a CSRF-token in each AJAX request and validate it on the server side (see What is the correct way to implement anti-CSRF form tokens?). Though it is recommended that a CSRF token is used even in normal requests.

Another thing is that depending on what you do on the client side, also sanitize the data there. Otherwise an attacker could inject harmful code into the page. This is especially important if you get data from a third party, but best do it for all input.

Andreas Arnold
  • 2,423
  • 20
  • 19
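Both answers above say the same thing: an Ajax endpoint gets the same authentication, CSRF and input checks as a normal form POST. The following is an added example in plain PHP (not code from either answer, and not CakePHP's own helpers) showing those checks in one endpoint; it assumes PHP 7.1 or later with sessions enabled, and the `X-CSRF-Token` header name and the function names are this example's own choices.

```php
<?php
// Added example: a plain-PHP Ajax endpoint that applies the same checks as a
// normal form POST. Assumes PHP >= 7.1 with sessions enabled; header and
// function names are hypothetical choices for this example.
declare(strict_types=1);
// Issue one random token per session; render it into the page so the
// Ajax call can send it back in a request header.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Constant-time comparison: hash_equals() avoids the timing leak of ==.
function csrf_valid(?string $supplied): bool
{
    if ($supplied === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $supplied);
}
function handle_ajax_request(): array
{
    // 1. Authentication: the session cookie rides along with the Ajax call
    //    exactly as with any other request, so the login check is the same.
    if (empty($_SESSION['user_id'])) {
        return [401, ['error' => 'not logged in']];
    }
    // 2. CSRF: another site can make the browser send the cookie, but it
    //    cannot read the token, so require it on every state-changing call.
    $token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_valid($token)) {
        return [403, ['error' => 'missing or invalid CSRF token']];
    }
    // 3. Input: decode by origin (json_decode) and validate before use.
    $input = json_decode(file_get_contents('php://input'), true);
    if (!is_array($input) || !ctype_digit((string) ($input['item_id'] ?? ''))) {
        return [400, ['error' => 'invalid input']];
    }
    // 4. Output: JSON-encode so the client receives data, not markup.
    return [200, ['item_id' => (int) $input['item_id']]];
}
session_start();
[$status, $body] = handle_ajax_request();
http_response_code($status);
header('Content-Type: application/json');
echo json_encode($body);
```

The page that contains the form calls `csrf_token()` and places the value where its script can read it; the script then sends it in the `X-CSRF-Token` header with every POST, and the endpoint rejects any request without a matching token.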