I use

$.post('ajax/test.php', function(data) {
    $('.result').html(data);
});

to send data and retrieve information and show it to the user. But "hackers" can access my file (test.php) just by typing it in the URL. Is it possible to detect if the call is made from jQuery or not?
Is it possible to detect if the call is made from jQuery or not?
Yes, but the same "hackers" can as easily fake a jQuery call. There is no reliable way to detect whether a call was made from jQuery, or using other means. Anybody can make a request to a resource.
If you have sensitive data on the web, you need to protect it using classical means like a user login, HTTP basic auth, or IP limitations - just like a normal web page.
Check the referrer on the server side. If not from your host, reject.
I have a project where I'm calling a PHP file from jQuery AJAX. Inside the PHP file I have a cURL call to a REST API to get some data. This data flow cannot be altered, i.e. from jQuery I call the PHP file, then from the PHP file the API will be called. Now I have to prevent displaying the URL in the Firebug console when the AJAX call is triggered. Any idea how I can achieve this? Here is the code I used for calling the PHP file.

$.getJSON("file.php", function(data) {
    console.log("hello" + data);
});
Now I have to prevent displaying the URL in the Firebug console when the AJAX call is triggered.
Sorry, not possible. If the user's web browser is making a request, the user can see it. Even if you manage to somehow hide it from the web browser, they can still see it in any number of other tools. Any request that comes from the user's machine can be inspected by the user.
If you absolutely need to make this happen, then you need to write a custom client and perform encrypted communication between that client and your server.
Now to the real question... why should this be hidden from the user? If the user shouldn't see the data, then why is the request being made client-side in the first place? Just make the request from server-side code and keep the data server-side. If the user should see the data, then what's the problem? If the user only shouldn't see the URL but should see the data, get the data server-side and only show the data to the user.
If you have a public URL which is providing requestors with sensitive information and you don't want anybody to know what that URL is, you have a security problem. As mentioned in a comment above, security through obscurity is no security at all.
I don't know the proper way to say this, so here is my issue.
I am dealing with an API that sends information to the server, from either web form or whatever in this format:
http://server/non_agent_api.php?source=test&user=6666&pass=1234....
with a bunch more parameters.
Normally, I have dealt with APIs that just send it with SOAP or REST, not in a URL like that. My question is how do I send that information using PHP or something. So if I wanted to take in a username and password from a web form, how do I send that link to the server without clicking on the URL itself?
I hope that makes sense. Thanks for the help.
You can use cURL for that. Read about curl(); there you can find a class which can be easily used.
In PHP use

header("Location: TARGETURL");

Create the TARGETURL using the information sent from the form.

The Location header makes the server generate a 302 Moved Temporarily HTTP return code. The browser then sends the user to the TARGETURL transparently without any further interaction.
I have a file, caller.php, which takes a GET URI that specifies a value to search the database for. The data is then returned in JSON format using php.
I want to protect caller.php so that it is only accessible from another page, get.php, using an AJAX call.
What is the best way to go about this?
I want to protect caller.php so that it is only accessible from another page, get.php, using an AJAX call.
You can't. An AJAX call can be easily faked, as can its origin.
There is no reliable way for you on server side to tell whether a call is an Ajax one or not, nor where it came from.
You need to secure your Ajax resource the same way you would secure a normal page - e.g. through an authorization system like a user login, etcetera.
Without such an authorization system in place, you have to assume that everyone can access the URL.
You could check the session to see if the call is authorized or not. AJAX requests will send you the PHP session cookie. This assumes that caller.php is secured by some kind of user login system that uses sessions.
What I'm trying to do is:
I have a form. I submit that form. In the code of the target script I want to make some validations. In a certain case, I want to make a POST to another URL. I don't want to just make a redirect to an URL.
I don't know if this is possible, that's why I'm asking.
I'm working with PHP.
Thanks!
To the people who suggested cURL: Building a request like so will send the data on behalf of the server not the client. I don't think he wants that.
He wants POST forwarding and that, if it were to exist (and I don't think it does), should be implemented by the browser.
What I suggest is to use an AJAX call to make the validation before posting. And then depending on the response you choose the destination for posting (on the client side).
To summarize: You request a validation from the client. You do that validation on the server. You send back instructions to the client. You post according to the instructions received from the server.
I'm not sure if you understand this, but any details of requests made by the user (client) are known in full by him. You can't make him POST to a URL, have a password in that POST, and not have access to that password.
Note: If it's easier you can read JavaScript and PHP instead of client and server.
It is definitely possible. You could use the PHP cURL library to easily create a POST request. But this might be overkill for what you are trying to achieve. Is it a possibility to do the validation in JavaScript and change the form action attribute with JavaScript after submitting?
In what case would you need to post it to another PHP file?
Couldn't you simply use IF statements to redirect the script to another script depending on the results of the validation?
How do I prevent my users from accessing directly pages meant for ajax calls only?
Passing a key during ajax call seems like a solution, whereas access without the key will not be processed. But it is also easy to fabricate the key, no? Curse of View Source...
p/s: Using Apache as webserver.
EDIT: To answer why, I have jQuery UI tabs in my index.php, and inside those tabs are forms with scripts, which won't work if they're accessed directly. Why a user would want to do that, I don't know; I just figure I'd be more user friendly by preventing direct access to forms without validation scripts.
There is no way of guaranteeing that they're accessing it through AJAX. Both direct access and AJAX access come from the client, so it can easily be faked.
Why do you want to do this anyways?
If it's because the PHP code isn't very secure, make the PHP code more secure. (For example, if your AJAX passes the user id to the PHP file, write code in the PHP file to make sure that is the correct user id.)
As others have said, AJAX requests can be emulated by creating the proper headers.

If you want to have a basic check to see if the request is an AJAX request you can use:

// Header is absent on a direct request, so test for it before comparing
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest') {
    // Request identified as AJAX request
}

However you should never base your security on this check. It will eliminate direct accesses to the page if that is what you need.
It sounds like you might be going about things the wrong way. An AJAX call is just like a standard page request, only by convention the response is not intended for display to the user.
It is, however, still a client request, and so you must be happy for the client to be able to see the response. Obfuscating access using a "key" in this way only serves to complicate things.
I'd actually say the "curse" of view source is a small weapon in the fight against security through obscurity.
So what's your reason for wanting to do this?
If the browser will call your page, either by normal request or ajax, then someone can call it manually. There really isn't a well defined difference between normal and ajax requests as far as the server-client communication goes.
A common case is to pass a header to the server that says "this request was done by AJAX". If you're using Prototype, it automatically sets the HTTP header "X-Requested-With" to "XMLHttpRequest" and also some other headers including the Prototype version. (See more at http://www.prototypejs.org/api/ajax/options at "requestHeaders".)

Add: In case you're using another AJAX library you can probably add your own header. This is useful for knowing what type of request it was on the server side, and for avoiding simple cases when an AJAX page would be requested in the browser. It does not protect your request from everyone, because you can't.
COOKIES are not secure... try the $_SESSION. That's pretty much one of the few things that you can actually rely on cross-page that can't be spoofed. Because, of course, it essentially never leaves your control.
Thanks, albeit I use

// true only when the header is present and matches, case-insensitively
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');

if (IS_AJAX) {
    // Request identified as AJAX request
}

Cheers!
Not sure about this, but possibly check for a Referer header? I think if someone manually typed in your URL, it wouldn't have a Referer header, while AJAX calls do (at least in the quick test I just did on my system).

It's a bad way of checking though. Referer can be blank for a lot of reasons. Are you trying to stop people from using your web service as a public service or something?
After reading your edit comments, if the forms will be loaded via AJAX calls, then you could check window.location to see if the URL is your AJAX form's URL. If it is, go to the right page via document.location.

This definitely isn't useful for securing something, but I think this could be of use if you wanted to have, say, a PHP page that generated a whole page if the page was not requested by AJAX, but only generated the part that you needed returned when AJAX was used. This would allow you to make your site non-AJAX friendly, so if, say, they click on a link and it's supposed to load a box of comments but they don't have AJAX, it still sends them to the page that is then generated as a whole page displaying the comments.

Pass your direct requests through index.php and your AJAX requests through ajax.php and then don't let the user browse to any other source file directly; make sure that index.php and ajax.php have the appropriate logic to include the code they need.
In the JavaScript file that calls the script:

var xmlHttp = new XMLHttpRequest();
var url = "http://website.com/ajax.php?say=hello+world";
xmlHttp.open("GET", url, true);
// Custom header: must be set after open() and before send()
xmlHttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
xmlHttp.send(null);

then in the PHP file ajax.php:

// Header is absent on a direct request; redirect those to the main site
if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) || $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest") {
    header("Location: http://website.com");
    die();
}
Geeks can still call the ajax.php script by forging the header but the rest of my script requires sessions so execution ends when no valid session is detected. I needed this to work in order to redirect people with expired hybridauth sessions to the main site in order to login again because they ended up being redirected to the ajax script.