I have a PHP webservice that I need to add exclusive access to. This I could do with md5sums or similar, but my problem is that I also have a website that calls the webservice from javascript. So any keys, md5sums, and what I can think of can be read in the javascript and does not provide much security. For example an url like http://my-webservice.com?supersecretkey=omg is easy to read in the javascript and replicate.
What would be the best approach? Sessions? Oauth? I have researched a bit, but I keep running into the problem that most examples are not so that they can be called from javascript.
For something like this, I would go with HMAC:
http://en.wikipedia.org/wiki/HMAC
Securing a javascript client with hmac
I think you should rethink your architecture here. Calling secure web services with javascript is not the way to go. Maybe create server resources that can authenticate the javascript call and perform the necessary data query and return it to the javascript function in Json.
Also bear in mind that not everyone has javascript enabled in their browser, so it might be good to change to a server based call altogether.
Related
I want to fetch the response from adobe analytics which I get in network panel of browser and display in it the page. This there any way to read the response through php. I don't have access to core files. i work as third party implementation team.
The short answer is you can't. php is server-side. Assuming you did the standard javascript Adobe Analytics implementation; well that's client-side. Your server can't see that stuff.
The longer answer is redeploying Adobe Analytics through a server-side implementation. Basically you setup the code but have it point to your server and then you forward it to adobe (proxying), and so now it is exposed to you server-side.
The alternative answer is depending on what it is you are actually trying to accomplish, you can make use of Adobe Analytics' s.registerPostTrackCallback function. Basically it lets you register a callback function to be called after every s.t or s.tl call, and it gives you the full/final request URL sent to the AA collection server. You can then make an AJAX request to pass it to your server and do whatever with it. Or since you mentioned displaying it on page, maybe consider using javascript to render it on the page? But if you're looking for actual response stuff (headers, content) well you're out of luck on this option.
The other other alternative answer is.. this almost sounds like you are looking to make some kind of browser plugin? If so, then on a plugin/extension level, the request/response stuff (including header stuff) is exposed on that level. But again, ultimately this is really a client-side solution..
But first step back and more clearly define what it is you are trying to do. Or if you've done that already, then try (more clearly) to convey that here.
I need to call a PHP Script and Run (a function) on the Server .. by calling from client side by using Javascript. I know only Ajax Call from Javascript.
Is there any other standardized way to communicate from Javascript to PHP?
Please correct me if i'm wroing. Is XMLRPC an another approach?
Nothing that is well supported or practical.
Ajax is just shorthand for "Making an HTTP request from JavaScript without leaving the page".
PHP is heavily geared towards being a server side web language (so it is optimised for being accessed over HTTP). Browsers are focused on accessing content over HTTP.
No, you use a XmlHttpRequest (that is, I assume you don't want the user to experience any sort of page refresh).
To work cross browser easily I'd recommend using a library like jQuery which handles everything for you, everything is nicely encapsulated and abstracted so you don't need to worry about any of the details. That way calling your script becomes extremely easy.
XMLHttpRequest is the best way, as far as I know, but there are other techniques too. There is the old school way some sites still use. Using hidden iframes and sending request through it.You create an iframe with javascript, append it with 0 width and height and the request the php file. The output must be script that somehow communicates with the parent window script.
I am looking for a way to let php act as a browser, does anyone know how to do that? I now how to get pages and how to send get/post forms, but How do i let php interact with AJAX and javascript on a web page?
Don't. PHP is not designed for this sort of thing. While conceivably possible, this'll take an extraordinary amount of work.
Use something designed for this sort of use case, like PhantomJS.
And please, don't be evil. Using this to get around valid anti-bot restrictions would be lame.
I am designing a website, and I really want it to be as secure as possible.
I have a private folder that cannot be accessed (.htaccess) which contains all my php classes (and similar structures), and a public folder that has my Javascript, CSS and a PHP file for the Javascript(via AJAX) to interface with, which in turn accesses the classes in the private folder.
Now here is my issue, and for the life of me I just cannot seem to get my head around this one:
If someone was to look at the js code they would see the commands / data being sent to the publicly available PHP Script (as described above), therefore getting an idea of what commands to use interface with that script and potentially gain access to stored data etc.
now I know that ajax wont work remotely etc but as long as you got the commands from the ajax script you could interface directly with it, so i thought i would do a referrer check on the interface script and that worked perfectly until I realized how easy it was to spoof your referrer header!
does anyone have any ideas on how to secure this. if this just sounds like complete garbage tell me and I'll try and break it down further.
AJAX and JS are client-based - everything they do, any user can do. If you expose an API method to AJAX, you expose it to the user - there's nothing you can do about that. That's your design choice. You could of course obfuscate your API calls, but that doesn't really do anything other than make it less user-friendly.
The bottom line: don't trust any user input, regardless of whether it came from your AJAX code or somewhere else.
Well, someone scripting your site directly would only be able to access the same stuff he already can in UI, right?
If you have an script function doAdminStuff(), you would check server side if the user is logged in AND is an admin, before taking any actions
Relax, dude.
This is SPARTA! WEB.
Every site in the world is "exposed" like this. That's the way the web works, Ajax or non-ajax based.
You can't help it, yet there is no harm in this. There is nothing to secure.
Here are my recommendations:
Use SSL if you are not already.
Use a (software) token for all requests that you want to protect.
To discourage others from reading your javascript files, you can obfuscate them. Dean Edward's packer is a famous one.
Write a script that sniffs logs and data for potentially bad activity. If you are not logging all the activity you need to (like if the apache logs are not enough) consider writing activity to your own log.
don't be paranoid, just filter input params, maybe you should switch on SSL so you ajax requests content will be hard to sniff, etc.
Are you using the ajax-thing only for security-reasons or for any other reason? Because you can build up an architecture like this (a PHP-file as "gateway" and all other PHP-files in access-restricted folder) without using ajax as well. If you want to check out, you could take a look at the default folder structure of Zend Framework. This structure has the advantage that there is no logic visible for your users at all.
Also important is that IE (at least IE 6 & 7 I think) does not send a referrer at all by default so this probably wouldn't work anyway.
I want to write a PHP script that performs a routine task in a web app I use. I am trying to figure out the easiest way to submit a form, click a link, and get some information. What's the easiest way to do this (keeping the session open, etc.).
Javascript would be a better solution than PHP. You can use it in tandem with PHP to submit a form that references the same page, ie. <form method='index.php' action='post'>
If method is GET then you ought to be able to work it out form the URLs of a few real world attempts.
It POST then you are probably SOL unless it's your own web page./app and you know what $_POST it expects ... unless you find a tool to snoop your HTTP traffic and get the POST info from observing a few real wrold examples.
You can use CURL in PHP to simulate submitting data, clicked links, etc., I suppose, but a client-side scripting language like Javascript--as opposed to a server-side language like PHP--is more suited to what you're describing. I'd need more info to give you a specific example.
You will not be able directly emulate those events in PHP as web apps use Javascript on the client side and PHP is a different language and operates on the server side.
Firstly, I would see if there is an open API available for the web app you're wondering about, e.g. Gmail: http://code.google.com/apis/gmail/ . Not all APIs can do what the web app can do, so you'll need to check the documentation to make sure the API does what you want and has an easy way to interface with PHP.
The other option is to essentially reverse engineer how the web app communicates with it's server. Most all web apps operate by sending POST or GET HTTP data in some sort of serialized format like XML, JSON or text. You can use something like the Firebug add-on for Firefox to view POST/GET data. If you know what the server sends to the client and what the client sends to the server, you can essentially write a script using something like CURL to emulate the client in PHP instead of JavaScript. This would take quite a bit of work and probably involves a lot of trail & error.