There is a page where comments and private messages are loaded by AJAX. Knowing from somewhere about the possibility of changing the code dynamically in Opera, I decided to experiment. The data for loading is taken directly from the tag (for example, func="12.4.567") of a specific element. This attribute value (invented by me specifically for this purpose) is sent to the server for processing. 567 in the example is the id of the user whose messages you want to load. So I change this value in Opera, for example, to 45, and the messages of the user with id = 45 are loaded. What is this all about? At the same time, I am not worthy of being called a hacker, even in quotes. What should I do?
- But didn't it seem unsafe to you to return the results of an AJAX request without checking access rights to that data? Simply put: pass the authorization token with each AJAX request and check this token on the server accordingly. - ReinRaus
- And Opera has nothing to do with it. Such a lack of a security system can be exploited with a plain socket. - ReinRaus
- How do you check access rights to the data on the server if a number came in? There is authorization. And it is checked. And what's the point? An unauthorized user will not get to the page from the LAN. And an authorized one will get in, and not only to his own. So how do you make the script understand that the number has been replaced? What is a token? - Garik Pokrovskij
- So how do you make the script understand that the number has been replaced? // Compare the session. If the user's session number matches the number in the request, send the messages. If not, inform the resource administrator, and send the user a message that he is a sly "cool hacker". - knes
- @Garik Pokrovskij, if you have been given a comprehensive answer, mark it as correct (click on the check mark next to the selected answer). - Chad
2 answers
- Implement authorization for requests (for example, the token technique: with each response the server additionally returns a token (a unique piece of data) that it expects in the next request)
- Organize the data model so that the user has the right to view only certain data (for example, only his own messages; then even if the ID is replaced, the server will not return the data, because it knows that this user may only view his own messages)
- You can't catch the fact that the number has been replaced; this is not quantum teleportation :-) You can only make substitution harder, for example by encrypting the response at the JS level; there are many options.
- In any case, you need to build the server logic on the assumption that the request can arrive with any ID, and you need to find out who is requesting the data, whether he is allowed to, and whether it is really a legitimate request (token). The latter is more of a protection against DDoS attacks; the data itself still needs to be checked on the server.
An example of a token implementation (I won't claim it is good, but it will do for the idea; do not copy-paste it!!!):
Server code (PHP), for example via the session:
request.php:
    <?php
    session_start();
    // Token handed out with the previous response ("" before the first request)
    $last_token = $_SESSION["token"] ?? "";
    $token      = $_REQUEST["token"] ?? "";
    if ($token === $last_token) {
        DoSomeThing();
        // uniqid() is only unique, not unpredictable; bin2hex(random_bytes(16)) is the safer choice
        $new_token = uniqid("token");
        $_SESSION["token"] = $new_token;
        header("Content-Type: application/json");
        echo json_encode(array("data" => array(), "token" => $new_token));
    } else {
        // We are hacked! or bugged :-)
        http_response_code(403);
    }
    ?>
JS request code:
    var current_token = "";
    ...
    $.ajax({url: "request.php", data: {token: current_token}, dataType: "json"})
        .done(function (data) {
            current_token = data.token;  // remember the token for the next request
            ...
        });
- Please show me an example with a token. - Garik Pokrovskij
I wanted to once again chew out Opera for what they have done to it over the past six months, but it has nothing to do with it. Everything that is given to the client can be mangled without it: Chrome - F12, FF - Ctrl + Shift + S.
I do not understand why tokens are advised if there is only one session. In request.php you just need to check whether $_SESSION['current_user'] has permission to read the conversation with $_REQUEST['pm_user'].
In a nutshell, you had no protection. The browser in general cannot affect the security of the site. This must be checked on the server side, not on the client side: absolutely any client script can be cracked to get who knows what. And tokens will not help here either: in comrade @Chad's example, a new token is sent to the client (even if via AJAX), which means there is no protection, since I can still learn it.
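The check this answer describes, written out as an added example for the request.php endpoint from the question (this is not code from either answer). Assumed names: session keys `current_user` and `is_admin` set at login, and a `messages(id, sender_id, recipient_id, body)` table reachable through PDO.

```php
<?php
// Added example: server-side ownership check for the AJAX endpoint.
// Assumed: $_SESSION['current_user'] / ['is_admin'] are set at login,
// and a messages(id, sender_id, recipient_id, body) table exists.
session_start();
header('Content-Type: application/json');

// Who is asking comes ONLY from the server-side session, never from the request.
$viewer  = $_SESSION['current_user'] ?? null;
$isAdmin = !empty($_SESSION['is_admin']);
if ($viewer === null) {
    http_response_code(401);
    exit(json_encode(['error' => 'not logged in']));
}

// The client sends its func="12.4.567" attribute; the last field is the id of
// the user whose messages it wants. Check the shape, then treat the id as
// untrusted: it may have been edited in the browser or sent with netcat.
if (!preg_match('/^\d+\.\d+\.(\d+)$/', $_REQUEST['func'] ?? '', $m)) {
    http_response_code(400);
    exit(json_encode(['error' => 'bad request']));
}
$requested = (int) $m[1];

// The access rule lives in one place: a user may read only his own inbox,
// an admin may read any. Anything else is the substituted-id case.
function canViewMessagesOf(int $viewer, int $requested, bool $isAdmin): bool
{
    return $isAdmin || $viewer === $requested;
}

if (!canViewMessagesOf((int) $viewer, $requested, $isAdmin)) {
    // Refuse and record it, so the administrator can see the attempt.
    error_log("user $viewer requested messages of user $requested: denied");
    http_response_code(403);
    exit(json_encode(['error' => 'forbidden']));
}

// Only now touch the data, with a bound parameter rather than string concatenation.
$pdo  = new PDO('sqlite:' . __DIR__ . '/pm.sqlite');   // assumed DSN
$stmt = $pdo->prepare(
    'SELECT id, sender_id, body FROM messages WHERE recipient_id = :uid ORDER BY id'
);
$stmt->execute([':uid' => $requested]);
echo json_encode(['data' => $stmt->fetchAll(PDO::FETCH_ASSOC)]);
```

Whatever the client puts in the attribute, the decision is made from the session, so changing 567 to 45 in the browser yields a 403 and a log line instead of another user's messages.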
- A very sensible idea, that the client has full control over his browser. - VladD
- Well, the session is basically just a static token :-) - Chad
- @VladD, not only that; the client in general may not be a browser at all, but a bot that parses server responses. In this case, there is no point in talking about data security. @Bars, and personally I am pleased with what they did with Opera. Along with WebKit it got a decent rendering engine. Now, for example, I can edit code on sites like jsfiddle and ideone directly from a mobile phone. When Opera was on Presto, that did not work. - ReinRaus
- @ReinRaus: Yeah, or maybe just telnet or netcat. - VladD
- @Bars, you can't even imagine what a vulnerability there is in Opera Mobile on Presto. If I were a villain, I could have stolen the saved forms / cookies from absolutely any site the user had visited, just by having him go to a site where specific code was placed. I wrote about the bug in their bug tracker probably a year ago, and nothing has changed. - ReinRaus