Could someone explain the security of AJAX requests to me? Suppose the following code works for me:

$.ajax({ type: 'POST', url: "ajax.php", dataType: 'text', data: data,
         success: function(result) { $('#Res').html(result); } });

Can an attacker send a POST request directly and thus change a setting in the system? In which cases can he do this? How do I prevent it? Some secret data I obviously cannot transfer, since it can be intercepted? I know about checking the header to see whether the request is ajax or not, but that is not a reliable method.

  • In this case it doesn't matter whether the request is ajax or a normal one. The security-processing logic lies on your shoulders, in the server-side code. Usually, in order to change or delete something, the user must be authorized. So your task is to determine whether he has the right to perform the requested action or not. And, again, it does not matter whether it is an ajax request or a regular one. - teran
  • Oh, it's an eternal question. I will perhaps not so much answer as point you toward searching for the word "steganography". With an open (unprotected) communication channel, this is almost the only way to defend ... - DNS
  • Steganography is a crutch. Normally you encrypt the data sent over the open channel. - vp_arth

2 answers

In order for someone to be able to change configs and similar "hidden" things, you need at least authorization, and you need to put the "users" into groups. And if the user is in the right group, then let him change it; if the user is not entitled, don't ... That is the kind of work it is.

    Ajax (Asynchronous JavaScript And XML) is an abbreviation for the technique of sending a request to a web server without reloading the page. At the root of this technique is the JavaScript object XMLHttpRequest, which sends an ordinary HTTP request to the server, no different from any other request made with any other tool (navigating via the browser's address bar, or the curl utility).

    Can an attacker send a POST request directly and thus change the setting in the system?

    When you design an API backend (the so-called server part, in your case ajax.php), you need to understand that anyone can access this API (in the case of a public network such as the Internet). In order to protect private information (settings, in your case), you need to organize user authorization.

    A common scenario could be the following:

    • User authentication on a server (yours or a trusted one) by sending some authorization data, such as a login and password.
    • Receiving a key from this server.
    • Sending this key along with the request to the server that performs the useful action (in your example, ajax.php).

    The server should check whether such a key belongs to a specific authorized user and allow or deny processing of the request depending on the result of the check.

    • And authorization you also organize. - teran
    • You've got a bit of a mess between authentication and authorization. Login / password / receiving the key is all authentication, but whether to give you this resource for this key is authorization. - vp_arth
    • @vp_arth thanks. (if you only knew how I am with class names) - Artyom Okonechnikov
    • I left out the word "must" there. - teran
    • In your common scenario, the first item is just authentication. That is, entering the login and password and checking them for a match is authentication, whereas checking whether you may write comments with your reputation, post answers, edit questions / answers, and so on is authorization, i.e. checking the user's permissions. - teran