Hey Everybody..
I am working on my website where I am using lots of $.ajax in jQuery, but in the url section of it my link, the one the POST request is going to, is visible. Something like below:
$.ajax({ type: "POST", url: "update_cust_results.php", data: dataString,
    success: function (response) { /* handle the server reply */ } });
Any suggestions on how to hide this "update_cust_results.php" URL? In my update_cust_results.php page I have made it only go further if the user is logged in, but that's just a basic security measure. Any other good security mechanisms from the gurus? :)
Comments
Check login. No way to hide it unless you post to a page and load the .php with require_once()
Go.php?do=something
//Go.php: if it matches, load the file etc.
(on phone) doesn't really hide anything, just more confusing I guess
Even JavaScript encoding isn't useful. But more confusing again.
Add an Ajax check to your script http://davidwalsh.name/detect-ajax
Hiding a URL has never been a security measure (even a basic one). You can authenticate requests being sent to a URL though.
Anyone with the Firebug plugin can track the Ajax request URL.
@fresher_06 why exactly do you want to "hide" the URL?
security by really weak obscurity
You need to add security to your PHP file. AJAX passes session data, so do user permission checking, CSRF protection, blah blah. AJAX isn't going to magically protect you if you can hide the filename somehow.
No. Whatever you're doing, stop now!
Just fix update_cust_results.php
@vedran what security measures can I put in "update_cust_results.php", at least the few generic ones? I have the basic user authentication stuff, but that's all I have right now. Any more suggestions?
Use a form request token that's generated on every page load and stored in the user's session. Send the token in the post data. Make sure the posted token matches the session token.
Not possible to hide, especially when you have Firebug turned on
Like others have said, trying to hide things isn't going to work. It's trivial to use a proxy tool like Fiddler to watch all the traffic.
Do good authentication, and then your best protection is usually handing random string tokens back and forth. When your page loads, include a random string token that is sent to update_cust_results.php. On the server side make sure the proper token is sent. If not, reject it.
A great resource is at owasp.org. The technique I described above is covered under CSRF or cross-site request forgery. Go and read that site; it's a good start for writing secure code.
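The session-token scheme from the last two replies, written out as a complete update_cust_results.php. This is an added example, not code posted by anyone in the thread; it assumes the login page sets $_SESSION['user_id'], and it keeps one token per session rather than regenerating on every page load so that several open tabs keep working.

```php
<?php
// update_cust_results.php (added example): reject any request that is not
// a POST, not from a logged-in user, or not carrying this session's CSRF token.
session_start();

function csrf_token(): string {
    // One random token per session, created on first use. The page that
    // fires $.ajax calls this too (via require_once) and emits it to the client.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    // hash_equals() compares in constant time, so a wrong token does not
    // leak how many leading bytes matched.
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Only POST: a GET triggered by an <img> tag or a link must never update anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'POST required');
}
// 2. Login check (assumes the login page stored the user id in the session).
if (empty($_SESSION['user_id'])) {
    deny(401, 'not logged in');
}
// 3. Token check: the client must send back the token it was given, here as
//    the "csrf_token" POST field appended to dataString.
if (!csrf_valid($_POST['csrf_token'] ?? null)) {
    deny(403, 'bad or missing CSRF token');
}

// Request is authenticated and bound to this session. Do the real update here,
// scoped to $_SESSION['user_id'] rather than to a customer id the client supplies.
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

The page that issues the Ajax call includes the same helper and writes the token into the markup, e.g. `<meta name="csrf-token" content="<?= htmlspecialchars(csrf_token()) ?>">`, and the jQuery code adds `csrf_token=` with that value to dataString before calling $.ajax.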