Brute Force Attacks On AJAX

Posted on 2007-07-26
Last Modified: 2009-12-16
if someone knows how to spoof all the server variables e.g. http_referer, how do you stop them from writing a loop based on your ajax backend page?

if they look into the ajax frontend page, they will see something like


How do I stop them from using a brute force attack to loop through the above address with all possible querystrings?  For example, their loop might do something like this






And so on, eventually returning lots of info they can steal.

Can an attack like this be done on gmail if you first login?

If no, how are they stopping brute force attacks like this?
Question by:narmi2
    LVL 75

    Expert Comment

    by:Michel Plungjan
    How does this differ from any other url to dynamic content?

    LVL 1

    Author Comment

    no idea.

    do they also have the same problem?

    if yes, any idea how to stop such a loop from stealing your data?
    LVL 75

    Accepted Solution

    Yes, all servers have these problems.

    1. look at the referrer - should be your homepage - can be spoofed
    2. set a session variable in the page that uses the ajax and read it in the ajax process
    3. look at the speed they come in - do not allow them to come in fast (hard to code - there are programs out there to handle this)
    LVL 16

    Assisted Solution

    You could also add forms authentication to your site and thus require a user to be logged in before viewing any other pages. This would prevent the brute force attacks by redirecting them to a login page every time they tried to request "backend.aspx?something".
    LVL 1

    Author Comment

    I will be having authentication, but cannot have it on all sections.  The part where the authentication exists I am not worried about.  Unfortunately, we need to give them nice ajax functionality without them having to login...

    any idea how google-suggest does it?  can a brute force attack be used on their page?

    thanks for all the suggestions
