How to avoid information thieves for web services by using AJAX?

I have some AJAX calls made to acquire some information, for example,

MakeAJAXRequest('getStockPrice.php?symbol=YHOO');

In this case, it's very easy for someone to find out the access of "http://xxx.com/getStockPrice.php?symbol=yyyy" to obtain certain information, which will increase my server's bandwidth usage.

Even using HTTP POST, it's still very easy to find out how to access it. On the other hand, to encrypt the parameter sent or the content, it needs some Javascript code to encrypt/decrypt it, which can be learned easily to crack it if someone is determined.

Any way to protect "getStockPrice.php" from others except my own webpages?

Thanks.

appstarAsked:
pellepCommented:
Hey there, it's certainly been a while :)

Anyway, to return to your problem: the idea is to create some form of "gateway" if you will to prevent clients from accessing your stock-price URL without first accessing your site.

One way of doing this, like I proposed earlier, is to have the php-page from which the AJAX call is made create some random character-sequence and store it in the session. I can't remember exactly how to create a session in php, but I seem to recall it's something like start_session().

When the php-page then constructs the URL to be used by the AJAX-call on the client (the URL, not the call itself!), append the random sequence as a parameter to the URL. On the page/servlet that handles the stock-price URL, compare the character-sequence sent in as a parameter with the sequence stored in the session (when making an AJAX call from the page, that request will share the same session as the original page making the AJAX call). If the sequences match, then you know that whoever is calling the stock-price URL is doing it from the page containing the AJAX call.
0
 
pellepCommented:
Here's one way:
1: Create a random sequence of characters when the user first enters your website (when the session is created) and store the sequence in the session
2: Append that sequence of characters to the Ajax URL (in the generated HTML)
3: Compare the sequence to the one stored in the users session when processing the Ajax request
4: If the sequences don't match, send back some error-code (like FORBIDDEN)
0
 
appstarAuthor Commented:
Hi pellep,

When you say "Create a random sequence", you mean it is created in the backend? But then how is it sent to the frontend which appends it to the AJAX URL? I mean, can this sequence be peeked at as well?

Besides, I never know when the user is logged out if he does not click on logout to abandon the sequence number. And how about the case that requires no user login?

Thanks.
0
 
pellepCommented:
You likely have some php that generates the page with the Ajax-call on. My thinking is that you add some code to that php-page to generate a random sequence of characters. You then

1: Store that sequence in the session
2: Add the sequence as a parameter on the Ajax URL (http://xxx.com/getStockPrice.php?symbol=yyyy&seq=<your generated sequence>)

When the page makes the ajax-call, you compare the seq parameter (in getStockPrice.php) with what you previously stored in the session; if they match you know that the Ajax-call came from "your" page and not somewhere outside.
0
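The four steps pellep describes (generate a sequence, store it in the session, embed it in the AJAX URL, compare it in getStockPrice.php and return FORBIDDEN on mismatch), as an added example that is not code from the thread or from either participant. It folds the page and the endpoint into one file only so it can be run as-is; the names `seq`, `ajaxToken`, `issue_token`, `token_is_valid` and `lookup_price`, and the sample prices, are assumptions for this example.

```php
<?php
// Added example (not from the thread): a session-bound token that ties the
// stock-price endpoint to pages served by the same site. Run with
//   php -S localhost:8080 stock.php
// and open http://localhost:8080/stock.php in a browser. The page role and
// the getStockPrice.php role live in one file here only to keep the example
// self-contained; in a deployment they would be separate scripts.
// Names (seq, ajaxToken, lookup_price) and prices are constructed for the example.

declare(strict_types=1);

session_start(); // works for anonymous visitors too: no login is required

// Step 1: create the random sequence once per session and keep it server-side.
function issue_token(): string
{
    if (empty($_SESSION['ajaxToken'])) {
        $_SESSION['ajaxToken'] = bin2hex(random_bytes(16)); // 128-bit CSPRNG value
    }
    return $_SESSION['ajaxToken'];
}

// Steps 3 and 4: compare the seq parameter against the session copy.
// hash_equals() compares in constant time.
function token_is_valid(?string $seq): bool
{
    return isset($_SESSION['ajaxToken'])
        && is_string($seq)
        && hash_equals($_SESSION['ajaxToken'], $seq);
}

// Stand-in for the real price lookup (constructed data).
function lookup_price(string $symbol): ?float
{
    $prices = ['YHOO' => 32.15, 'MSFT' => 41.02];
    return $prices[strtoupper($symbol)] ?? null;
}

if (isset($_GET['symbol'])) {
    // --- the getStockPrice.php role ---
    header('Content-Type: application/json');
    if (!token_is_valid($_GET['seq'] ?? null)) {
        http_response_code(403); // FORBIDDEN, as the answer suggests
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
    $symbol = strtoupper($_GET['symbol']);
    echo json_encode(['symbol' => $symbol, 'price' => lookup_price($symbol)]);
    exit;
}

// --- the page role: step 2, embed the sequence in the generated HTML ---
$token = htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<body>
<pre id="out">loading...</pre>
<script>
// The seq value is only accepted together with the session cookie the
// browser already holds, so the URL on its own does not reproduce the request.
const url = 'stock.php?symbol=YHOO&seq=<?= $token ?>';
fetch(url, { credentials: 'same-origin' })
  .then(r => r.json())
  .then(data => { document.getElementById('out').textContent = JSON.stringify(data); });
</script>
</body>
</html>
```

Two points this makes concrete for the follow-up questions in the thread. The session exists whether or not the visitor logs in, and it expires on its own after `session.gc_maxlifetime` seconds of inactivity, so no logout click is needed to retire the sequence. And the check is a gateway, not a secret: anyone who loads the page receives a valid sequence, so this stops direct hot-linking of the URL but not a client that first fetches the page; keep per-session rate limiting on the endpoint as the actual bandwidth control.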
 
appstarAuthor Commented:
I don't think I get your solution. First, I don't make Ajax call on a php page but from a javascript in the frontend. Secondly, what if there is no user session used?
0
 
appstarAuthor Commented:
Not exactly what I am looking for
0