Solved

How to avoid information thieves for web services by using AJAX?

Posted on 2009-05-20
223 Views
Last Modified: 2012-05-07
I have some AJAX calls made to acquire some information, for example,

MakeAJAXRequest('getStockPrice.php?symbol=YHOO');

In this case, it's very easy for someone to find out the access of  "http://xxx.com/getStockPrice.php?symbol=yyyy" to obtain certain information, which will increase my server's bandwidth used.

Even using HTTP POST, it's still very easy to find out how to access it. On the other hand, to encrypt the parameter sent or the content, it needs some Javascript code to encrypt/decrypt it, which can be learned easily to crack it if someone is determined.

Any way to protect "getStockPrice.php" from others except my own webpages?

Thanks.

Question by:appstar
6 Comments

Expert Comment

by:pellep
Here's one way:
1: Create a random sequence of characters when the user first enters your website (when the session is created) and store the sequence in the session
2: Append that sequence of characters to the Ajax URL (in the generated HTML)
3: Compare the sequence to the one stored in the users session when processing the Ajax request
4: If the sequences don't match, send back some error-code (like FORBIDDEN)

Author Comment

by:appstar
Hi pellep,

When you say "Create a random sequence", you mean it is created in the backend? But then how is it sent to the frontend which appends it to the AJAX URL? I mean, can this sequence be peeked as well?

Besides, I never know when the user is logged out if he does not click on logout to abandon the sequence number. And how about the case that requires no user login?

Thanks.

Expert Comment

by:pellep
You likely have some php that generates the page with the Ajax-call on. My thinking is that you add some code to that php-page to generate a random sequence of characters. You then

1: Store that sequence in the session
2: Add the sequence as a parameter on the Ajax URL (http://xxx.com/getStockPrice.php?symbol=yyyy&seq=<your generated sequence>)

When the page makes the ajax-call, you compare the seq parameter (in getStockPrice.php) with what you previously stored in the session; if they match, you know that the Ajax-call came from "your" page and not somewhere outside.

Author Comment

by:appstar
I don't think I get your solution. First, I don't make Ajax call on a php page but from a javascript in the frontend. Secondly, what if there is no user session used?

Accepted Solution

by:
pellep earned 125 total points
Hey there, it's certainly been a while :)

Anyway, to return to your problem: the idea is to create some form of "gateway", if you will, to prevent clients from accessing your stock-price URL without first accessing your site.

One way of doing this, like I proposed earlier, is to have the php-page from which the AJAX call is made create some random character-sequence and store it in the session. I can't remember exactly how to create a session in php, but I seem to recall it's something like start_session().

When the php-page then constructs the URL to be used by the AJAX-call on the client (the URL, not the call itself!), append the random sequence as a parameter to the URL. On the page/servlet that handles the stock-price URL, compare the character-sequence sent in as a parameter with the sequence stored in the session (when making an AJAX call from the page, that request will share the same session as the original page making the AJAX call). If the sequences match, then you know that whoever is calling the stock-price URL is doing it from the page containing the AJAX call.
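
The session-token "gateway" that pellep outlines in his first comment and spells out in the accepted solution, as an added example that is not code from this thread or from appstar's site. It shows both halves in PHP: the page that embeds the AJAX call mints a random sequence, stores it in the PHP session and puts it in the URL, and getStockPrice.php refuses any request whose sequence does not match the session. The function names, the `seq` parameter name, the per-session call cap and `lookup_price()` are assumptions; the PHP session is the ordinary session cookie that `session_start()` issues, so no user login is required.

```php
<?php
// Added example (not from the thread): session-token gateway for an AJAX endpoint.
// Names of functions, the 'seq' parameter, MAX_CALLS_PER_SESSION and
// lookup_price() are assumptions made for this example.
declare(strict_types=1);

const MAX_CALLS_PER_SESSION = 200; // assumed per-session quota to bound bandwidth

// --- page.php: renders the HTML/JS that will make the AJAX call ---
function render_stock_page(string $symbol): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // issues the session cookie; no login involved
    }
    // One unpredictable token per session, created when the session is new.
    if (empty($_SESSION['ajax_seq'])) {
        $_SESSION['ajax_seq']   = bin2hex(random_bytes(16));
        $_SESSION['ajax_calls'] = 0;
    }
    $url = 'getStockPrice.php?' . http_build_query([
        'symbol' => $symbol,
        'seq'    => $_SESSION['ajax_seq'],
    ]);
    // json_encode() yields a safely quoted JavaScript string literal.
    return '<script>MakeAJAXRequest(' . json_encode($url) . ');</script>';
}

// --- getStockPrice.php: the endpoint, written as a function for testability ---
// $query stands in for $_GET and $session for $_SESSION (by reference so the
// call counter persists). Returns [HTTP status, response body].
function handle_stock_request(array $query, array &$session): array
{
    $expected = (string)($session['ajax_seq'] ?? '');
    $supplied = (string)($query['seq'] ?? '');
    // hash_equals() compares in constant time; an empty expected token
    // (no session) is rejected outright.
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return [403, 'Forbidden'];
    }
    // The token proves this session loaded our page; it does not stop that
    // session from looping over symbols, so cap calls per session as well.
    $session['ajax_calls'] = ($session['ajax_calls'] ?? 0) + 1;
    if ($session['ajax_calls'] > MAX_CALLS_PER_SESSION) {
        return [429, 'Too Many Requests'];
    }
    $symbol = strtoupper((string)($query['symbol'] ?? ''));
    if (!preg_match('/^[A-Z.]{1,8}$/', $symbol)) {
        return [400, 'Bad symbol'];
    }
    return [200, json_encode(['symbol' => $symbol, 'price' => lookup_price($symbol)])];
}

// Stand-in for the real price source (assumption; constructed values).
function lookup_price(string $symbol): float
{
    $constructed = ['YHOO' => 15.25, 'GOOG' => 395.40];
    return $constructed[$symbol] ?? 0.0;
}

// Glue for a real getStockPrice.php (uncomment when deploying):
// session_start();
// [$status, $body] = handle_stock_request($_GET, $_SESSION);
// http_response_code($status);
// echo $body;

// Offline demo with a constructed session array instead of $_SESSION.
$session = ['ajax_seq' => bin2hex(random_bytes(16))];
[$s1]      = handle_stock_request(['symbol' => 'YHOO'], $session);                                  // 403: no seq
[$s2]      = handle_stock_request(['symbol' => 'YHOO', 'seq' => 'guess'], $session);                // 403: wrong seq
[$s3, $b3] = handle_stock_request(['symbol' => 'YHOO', 'seq' => $session['ajax_seq']], $session);   // 200
echo "$s1 $s2 $s3 $b3\n";
```

On appstar's "can this sequence be peeked" question: yes, anyone who loads the page sees the token in the HTML, but it is only accepted together with the cookie of the session that minted it, so an outsider has to fetch a page first and keep that cookie, and the per-session cap then bounds how much each such session can pull. Logout is not needed for cleanup: when the PHP session expires, its token expires with it.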

Author Closing Comment

by:appstar
Not exactly what I am looking for