How to block external HTTP requests? (providing AJAX calls)

I want to use the post to update the database and I do not want people to do this manually, i.e. this should only be possible through AJAX on the client. Is there a known cryptographic trick in this scenario?

Let's say I issue a GET request to insert a new user into my database in site.com/adduser/<userid>. Someone might overpopulate my database by issuing fake queries.

+5
8 answers

In this case, it is impossible to avoid forged requests, since the client browser already has everything necessary to fulfill the request; it is only a matter of some debugging for the malicious user to figure out how to make arbitrary requests to your server and possibly even use your own code to simplify it. You do not need "cryptographic tricks", you only need obfuscation, and this will only make forging a little uncomfortable, but still not impossible.

+5

.

, , . ( ) ( , ).
site.com/adduser/<userid> call site.com/adduser/<userid>/<token>
, ( )
, /db
, .

+3

( ), , , - , .

. - . : , - - . , , ( - ). , , : , , - , , , . , . , , ( ). , , , .

+2

, ajax, , .

( , )...

  • ( );
  • , ( );
  • / .

, . - , .

+1

, CSRF, : AJAX, elsewhere ( , , session ), Chris Shiflett , OWASP CSRF PHP

+1

: . , , , , .

, , . / . , . , , , - , .

+1

-: , .

0

The solution adds a bold line to ajax requests. You should also look at basic authentication, this will not be the only defender. You can catch the proceeds with this code from the ajax page

Ajax call

function callit()
{
 var xmlhttp;
 // Older IE only has the ActiveX object; everything else has XMLHttpRequest
 if (window.XMLHttpRequest) { xmlhttp = new XMLHttpRequest(); }
 else { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
 xmlhttp.onreadystatechange = function () {
  if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
   document.getElementById('alp').innerHTML = xmlhttp.responseText;
  }
 };
 xmlhttp.open("get", "call.asp", true);
 // The header the server side checks for; it must be set after open()
 xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
 xmlhttp.send();
}

Requested PHP / ASP Request

ASP

' Classic ASP exposes request headers as HTTP_ plus the upper-cased name with dashes turned into underscores
If Request.ServerVariables("HTTP_X_REQUESTED_WITH") = "XMLHttpRequest" Then
 'Do stuff
Else
 'Kill it
End If

Php

// PHP exposes the header as $_SERVER['HTTP_X_REQUESTED_WITH']; it is absent for plain page loads
if ( isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) && ( $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest' ) )
{
 //Do stuff
} else {
 //Kill it
}
0