How to protect my common handler calls?

Question

How to protect my common handler calls?

I am creating a myspace application and for some database records I use common handlers that I posted on another website. From my myspace application, I use ajax calls for these handlers to perform the actions I want. I want to know how can I make these ajax calls secure? I want to say that I want to be sure that the handlers are called only by the myspace application, and not by entering the url into the browser, etc. Any ideas?

+4

security ajax asp.net httphandler

ria Jul 9 '10 at 10:30

source share

3 answers

Pritam baldota · Answer 1 · 2012-02-29T04:13:07+0000

You can protect you from a common mail handler by doing the trick with UrlReferrer, for example,

if (context.Request.UrlReferrer == null) { context.Response.Write("Invalid Request"); return; }

In addition, you can check if UrlReferrer! = Null, then the domain name should match your incoming request URL, for example.

  if(Request.UrlReferrer.ToString().indexOf("http://www.tyamjoli.com")!=-1) { //Valid request }

rook · Answer 2 · 2010-07-09T17:29:01+0000

This is 100% impossible. Everyone will have access to your javascript and can change it as they want. They can use TamperData to view all the requests that the browser makes and drop / modify / play them.

Hugh jeffner · Answer 3 · 2010-07-10T00:28:50+0000

I don't know much about myspace applications, but is there a server component there? If so, you can first request a “token” from the application, which will be an encrypted action and some arbitrary timeout, say, 3 seconds. Then the token is passed to the common handler, which decrypts it, then checks the timeout. If it is valid, then the decrypted action is performed.

External factors, such as network latency and unsynchronized clocks, may not perform some actions. This should prevent simple replay attacks, but is still vulnerable to attack scenarios.

How to protect my common handler calls?

More articles: