Geek Answers Handbook

Can someone crack my ajax request in jquery?

Many times I do some weird things using jquery ajax . I mean, I save a hidden variable that contains id , and then when someone clicks button , I run a javascript function that passes the ajax request along with the id that is contained in the hidden field . This is normal? What if someone uses firebug or any such tool and modifies the javascript function and passes some other ids ? Will it update and delete other records that may not belong to this user? How do you deal with this?

+7
jquery
source share
4 answers

You need to protect this server side, you cannot protect it on the client side, and you should not.

JavaScript is viewable, executable, dynamic, open ... that's all you would like to do ... well, whatever you want with it, which is very bad for security. You need to check the passed identifier with which the user must have access on the server when processing the request.

Everything, and I mean that everything you do on the client is a deterrent, not a solution, and in fact there are no effective JavaScript restraints that I have ever seen. Even if you can protect it, I can simply open Firebug, Fiddler, Wireshark, the Chrome console, or one of a dozen other tools to see what the request ultimately sends.

+14
source share

Never trust user entries: check the identifier on the server.

+6
source share

You should always check the input on the server side when sending data. For example, if a user edited his profile on the site, you would not put the profile identifier in a hidden variable, you would get a profile identifier based on the cookie / user session when the data was sent. The key phrase absolutely does not trust the client.

+2
source share

You must perform a server-side check to ensure that the current user has the right to perform the action based on the current user and context. As you already noted, anyone who has valid credentials can change the return values ​​- they don’t even need to change the code, they can just process the request containing any values ​​they want if they have the correct cookie information.

+1
source share

More articles:


All Articles