Is there an application security vulnerability when using AJAX?

8

I'm a HTML/CSS/PHP programmer for a few years and incredible and impossible to look at, I'm just entering the Javascript world with jQuery and AJAX now. My question is whether the security level is affected when we pass parameters by AJAX since the javascript source code is exposed if we do not decide to encrypt it in some way.

When for example we have to pass parameters to PHP through AJAX , unless we change the variables inside the PHP , they are kind of found already in the passage of parameters in the AJAX besides that the urls, at least I for lack of knowledge, beginner, I have passed% absolute% of files.

How dangerous is this? To what extent would this affect system security? Remembering that this question is not based on wanting opinions but technical grounds that explain it.

    
asked by anonymous 30.08.2014 / 22:06

3 answers

15

The general rule is: never trust anything that comes from the client side.

All input that is made by javascript must be checked on the server side. Only when running PHP can you make the checks you need to avoid code injections.

Do what you can on the side of javascript, and what is useful to the user, but then store the house well and handle the data properly, especially if there is a database that will receive such data.

    
30.08.2014 / 22:11
3
  

My question is whether the security level is affected when we pass parameters through AJAX since the javascript source code is exposed [...]
  The variables inside PHP, they are kind of discovered already in the passage of paramentros

It's not a problem that deserves attention.
I'll just add a few points comparing a Request Ajax using GET and POST method.

1) A common form, independent of AJAX, always has the elements accessible, you can see the field names including change them.

$.ajax({
        url  : 'page.php',
        type : 'POST',
        data : { nome : 'Papa Charlie' }
        ...
    });


2) Using AJAX as GET, simulates a request with parameter exposed in the URL:
www.dominio.com/page.php?name=Papa Charlie

$.ajax({
        url: 'page.php',
        type: 'GET' ,
        data: 'nome = Papa Charlie',
        ...
});

That is, in the POST method you have a form where the fields can be read and edited, and in the GET method you have the simulation of a URL, and both the ID of the parameters is visible. Regardless of the use of AJAX in your application, parameters are always available

You do not need to change the names in PHP, just check to make sure that the received values of the expected type are

    
30.08.2014 / 23:38
1

Agreeing with the 'sergio' answer .... My answer is to introduce the 'session' in the answer.

It is not recommended nor to perform from a security point of view pass sensitive information from php to ajax and vice versa ... Reinforcing sensitive information.

Even with "https" communications introducing a higher level of security, nothing is certain.

For this purpose and in response to the question, all sensitive information can never or should be removed from the server or server cluster as the situation arises. Whenever possible use the session to save one or another field, or use the database between calls as it is in fact the only place where the information will persist.

The system should also include checks on who performs any Ajax call ... Denying anyone who makes a call outside the scope of the application and for this there are several solutions such as a Token per call.

Ps: The POST method always. when security is a concern.

    
02.09.2014 / 17:20