Best way to secure AJAX requests in CI?
#1

[eluser]industrial[/eluser]
Hi guys,

I am currently building a jQuery-based CI app that features Ajax-based requests for most of the events going on.

What is the best way to secure the AJAX requests in CI to make sure that no one can post to my forms from a remote, offsite server?

How do you do it?
#2

[eluser]umefarooq[/eluser]
I just googled and found some jQuery encryption plugins; try these to secure your data. Google more and you will find more plugins you can use both ways, in CI and jQuery.

http://plugins.jquery.com/project/blowfish
#3

[eluser]Phil Sturgeon[/eluser]
Don't forget that nobody can make AJAX requests to your server unless you specifically allow them to. They can do plenty of other things, but that is ONE thing you don't need to worry about.
#4

[eluser]industrial[/eluser]
[quote author="umefarooq" date="1257969656"]I just googled and found some jQuery encryption plugins; try these to secure your data. Google more and you will find more plugins you can use both ways, in CI and jQuery.

http://plugins.jquery.com/project/blowfish[/quote]

Hi!
I am a bit unsure if encryption is the way to go.

As I see it, the problem with using encryption lies in verifying that the data actually is decrypted and not just rubbish. How could this be solved?

I mean, it wouldn't be that great to have the server busy doing queries on a non-existent "AAQe3gALiwaTyyOY0py0wA==" value...

What about setting up a session with an encrypted value, send the value together with the form data, decrypt the value and validate it, like a password?

[quote author="Phil Sturgeon" date="1257970346"]Don't forget that nobody can make AJAX requests to your server unless you specifically allow them to. They can do plenty of other things, but that is ONE thing you don't need to worry about.[/quote]

Hi Phil!

First, thanks a lot for your contribution with your cache library!

Is no one able to make AJAX requests due to settings in CodeIgniter, or is it a server-side limitation?

I found this snippet online that is supposed to only allow Ajax requests to a PHP file. You mean that this is already useless?

Code:
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    // reached when the request carries the X-Requested-With: XMLHttpRequest header
}

Thanks!
#5

[eluser]Nick Husher[/eluser]
@Phil: I'm not sure I know what you mean. Spoofing an Ajax request ranges from trivially easy to tricky-but-doable without some serious consideration on the part of the developer.

@industrial: What exactly do you mean by secure? You have a few different security concerns related to Ajax requests, and each of them has different solutions and philosophical approaches.

Are you looking to secure the data you pass between the server and the client? I.e. are you planning to send sensitive data across the wire, that could potentially get sniffed off the network? If that's the case, pushing all your asynchronous requests into https is a good first step. HTTPS handles all the encryption transparently, the only downside is that you have to potentially deal with insecure content warnings if you don't do it correctly. You also need to make sure you're rigorous about cross-site scripting attacks, since anything available to one piece of your javascript is available to everything and the last thing you want is some injected code to snitch a password or user ID.

Are you looking to verify that actions taken via Ajax on behalf of a user are actually intended by the user? I'm talking about cross-site request forgery attacks here: if you expose a particular URL that causes a destructive action via ajax (i.e. editing or deletion), and aren't careful about making sure any request to this URL is made with the user's conscious consent, you'll end up with someone losing data by a malicious image tag or nasty form.

Are you looking to secure who has access to your Ajax API? In other words, do you want to exclude anything that isn't your client-side webapp access to your API? There are a few ways to do this, but all of them are tricky and have workarounds for the dedicated spoofer.
#6

[eluser]InsiteFX[/eluser]
Hi,

( I did not write this! )

Any request that the AJAX calls in your pages can make can also be made by someone outside of the application. If done right, you will not be able to tell if they were made as part of an AJAX call from your webapp or by hand/other means.

There are two scenarios I can think of which you might be talking about when you say you want to make sure that only your AJAX calls can post data: either you don't want a malicious user to be able to post data that interferes with another user's data or you actually want to restrict the posts to being in the "flow" of a multi-request operation.

If you are concerned with the first case (someone posting malicious data to/as another user) the solution is the same whether you are using AJAX or not -- you just have to authenticate the user through whatever means is necessary -- usually via session cookie.

If you are concerned with the second case, then you are going to have to do something like issue a unique token at each step of the process, and store the expected token on the server side. Then when a request is made, check that there is a corresponding entry on the server side for the action that is being taken and that the expected tokens match and that that token has not been used yet. If there is not, you reject the request; if there is, then you mark that token as used and process the request.

If what you are concerned about is something other than one of these two scenarios then the answer will depend on more specifics than you have provided.

Use sessions to ensure that any Ajax posts are done in an authenticated context. Think of your Ajax code as just another client to your server, it becomes easier to tackle authentication issues that way.

Enjoy
InsiteFX
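
The single-use token scheme described in the post above, sketched in PHP as an added example (not code from any poster in this thread or from CodeIgniter). The function names and the `$store` array, which stands in for the user's server-side session data, are assumptions.

```php
<?php
// Added example: one token per action, stored server side, accepted once.
// $store is a stand-in for the authenticated user's session (e.g. $_SESSION).
// issue_token() and consume_token() are hypothetical names.

function issue_token(array &$store, string $action): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG
    $store['tokens'][$action] = $token;       // expected token for this step
    return $token;                            // sent to the page, echoed back by the Ajax call
}

function consume_token(array &$store, string $action, $submitted): bool
{
    $expected = $store['tokens'][$action] ?? null;

    // No entry for this action (never issued, or already used), a
    // non-string value, or a mismatch: reject without touching the store.
    if (!is_string($expected) || !is_string($submitted)
        || !hash_equals($expected, $submitted)) {   // constant-time compare
        return false;
    }

    unset($store['tokens'][$action]);         // mark as used: a replay finds no entry
    return true;
}

// Constructed walk-through of one step of a multi-request flow.
$session = [];
$token = issue_token($session, 'post/delete');

$results = [
    'forged value'      => consume_token($session, 'post/delete', 'not-the-token'),
    'wrong action'      => consume_token($session, 'post/edit', $token),
    'legitimate submit' => consume_token($session, 'post/delete', $token),
    'replay of same'    => consume_token($session, 'post/delete', $token),
];
var_dump($results);
```

Only the legitimate submit is accepted; the token is tied to the session that issued it, so a form or image tag on another site has no valid value to send.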
#7

[eluser]industrial[/eluser]
[quote author="Nick Husher" date="1258019710"]@Phil: I'm not sure I know what you mean. Spoofing an Ajax request ranges from trivially easy to tricky-but-doable without some serious consideration on the part of the developer.

@industrial: What exactly do you mean by secure? You have a few different security concerns related to Ajax requests, and each of them has different solutions and philosophical approaches.

Are you looking to secure the data you pass between the server and the client? I.e. are you planning to send sensitive data across the wire, that could potentially get sniffed off the network? If that's the case, pushing all your asynchronous requests into https is a good first step. HTTPS handles all the encryption transparently, the only downside is that you have to potentially deal with insecure content warnings if you don't do it correctly. You also need to make sure you're rigorous about cross-site scripting attacks, since anything available to one piece of your javascript is available to everything and the last thing you want is some injected code to snitch a password or user ID.

Are you looking to verify that actions taken via Ajax on behalf of a user are actually intended by the user? I'm talking about cross-site request forgery attacks here: if you expose a particular URL that causes a destructive action via ajax (i.e. editing or deletion), and aren't careful about making sure any request to this URL is made with the user's conscious consent, you'll end up with someone losing data by a malicious image tag or nasty form.

Are you looking to secure who has access to your Ajax API? In other words, do you want to exclude anything that isn't your client-side webapp access to your API? There are a few ways to do this, but all of them are tricky and have workarounds for the dedicated spoofer.[/quote]

Hi Nick,

ATM there is no need to secure the data between client and server with the help of SSL, since the data by itself is harmless.

From my point of view, the problem lies in preventing the cross-site requests that you mentioned and thereby making sure that requests only come from the website.

You seem to know a couple of ways to handle this. Would you like to share?
#8

[eluser]Jondolar[/eluser]
It seems like you are making this harder than it needs to be (or I am not understanding your problem completely). Create your ajax page exactly the same way you would create it if it was a page load from a web browser. What security would you put in? Would you filter the input? Yes. Would you validate the user? Yes. Would you use a CAPTCHA field? Yes/Maybe. etc, etc. There is nothing different about the server responding to an Ajax request than a standard page load. It's just the format of the data you are returning and how it is used on the receiving end that is different. The server can still use cookies to verify the session user, can still use apache basic authentication, can still filter the data, etc.



