All,
I have a PHP website written in Zend Framework and MVC. Most of the controller actions check if the request is an Ajax request or not, else they redirect the user to home page. I am thinking about various ways to break that site. I am considering the following scenario:
- A user creates his own PHP project on his Local machine.
-
User writes a JQuery ajax post request to one of the controllers on my site and tries to post malicious info.
Ex:$.ajax({ type: 'POST', url: "https://marketsite/getinfo/getstuff", cache: false, dataType: "html", success: function(html_response){ alert(html_response); }, error: function(xhr,ajaxOptions,errorThrown){ alert(errorThrown); } });
My Question is does “url” attribute in the ajax request above take absolute path? I know it takes relative path. Also, is it possible to break any site by sending such requests?
Thanks
The Same Origin Policy prevents JavaScript from making a request and reading the response unless it is to the same host, port and protocol.
That doesn’t stop an attacker from making any HTTP request they like (it is trivial to construct one manually that looks the same as one made via JS) and it doesn’t stop an attacker from tricking a user into making any request the attacker likes (it does stop the attacker getting the response to that request though).
There is no need for the attacker to involve PHP or any other server side language to do any of this.
That depends on how the site is written. You should apply the same security checks on URIs designed for access via JavaScript as those designed for access with a direct request from the browser.