Hey guys, I’m doing an AJAX POST call – but with Firebug you can see all the details (allowing people to bypass the form).
Any tips on obfuscating this POST (or something along those lines)?
My ajax call:
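    $.ajax({
        type: "POST",
        url: "php/query.php",
        cache: false,
        // URL-encode the parameter so special characters cannot break the query string
        data: "action=getWordsByLetter&l=" + encodeURIComponent(letter),
        success: function(data) {
            // Response is a '|'-separated list with a trailing separator
            var dataArray = data.split('|');
            $('#words').html('');
            for (var i = 0; i < (dataArray.length - 1); i++) {
                $('#words').append('<li class="w">' + dataArray[i] + '</li>');
            }
        }
    });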
I would prefer to write the code myself as opposed to depending on a plugin 🙂
First: reCaptcha
If bypassing the form is a major problem you can always include reCaptcha which should be included with each post of that particular form.
I don’t know about the scenario you’re solving, but this will make it more or less impossible to make programmatic POSTs.
Second: Client side library
The other way is, as suggested, a client-side library. You can either use a client library and make it easy on yourself or write your own code that will do something similar.
Third: Dynamic field naming
As I understand, your form has at least one field on it. And you should only process this form when it has been requested first. What you could do is make this field’s name completely dynamic:
Fourth: Change DOM structure
If there’s a risk that results will be consumed by bots you can always change the structure of your document in various ways (change container elements, change their CSS class names, IDs etc). Make a list of changes (several of them) and use permutations with that. You can more or less always achieve a result that seems visually the same to a human, but a machine will have a hard time reading it.
Standard stuff
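
The dynamic field naming idea from the third point above, sketched server-side as an added example (not code from the original answer or the asker's project). The function names, the in-memory `issued` map standing in for session storage, the five-minute lifetime and the single-letter value check are all assumptions.

```javascript
// Added example: per-session, single-use dynamic field names.
// All names here are hypothetical; `issued` stands in for real session storage.
const { randomBytes } = require('crypto');

const TTL_MS = 5 * 60 * 1000;   // assumed lifetime of an issued field name
const issued = new Map();       // sessionId -> { name, expires }

// Call when the page or form is rendered: returns the field name to put in
// the markup and in the AJAX request instead of a fixed name such as "l".
function issueFieldName(sessionId, now = Date.now()) {
  const name = 'f_' + randomBytes(16).toString('hex');
  issued.set(sessionId, { name, expires: now + TTL_MS });
  return name;
}

// Call from the POST handler: accepts the body only if it carries the field
// name that was issued to this session, then validates the value itself.
function readField(sessionId, body, now = Date.now()) {
  const entry = issued.get(sessionId);
  issued.delete(sessionId);     // single use, so a replayed POST is rejected
  if (!entry || now > entry.expires) {
    return { ok: false, reason: 'no-valid-form' };
  }
  if (!Object.prototype.hasOwnProperty.call(body, entry.name)) {
    return { ok: false, reason: 'wrong-field' };
  }
  const value = String(body[entry.name]);
  // Obscure names never replace input validation (assumed: one ASCII letter).
  if (!/^[a-z]$/i.test(value)) {
    return { ok: false, reason: 'bad-value' };
  }
  return { ok: true, value };
}
```

A client that requests the form first can still read the issued name, so this ties each POST to a prior form request rather than proving a human sent it; the value check on the server is what actually constrains the input.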