This is a question has has been bother me for a while, so I am looking for opinions and solutions to clamp down on the possibility of the app being a security risk.
I use jQuery for lots of things, but mainly I use it for processing jQuery dialog windows. A lot of times there is the need to grab a value from a field on the form, concatenate that information with a .serialize() command and pass it off to jQuery ajax call to head over to PHP files for database interaction.
Here comes my question (finally),
Isn’t it riduclasly easy to ‘guess’ what the url could look like for the PHP processing?
You can open the source in a modern browser and click a link to look at the full JavaScript file containing the ajax call.
I could possibly Minify the JavaScript file for obfuscation, but that’s not a form of security to be relied apon.
I am using PDP for databases access with prepared statements for SQL injection attacks, but if someone took to the time to look, couldn’t they just form a valid url send it off to the database and insert what they want?
I am not talking about hacking the database to steel information, I am more talking about inserting malicious information as though the data was added from the application itself. Think adding something to your shopping cart that is $50 for only $25.
If it just as simple as turning the ajax request from GET to POST and changing my PHP files?
Edit: The person is logged in and properly authenticated.
Just wondering what other people out there do.
Thanks!
You are quite correct, anyone who is slightly tech savvy can identify the public server endpoints for any webapp. They don’t even need to look at the code. They can just use their webkit/firebug to track the request, or a program like Charles which monitors network activity.
That’s why you need authentication and authorization handling in your server side code.
Authentication is typically handled by a username and password; it is the act of verifying a user is who he is.
Authorization can be handled by Roles on the server, and is the check to make sure the user can do what they are trying to do.
Which those two mechanisms in place, even if a user knows a url, they still need to “log-in” and have permission to do what they want to do.
Think about it. If you look at your bank account information online, you can easily identify the requests that load your account info. Without these mechanisms, what is to prevent you from simply changed the account-id you pass to the server to try and get someone else’s account info? With authentication/authorization, the server knows that even if it gets a request to load some data, it can check the user’s details to see if they have permission to get that data, and deny the request.