AJAX Call Security

AJAX Call Security 9 months, 1 week ago #4691

  • PtrNrs
  • OFFLINE
  • Administrator
  • Posts: 235
  • Karma: 10
I'm increasingly using AJAX calls (in Fabrik but that's not exactly relevant here) but I am aware that it's a potential security problem.

The PHP side has the code . . .
defined('_JEXEC') or die('Restricted access');
. . . but you can still do direct AJAX calls while the session's live.

Now rather than just gathering data, I want to fire action queries, so security becomes even more important.

What's the approved method to secure an AJAX call? I imagine you'd encrypt the request variables in JS and then decrypt in PHP. Am I on the track? Can you point to some sample code?
Pete Nurse,
Melbourne Joomla User Group www.joomla.org.au/melbourne-user-group
Last Edit: 8 months, 3 weeks ago by PtrNrs.

Re: AJAX Call Security 9 months, 1 week ago #4695

  • Partic
  • OFFLINE
  • Moderator
  • Posts: 342
  • Karma: 21
Pete,

That one's a little beyond just the auspices of MJUG... have moved the topic to Help and troubleshooting, but imagine this one's more suited to Joomla.org.

defined('_JEXEC') or die('Restricted access'); is designed to stop direct access from the file when it's not called through a Joomla routine. So if it's an AJAX call in Fabrik, then that's going to be called using _JEXEC, so makes valid access possible.

Perhaps insecureweb.com/javascript/secure-your-a...request-with-jquery/ can give you some assistance... it's all out of my programming knowledge depth at the moment.

Patrick
Patrick Jackson
www.kpsystems.com.au
Ask Anything Joomla and I'll helpfully tell you where to go

Re: AJAX Call Security 9 months, 1 week ago #4698

  • PtrNrs
  • OFFLINE
  • Administrator
  • Posts: 235
  • Karma: 10
Thanks, Patrick. I put it under MJUG to show my confidence in our local talent. Fair enough to move it - we'll see what happens.

I don't understand the link you posted maybe 'coz it relates to jQuery which I'm not using.

Pete
Pete Nurse,
Melbourne Joomla User Group www.joomla.org.au/melbourne-user-group

Re: AJAX Call Security 9 months ago #4765

  • rsearle
  • OFFLINE
  • Senior Boarder
  • Posts: 57
  • Karma: 2
Pete,

I'm not a specialist in AJAX, but I think I have a grasp of the principles, the mechanics and the risks. The common risks are in these areas:
  • SQL injection attacks
  • Exposure of clues and traces to application logic on the client
  • Cross-site scripting attacks
  • Cross-site request forging attacks: malicious image tags on sites and in e-mails
  • JavaScript hijacking: a variant of cross-site request forging that sets script tags to a URL that returns a JSON string in response to a GET request

Broad methods of protection are:
  • Most importantly, filter and validate all requests on the server
  • Avoid using the HTTP GET request method - rely on POST
  • Encode JSON strings on the server rather than the client
  • Limit the lifetime of cookies

There are a couple more security concerns if you are using web services: avoid exposing WSDL files, and separate WebMethods and WebServices classes

I tried to attach an excerpt that I thought you might find interesting, but the attachment wouldn't work, so I forwarded it to you separately.

Cheers,

Russell
Principal Consultant | Psicom
Last Edit: 9 months ago by rsearle.

Re: AJAX Call Security 8 months, 3 weeks ago #4825

  • nicholash
  • OFFLINE
  • Senior Boarder
  • Posts: 40
  • Karma: 3
If you did not use AJAX and went to a new page that made the request, how would you secure it?

If it is no different, then that is what you have to do for AJAX.

AJAX is just making a normal request to the server; the only difference is that it is being initiated by JavaScript, and the result, instead of replacing the whole page, is being stored into a buffer that the JavaScript is processing.
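Russell's checklist (validate on the server, avoid GET, encode JSON on the server, short-lived sessions) and nicholash's point that an AJAX call is just an ordinary request come down to the same server-side gate, and that gate is also what `defined('_JEXEC')` alone does not give you, since a live session can still call the file directly. The block below is an added example written for this thread, not code from the thread, from Joomla or from Fabrik. It models the gate in plain PHP (PHP 7+, in-memory SQLite through PDO) with hypothetical function names and a constructed request; in a Joomla 2.5 or later extension the token step would map onto JSession::getFormToken() and JSession::checkToken() and the login check onto JFactory::getUser(), which is an assumption about that version's API rather than something the thread states.

```php
<?php
// Added example, not from the thread, Joomla or Fabrik: a plain-PHP model of the
// server-side gate an AJAX action endpoint should pass before it fires an action query.
// The same checks apply to a normal form POST; AJAX only changes who initiates the request.
// All function names are hypothetical. Requires PHP 7+ (random_bytes, ??, return types).

// Issue a per-session anti-CSRF token: generated and stored server side, echoed into the
// page, and sent back by the JavaScript with every state-changing call.
function issue_form_token(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(16));
    }
    return $session['form_token'];
}

// The gate. Returns a decision array; a real endpoint would exit with the status code on failure.
function authorize_ajax_action(array $server, array $post, array $session): array
{
    // 1. Refuse GET for anything that changes state: <img> and <script> tags can only issue GETs,
    //    which is what makes the image-tag CSRF mentioned in the thread work.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['ok' => false, 'status' => 405, 'error' => 'POST required'];
    }
    // 2. Cheap first filter: a cross-site <form> or <img> cannot set this custom header.
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return ['ok' => false, 'status' => 403, 'error' => 'not an XHR'];
    }
    // 3. The session must belong to a logged-in user; _JEXEC only proves the framework
    //    bootstrapped the file, not that the caller may perform the action.
    if (empty($session['user_id'])) {
        return ['ok' => false, 'status' => 403, 'error' => 'login required'];
    }
    // 4. Anti-CSRF token, compared in constant time against the session copy.
    $sent = (string)($post['token'] ?? '');
    if ($sent === '' || empty($session['form_token']) || !hash_equals($session['form_token'], $sent)) {
        return ['ok' => false, 'status' => 403, 'error' => 'invalid token'];
    }
    // 5. Validate every parameter on the server; the JavaScript that built the request is
    //    under the visitor's control, so nothing it sends is trusted.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['ok' => false, 'status' => 400, 'error' => 'bad id'];
    }
    $task = (string)($post['task'] ?? '');
    if (!in_array($task, ['publish', 'unpublish'], true)) {
        return ['ok' => false, 'status' => 400, 'error' => 'bad task'];
    }
    return ['ok' => true, 'status' => 200, 'id' => $id, 'task' => $task];
}

// The action query: a prepared statement, so the validated id is bound, never interpolated.
function run_action(PDO $db, int $id, string $task): int
{
    $state = ($task === 'publish') ? 1 : 0;
    $stmt = $db->prepare('UPDATE items SET state = :state WHERE id = :id');
    $stmt->execute([':state' => $state, ':id' => $id]);
    return $stmt->rowCount();
}

// Demo with a constructed in-memory table and two constructed requests.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, state INTEGER)');
$db->exec('INSERT INTO items (id, state) VALUES (7, 0)');

$session = ['user_id' => 42];          // constructed: a logged-in session
$token   = issue_form_token($session);

// A legitimate XHR POST carrying the session's token.
$good = authorize_ajax_action(
    ['REQUEST_METHOD' => 'POST', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    ['token' => $token, 'id' => '7', 'task' => 'publish'],
    $session
);
// What a cross-site image tag in a mail or page can produce: a GET with no token. Rejected at step 1.
$forged = authorize_ajax_action(
    ['REQUEST_METHOD' => 'GET'],
    ['id' => '7', 'task' => 'publish'],
    $session
);

if ($good['ok']) {
    $good['rows'] = run_action($db, $good['id'], $good['task']);
}
// Encode the JSON on the server with json_encode; never hand-build it in JavaScript.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
}
echo json_encode(['good' => $good, 'forged' => $forged], JSON_PRETTY_PRINT), PHP_EOL;
```

Run it with `php gate.php`: the legitimate request comes back with `ok: true` and `rows: 1`, the image-tag style request with status 405 before any query runs. Cookie lifetime from Russell's list is not in the block because it is a session-configuration setting rather than endpoint code; the token step is where that setting pays off, since a token only lives as long as the session it belongs to.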