TalkPHP - Secure AJAX Server Scripts

TalkPHP (http://www.talkphp.com/forums.php)

- General (http://www.talkphp.com/general/)

- - Secure AJAX Server Scripts (http://www.talkphp.com/general/1633-secure-ajax-server-scripts.html)

Secure AJAX Server Scripts

Hi,

I'm building an information portal using AJAX. However, I have a concern about the security of the server side scripts that perform the AJAX operations. They are secured using sprintf(), so I'm not concerned about SQL injection. However, I am afraid of someone creating a form and posting vars to 'ajaxServer.php' (fictional) and passing in arguments to do things they shouldn't. For example, here is a sample ajaxServer.php:

Code:

include("databasestuff.php");

if (!isset($_POST)) {

     //cant call the page directly

     echo "this script cannot be called directly";

     exit();

}

switch($_POST["a"]) {

        case "close":

             //delete a given module from users' page

             $sql = sprintf("DELETE FROM `User_Module_Setup` WHERE `mod_id` = '%u' AND `User_ID` = '%u' LIMIT 1",$_POST["i"],$_POST["u"]);

             return mysql_query($sql);

        break;

        ...

} //switch

That example would remove a particular module ($_POST["i"]) from user's ($_POST["u"]) page. Is there any way to secure the ajax script against a foreign post? I've already tried session IDs, but the ID is different in the app and when axajServer is called.

Thanks,
Trmbne2000

You need to think that the the ajaxServer.php page is just like any other PHP page. Just because you use JavaScript to get the response, rather than a normal browser request, does not make the security arrangements any different.

In your example above, you would certainly need to check that the person requesting the page is authorised to delete items - like you would for a 'normal' PHP page doing the same job.

I have permissions in my actual script already. Say that I am User #27, someone could send a post to the ajax page using userID of 27. Say User #27 has permission to do the requested action, the forged post could perform the action even though user #27 isn't actually logged in.

The specific issues arise when you begin to use JSON - which comes highly recommend nonetheless, because JSON is typically eval()'d, the return data from the script will be executed like normal Javascript, so I'm sure you can appreciate the problem already.

Gmail was recently exposed as being susceptible to that kind of JSON hack. Thankfully, prototype not only offers a good documentation for the handling of JSON files, but it also provides a truly awesome function for safely parsing the JSON data into an array.

I feel JSON is definitely the way to go. Although AJAX was naturally created to parse XML files, XML can be quite bloated for such a simple task. You just have to remember to also set the content-type of your JSON file to application/json. This can be done using PHP, or simply adding a new MIME type - maybe both:

php Code:

header('content-type: application/json');

I also wrote an article on using JSON with PHP which you may wish to take a read of over here.

I was browsing the web today, and I found an interesting article on securing AJAX apps. Based on that reading, I came up with this idea:
- Append my user session table with an authentication key field
- Each time the app sends a request, it includes the key, and the server checks the auth key against the one in the DB.
- If they match, it performs the action, generates a new random auth key, and returns it as part of a json object to the page.
- The page now has a new auth key to pass for the next call.

What do you think?

--Trmbne2000