Ashraf Amayreh wrote:
Hello all,
One of my friends has a sign-up page that contains an AJAX call to the server that checks the username availability without submitting the page. This is not unlike many sign-up services nowadays. He was wondering how he could prevent someone from abusing this by writing his own page which could gather information by repeatedly calling the web server via AJAX calls.
I've read many threads on AJAX security, but none that I have read handle such a trivial scenario. The above case is very simple but I'd like to see what people have in mind to protect against abusing such a call to gain sensitive site data.
If the usernames on your system are sensitive data, then you can't have an AJAX callback on the signup page. It's as simple as that.

Cheers,
Gerhard
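For the case where the availability callback has to stay, here is an added example (Python, not code from this thread or from the site being discussed) of the same check behind a per-client token bucket, so that a page that keeps polling the endpoint is answered with 429 instead of another availability bit; the registered-username set and the client keys are constructed for the demo.

```python
import time
from collections import defaultdict

# Constructed sample of already-registered usernames (not from the thread).
REGISTERED = {"alice", "bob", "carol"}


class AvailabilityChecker:
    """Username-availability check with a per-client token bucket.

    The caller supplies a client key (e.g. session id or source address).
    Each key may make `burst` checks at once and then `rate` checks per
    second; beyond that the endpoint refuses rather than leaking whether
    the probed name exists.
    """

    def __init__(self, rate=1.0, burst=5, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        # client key -> [tokens remaining, timestamp of last check]
        self.buckets = defaultdict(lambda: [burst, None])

    def _take_token(self, client):
        tokens, last = self.buckets[client]
        now = self.clock()
        if last is not None:  # refill in proportion to elapsed time
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = [tokens, now]
            return False
        self.buckets[client] = [tokens - 1, now]
        return True

    def check(self, client, username):
        """Return (http_status, json_body) as the AJAX endpoint would."""
        if not self._take_token(client):
            return 429, {"error": "too many requests"}
        return 200, {"available": username.lower() not in REGISTERED}


def probe_many(checker, client, names):
    """Count how many of a burst of checks are answered vs. throttled."""
    statuses = [checker.check(client, n)[0] for n in names]
    return statuses.count(200), statuses.count(429)


if __name__ == "__main__":
    c = AvailabilityChecker(rate=1.0, burst=3)
    print(probe_many(c, "client-1", ["alice", "bob", "carol", "dave", "erin"]))
```

With `burst=3`, the call in the `__main__` block answers the first three probes and throttles the remaining two; a different client key gets its own bucket.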