[development] AJAX security issue
gerhard at killesreiter.de
Mon May 7 23:57:32 UTC 2007
Ashraf Amayreh wrote:
> Hello all,
> One of my friends has a sign-up page that contains an AJAX call to the
> server that checks the username availability without submitting the page.
> This is not much unlike many sign-up services nowadays. He was wondering
> how he could prevent someone from abusing this by writing his own page that
> could gather information from repeatedly calling the web server via AJAX.
> I've read many threads on AJAX security, but none that I have read handle
> such a trivial scenario. The above case is very simple, but I'd like to see
> what people have in mind to protect against abusing such a call to gain
> sensitive site data.
If the usernames on your system are sensitive data, then you can't have
an ajax callback on the signup page. It's as simple as that.
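As an added example, not code from this thread or from Drupal: if the site decides the callback must stay (i.e. usernames are not treated as sensitive), the practical way to cap how much a single client can learn from repeatedly calling it is a per-client sliding-window rate limit on the availability endpoint, and a response that carries nothing beyond the availability boolean. The user set, the client identifier, the limits and all function names below are constructed assumptions.

```python
"""Rate-limited username-availability check (added example, hypothetical names)."""
import time
from collections import defaultdict, deque

# Constructed sample of existing accounts; a real site would query its user table.
EXISTING_USERS = {"alice", "bob", "carol"}


class AvailabilityRateLimiter:
    """Sliding-window limiter keyed by a client id (remote IP, session id, ...).

    Allows at most `max_calls` calls per `window_seconds` per client.
    `clock` is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, max_calls: int, window_seconds: float, clock=time.monotonic):
        self.max_calls = max_calls
        self.window = window_seconds
        self.clock = clock
        self._calls = defaultdict(deque)  # client_id -> timestamps of recent calls

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        recent = self._calls[client_id]
        # Drop timestamps that have fallen out of the window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_calls:
            return False
        recent.append(now)
        return True


def check_username_ajax(username: str, client_id: str,
                        limiter: AvailabilityRateLimiter,
                        users=EXISTING_USERS) -> dict:
    """Handler for the AJAX availability call.

    Returns {'status': 'available' | 'taken' | 'throttled'} and nothing else,
    so the endpoint never reveals more than the single bit it exists to give.
    Once the per-client budget is spent the answer is 'throttled' regardless
    of the username, which is what the hardening is for.
    """
    if not limiter.allow(client_id):
        return {"status": "throttled"}
    normalized = username.strip().lower()
    return {"status": "taken" if normalized in users else "available"}


if __name__ == "__main__":
    limiter = AvailabilityRateLimiter(max_calls=3, window_seconds=60)
    for name in ("alice", "dave", "eve", "frank"):
        print(name, check_username_ajax(name, "198.51.100.7", limiter))
```

Server-side throttling on the endpoint is the relevant control here; anything done only in the page's JavaScript is bypassed by exactly the custom page the question describes. The thread's answer still stands: if the list of usernames is itself sensitive, rate limiting only slows disclosure, and the callback should not exist.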