[development] AJAX security issue
Gerhard Killesreiter
gerhard at killesreiter.de
Mon May 7 23:57:32 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ashraf Amayreh schrieb:
> Hello all,
>
> One of my friends has a sign-up page that contains an AJAX call to the
> server that checks the username availability without submitting the page.
> This is not much unlike many sign-up services nowadays. He was wondering
> how he could prevent someone from abusing this by writing his own page
> which could gather information from repeatedly calling the web server via
> AJAX calls?
>
> I've read many threads on AJAX security, but none that I have read handle
> such a trivial scenario. The above case is very simple but I'd like to see
> what people have in mind to protect against abusing such a call to gain
> sensitive site data.
>
If the usernames on your system are sensitive data, then you can't have
an ajax callback on the signup page. It's as simple as that.
Cheers,
Gerhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGP7zsfg6TFvELooQRAlIqAKCdCCWciRpfK0iCy+EIM59GJyGKNACgigN6
vsfhXjF7EZYl+mfsgk5sRUI=
=0Kor
-----END PGP SIGNATURE-----
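To make Gerhard's point concrete: the only thing a site owner can do with such an endpoint short of removing it is to slow it down, and even then every successful answer still tells the caller whether a name exists. The example below is added here and is not code from the thread or from any project; it simulates a hypothetical availability endpoint with a per-client fixed-window limit over a constructed user store, so the behaviour can be checked offline (the class, limits and sample names are all assumptions).

```python
import time
from collections import defaultdict

# Constructed sample user store for the demonstration (not real accounts).
EXISTING_USERNAMES = {"alice", "bob", "carol"}


class UsernameAvailabilityService:
    """Hypothetical AJAX username-availability handler with per-client throttling.

    Each client_id (e.g. a session or source address) may receive at most
    `limit_per_window` answers per `window_seconds`. `clock` is injectable so
    the window logic can be exercised deterministically.
    """

    def __init__(self, limit_per_window=5, window_seconds=60, clock=time.monotonic):
        self.limit = limit_per_window
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(list)  # client_id -> timestamps of answered checks

    def check(self, client_id, username):
        now = self.clock()
        # Keep only the timestamps that still fall inside the current window.
        recent = [t for t in self._hits[client_id] if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[client_id] = recent
            return {"status": 429}  # throttled: no answer about the name
        recent.append(now)
        self._hits[client_id] = recent
        # Any 200 response is still an existence oracle: this is the part
        # throttling cannot remove, which is the point made in the reply above.
        return {"status": 200, "available": username not in EXISTING_USERNAMES}


def answers_per_window(service, client_id, candidates):
    """Count how many candidate names one client gets an answer for in one window.

    This is the exposure budget a defender is actually buying with the limit:
    the rate of disclosure drops, the disclosure itself does not.
    """
    return sum(
        1 for name in candidates if service.check(client_id, name)["status"] == 200
    )
```

Lowering `limit_per_window` shrinks how much one client learns per minute; it does not change what a single 200 response reveals, which is why the reply above treats a sensitive username space and an availability callback as incompatible rather than as something to tune.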