[development] AJAX security issue

David Metzler metzlerd at metzlerd.com
Tue May 8 17:25:09 UTC 2007


On May 8, 2007, at 1:01 AM, Ashraf Amayreh wrote:

> David, how could using a captcha help here? By storing the result
> in a session variable and expecting it back with the AJAX call? How
> can we change the captcha on the next call without refreshing the
> page? I haven't really used captchas before, so apologies if these
> questions are invalid in this context.
Yes, exactly. But the captcha doesn't necessarily need to change with
every AJAX call, only with every main page load. It can be the
same. Although I suppose you could force the image to reload, it
would be disconcerting and annoying for the user. If I were really
concerned, I would combine this with some kind of session-based timer
or max-number-of-calls strategy.

>
> What is evident here is that any full client side solution is bound  
> to fail as it is easily manipulated by the client. Thanks.
>
> On 5/8/07, Khalid Baheyeldin <kb at 2bits.com> wrote:
> On 5/7/07, David Metzler <metzlerd at metzlerd.com> wrote:
> True enough, but that being said, there's not a fundamental
> difference between having an AJAX script call a PHP page that checks
> to see if a username has been taken, and having a web form perform
> the same validation.  So don't assume that AJAX is the problem here,
> just realize that it doesn't provide any additional security either.
>
> The difference is that in AJAX (as most commonly used), if you type "aa",
> then all the users with names beginning with Aa will show up for you, then
> you do "Ab", and get a list, then "Ac", ...etc.
>
> This does not happen in a normal, non-AJAXified form. All you can get
> is whether the full name you chose exists or not.
>
> Ashraf,
>
> If this data is sensitive, then just don't reveal it. Also, check that there
> is sufficient delay before retrieving results, so as not to get DoS attacks
> by asking for the data too quickly, overloading the database.
>

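As an added illustration of the approach discussed above (this is not code from the thread, nor Drupal code, and it is written in Python rather than the PHP page the thread refers to): a server-side "is this username taken" handler that enforces a per-session call limit within a time window, requires the CAPTCHA answer minted at the last main page load, and answers only exact matches. The leaky prefix autocomplete Khalid describes is included for contrast. The user table, the limit of five calls per minute, and the session layout are all constructed assumptions for the example.

```python
import hmac
import secrets
import time

# Constructed sample user table standing in for the site's user database.
EXISTING_USERS = {"aaron", "alice", "bob", "carol"}

# Assumed policy values, not from the thread: five checks per minute per session.
MAX_CALLS = 5
WINDOW_SECONDS = 60.0


def leaky_autocomplete(prefix):
    """The pattern the thread warns about: returns every user whose name
    starts with the prefix, so "a", "b", "c", ... walks the whole user table."""
    return sorted(u for u in EXISTING_USERS if u.startswith(prefix.lower()))


def new_session():
    """Run once per main page load: mint the CAPTCHA answer the page will show
    (as an image) and keep it server-side. The same answer is accepted for
    every AJAX call until the next page load, as suggested in the thread."""
    return {"captcha": secrets.token_hex(4), "calls": []}


def check_username(session, username, captcha_answer, now=None):
    """AJAX endpoint: is this exact username taken? Enforces, in order, the
    per-session rate limit, the session CAPTCHA, then an exact-match lookup."""
    now = time.time() if now is None else now

    # 1. Rate limit first, so a flood never reaches the CAPTCHA compare or the
    #    database. Sliding window: keep only timestamps inside the window.
    calls = [t for t in session["calls"] if t > now - WINDOW_SECONDS]
    if len(calls) >= MAX_CALLS:
        session["calls"] = calls
        return {"status": "rate_limited"}
    calls.append(now)
    session["calls"] = calls

    # 2. CAPTCHA: the client must echo the answer stored at page load.
    #    Constant-time compare; mismatched lengths simply compare unequal.
    expected = session["captcha"].encode()
    if not hmac.compare_digest(expected, captcha_answer.encode()):
        return {"status": "captcha_failed"}

    # 3. Exact match only: no prefix search, so "a" reveals nothing about
    #    "alice" or "aaron". The answer is the same one a plain form would give.
    taken = username.lower() in EXISTING_USERS
    return {"status": "taken" if taken else "available"}


if __name__ == "__main__":
    s = new_session()
    print(check_username(s, "alice", s["captcha"]))   # taken
    print(check_username(s, "a", s["captcha"]))       # available (no enumeration)
    print(leaky_autocomplete("a"))                    # what the leaky variant gives away
```

Because the limit is counted before the CAPTCHA is checked, wrong-answer attempts also consume the quota, so a client cannot probe CAPTCHA answers for free; once the window expires the session regains its allowance without a page reload.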