Jump to content

Ajax Hacking Questions.


MrFish
 Share

Recommended Posts

How are people able to hack ajax scripts with GET instead of POST? I used POST for my login/registration scripts but should I also use it from getting admin cms information? All the ajax scripts will be able to be seen if you view source so how hackable is a GET connection? And how can they do it?Edit:Or is there a way to hide the ajax?

Edited by MrFish
Link to comment
Share on other sites

How, exactly? I send data to a PHP script using AJAX, and connect on many pages to my MySQL database. Do I need to do anything special to make the server safe?

Link to comment
Share on other sites

Not necessarily, other than the usual SQL injection protection and things like that. I'm talking about roles in the application, if you have things that only an admin can do you shouldn't rely on only the admin getting the Javascript that lets them do that, you should be checking on the server to make sure that the user who sent the request has admin rights for the application. It's no easier to hack a PHP script through ajax than it is to hack it any other way.

Link to comment
Share on other sites

Ah, ok. Since I only interact with the server via FileZilla, there's no problems with that sort of security. I won't be developing any sort of interface that runs from my site.

Link to comment
Share on other sites

Ah, ok. Since I only interact with the server via FileZilla, there's no problems with that sort of security. I won't be developing any sort of interface that runs from my site.
Wait what? ><Were you talking for me? I'm creating a website for a guy I know (not for pay or anything). I'm making him a CMS where it uses ajax to get all of the information. The admin CP can be accessed by any page as a div that becomes visible on top of the entire page. That means there is a lot of ajax on every page that deal exclusively with admin affairs. I was asking if I could just use-ajaxRequest.open("GET", "page", true);instead of POST and having to include all the SetRequestHeader's. Will this be unsafe?
Link to comment
Share on other sites

Ha, I'm not trying to usurp your topic, sorry - just thought my question fit in the context of this one. JSG knows a lot about my site, since he's helped me with dozens of other queries.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...