Distinguishing a faked XMLHTTP request from a real one

Distinguishing a faked XMLHTTP request from a real one

How can one make sure an Ajax-enabled Web application is able to tell the difference between a real and a faked XMLHTTP request?

    Requires Free Membership to View

    Login

    When you register, you'll receive targeted emails designed to keep you informed of the most relevant information on Agile development, application security, testing & QA, software requirements, and more.

    Hannah Smalltree, Editorial Director

    By submitting your registration information to SearchSoftwareQuality.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSoftwareQuality.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

If the Ajax application is stateful, then the same session or an authentication token is used to authorize the request. However, even in that case you should not trust these requests. Employ proper data validation on the incoming messages. A malicious user could still use his or her valid session or authorization credentials to send malicious values. If the application is stateless, no sessions or authorization tokens were obtained, then there is no secure way to tell the difference.

Ajax security resources:
Ajax application security critical, experts warn

Ajax's effect on Web services security

How to safely deploy Ajax
In both cases all incoming parameters should be stripped from malicious content, such as characters that could be used in injection attacks. Lengths should be constrained and values should be verified against valid patterns. For example, a phone number parameter is validated on the server side to include only phone number digits and allowable characters, and to fall within a certain length range.

You should not rely on distinguishing between real and unreal XMLHTTP (XHR) requests. Do not trust any requests regardless of their origin. The origin does not matter from a security point of view as long as the request does not contain malicious content. When requests need to be authorized, they authenticate themselves correctly with a strong authentication mechanism, that is all you can do.

This was first published in May 2006

Back to top