Distinguishing a faked XMLHTTP request from a real one
How can one make sure an Ajax-enabled Web application is able to tell the difference between a real and a faked XMLHTTP request?
If the Ajax application is stateful, then the same session or an authentication token is used to authorize the request. However, even in that case you should not trust these requests. Employ proper data validation on the incoming messages. A malicious user could still use his or her valid session or authorization credentials to send malicious values. If the application is stateless, no sessions or authorization
tokens were obtained, then there is no secure way to tell the difference.
In both cases all incoming parameters should be stripped from malicious content, such as characters that could be used in injection attacks
. Lengths should be constrained and values should be verified against valid patterns. For example, a phone number parameter is validated on the server side to include only phone number digits and allowable characters, and to fall within a certain length range.
You should not rely on distinguishing between real and unreal XMLHTTP (XHR) requests. Do not trust any requests regardless of their origin. The origin does not matter from a security point of view as long as the request does not contain malicious content. When requests need to be authorized, they authenticate themselves correctly with a strong authentication mechanism, that is all you can do.
This was first published in May 2006