Home
Topics
Software Security Testing and Quality Assurance
Software Security Test Best Practices
Distinguishing a faked XMLHTTP request from a real one

Distinguishing a faked XMLHTTP request from a real one

How can one make sure an Ajax-enabled Web application is able to tell the difference between a real and a faked XMLHTTP request?

Requires Free Membership to View

Login

By submitting you agree to receive email communications from
TechTarget and its partners. Privacy Policy Terms of Use.

If the Ajax application is stateful, then the same session or an authentication token is used to authorize the request. However, even in that case you should not trust these requests. Employ proper data validation on the incoming messages. A malicious user could still use his or her valid session or authorization credentials to send malicious values. If the application is stateless, no sessions or authorization tokens were obtained, then there is no secure way to tell the difference.

Ajax security resources:

Ajax application security critical, experts warn

Ajax's effect on Web services security

How to safely deploy Ajax

In both cases all incoming parameters should be stripped from malicious content, such as characters that could be used in injection attacks. Lengths should be constrained and values should be verified against valid patterns. For example, a phone number parameter is validated on the server side to include only phone number digits and allowable characters, and to fall within a certain length range.

You should not rely on distinguishing between real and unreal XMLHTTP (XHR) requests. Do not trust any requests regardless of their origin. The origin does not matter from a security point of view as long as the request does not contain malicious content. When requests need to be authorized, they authenticate themselves correctly with a strong authentication mechanism, that is all you can do.

More News and Tutorials

Articles

Related glossary terms

Terms for Whatis.com - the technology online dictionary

This was first published in May 2006

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

All fields are required. Comments will appear at the bottom of the article.

Back to top

More from Related TechTarget Sites

SOA
Java
Windows Development
Oracle
Cloud computing
Business Analytics

SOA
- Architects can meet mobile user needs by altering mindset
  
  Smartphones, tablets and desktop computers don't just differ in screen size; they are different form factors.
- Tools and practices to create a meaningful SOA ALM process
  
  To create a meaningful SOA ALM process, architects have to remember modern apps are increasingly using components.
- Inside the world of Web APIs, the cloud and mobile technology
  
  Rob Daigneau offers his expert insights on the convergence of the cloud, mobile technology and Web APIs.
Java
- JSR-286 development tutorial: Mastering request-response programming
  
  This portlet programming tutorial shows how the PortletRequest and Portlet Response are used when developing JSR-286, request-response based apps.
- JSR-286 development tutorial: An introduction to portlet programming
  
  This portlet programming tutorial is an introduction to developing JSR-286 applications that can be deployed to any standards-based portal server.
- Mastering Tomcat: Installation, configuration, logging and optimization
  
  To master the Apache Tomcat server, administrators and developers need to be familiar with installation, configuration, logging and performance optimization
Windows Development
- Native versus JavaScript/HTML5 development for Window 8 apps
  
  Learn the advantages and disadvantages in using HTML5/JavaScript for deployment.
- Technology Priorities for 2012
  
  Each year TechTarget surveys thousands of IT professionals around the world on their company’s forecasts for the coming year. As IT budgets continue through the strain of trying to align themselves with businesses trying to recover from the global recession, the direction of IT’s newest technologies may surprise you.
- Where can I find Visual Basic 6.0 DataEnvironment code samples?
  
  Get information on the best places to find Visual Basic DataEnvironment 6.0 code samples.
Oracle
- Domain-specific Oracle master data management
  
  Oracle master data management products are starting to merge various data management hubs, which is a help in particular vertical industries.
- Privileged user management a must for DBAs
  
  Trust, but verify. Ronald Reagan made it popular, and it's certainly relevant for DBAs in today's consolidated, virtualized IT world.
- John Webb: Why the new PeopleSoft applications are big news
  
  Lena Weiner-Bishop catches up with Oracle's vice president of PeopleSoft strategy, who explains the excitement around new PeopleSoft applications.
Cloud computing
- Google Compute Engine prices on par with AWS -- for now
  
  Conventional wisdom has Google and AWS locked in the Price War of the Titans with the launch of GCE, but a deeper look reveals a different truth.
- Limiting the effects of cloud computing outages
  
  After making the case for cloud based on high availability, IT pros are upset by cloud outages. With planning, there are ways to craft a strategy.
- Amazon Redshift an appealing alternative to on-premises data warehouse
  
  Amazon Redshift has intriguing pricing and features, but beware of its differences from a traditional, on-premises data warehouse.
Business Analytics
- Marketing and advertising remain sweet spots for big data technology
  
  Marketing and advertising are the sweet spots for big data, but those who serve up marketing insights and ad space will need to evolve to survive.
- Strategies for de-cluttering business intelligence dashboard designs
  
  Expert Brian Jordan shows business intelligence managers how to avoid developing dashboards that overwhelm business users with too much information.
- Making mobile BI applications a reality: Key steps to take
  
  In a podcast, BI expert William McKnight discusses best practices and action items for managing deployments of mobile business intelligence tools.

All Rights Reserved,Copyright 2006 - 2013, TechTarget