Ask the Expert

Distinguishing a faked XMLHTTP request from a real one

How can one make sure an Ajax-enabled Web application is able to tell the difference between a real and a faked XMLHTTP request?

Requires Free Membership to View

If the Ajax application is stateful, then the same session or an authentication token is used to authorize the request. However, even in that case you should not trust these requests. Employ proper data validation on the incoming messages. A malicious user could still use his or her valid session or authorization credentials to send malicious values. If the application is stateless, no sessions or authorization tokens were obtained, then there is no secure way to tell the difference.

Ajax security resources:
Ajax application security critical, experts warn

Ajax's effect on Web services security

How to safely deploy Ajax
In both cases all incoming parameters should be stripped from malicious content, such as characters that could be used in injection attacks. Lengths should be constrained and values should be verified against valid patterns. For example, a phone number parameter is validated on the server side to include only phone number digits and allowable characters, and to fall within a certain length range.

You should not rely on distinguishing between real and unreal XMLHTTP (XHR) requests. Do not trust any requests regardless of their origin. The origin does not matter from a security point of view as long as the request does not contain malicious content. When requests need to be authorized, they authenticate themselves correctly with a strong authentication mechanism, that is all you can do.

This was first published in May 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: