Distinguishing a faked XMLHTTP request from a real one

When verifying XMLHTTP requests, don't depend on your Web application to determine the difference between real and fake. Web services security expert Rami Jaamour explains the importance of authorizing requests.

How can one make sure an Ajax-enabled Web application is able to tell the difference between a real and a faked XMLHTTP request?
If the Ajax application is stateful, the same session or authentication token that the rest of the application uses is what authorizes the request. Even in that case you should not trust these requests: apply proper data validation to the incoming messages, because a malicious user can use his or her own valid session or authorization credentials to send malicious values. If the application is stateless, so that no session or authorization token was ever obtained, there is no secure way to tell the difference.

In both cases all incoming parameters should be stripped of malicious content, such as characters that could be used in injection attacks. Lengths should be constrained and values should be checked against patterns of valid input. For example, a phone number parameter is validated on the server side to contain only digits and the other characters allowed in a phone number, and to fall within a certain length range.

You should not rely on distinguishing real from faked XMLHTTP (XHR) requests. Do not trust any request, regardless of its origin. From a security point of view the origin does not matter as long as the request contains no malicious content. When requests need to be authorized, require them to authenticate with a strong authentication mechanism; that is all you can do.
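The server-side validation the answer describes, written out as an added example that is not part of the original column. The rule table, the function names (validateParams, handleOrder) and the two sample request bodies are all constructed for illustration. The point it shows is that the handler never asks where a request came from: a body sent by a browser's XMLHttpRequest and a body sent by a script that borrowed a valid session both go through the same allow-list of parameter names, length limits and value patterns, and only the validated copy reaches application logic.

```javascript
// Added example (not from the original column). Server-side validation of the
// parameters carried in an XMLHttpRequest body, independent of request origin.
// PARAM_RULES, validateParams and handleOrder are hypothetical names.

// Allow-list of accepted parameters. Anything not listed here is rejected;
// each listed value must be a string within the length range and match the
// pattern of valid input (a positive pattern, not a blacklist of bad chars).
const PARAM_RULES = {
  // digits plus the punctuation a phone number may legitimately contain
  phone:    { pattern: /^\+?[0-9 ()\-]+$/, minLen: 7, maxLen: 20 },
  name:     { pattern: /^[A-Za-z' \-]+$/,  minLen: 1, maxLen: 64 },
  quantity: { pattern: /^[0-9]{1,4}$/,     minLen: 1, maxLen: 4 },
};

// Validate a parsed request body against the rules. Returns the list of
// violations and a fresh object holding only the parameters that passed.
function validateParams(params, rules = PARAM_RULES) {
  const errors = [];
  const clean = {};

  // Unknown keys are a violation: an attacker adding "admin=true" to a
  // hand-crafted request must not be silently accepted.
  for (const key of Object.keys(params)) {
    if (!Object.prototype.hasOwnProperty.call(rules, key)) {
      errors.push(`${key}: unexpected parameter`);
    }
  }

  for (const [key, rule] of Object.entries(rules)) {
    const raw = params[key];
    // JSON can carry arrays, objects or numbers where a string is expected;
    // the type check keeps those from reaching the regex and the app logic.
    if (typeof raw !== 'string') {
      errors.push(`${key}: missing or not a string`);
      continue;
    }
    if (raw.length < rule.minLen || raw.length > rule.maxLen) {
      errors.push(`${key}: length ${raw.length} outside ${rule.minLen}-${rule.maxLen}`);
      continue;
    }
    if (!rule.pattern.test(raw)) {
      errors.push(`${key}: does not match allowed pattern`);
      continue;
    }
    clean[key] = raw;
  }
  return { ok: errors.length === 0, errors, clean };
}

// Constructed sample input. BROWSER_REQUEST is what the page's own
// XMLHttpRequest would send; SCRIPTED_REQUEST is the same endpoint called by a
// script that copied a valid session cookie and stuffed the fields with
// injection payloads and an extra parameter. The server cannot tell the two
// apart by origin and does not try to.
const BROWSER_REQUEST  = { phone: '+1 (555) 123-4567', name: "O'Brien", quantity: '2' };
const SCRIPTED_REQUEST = {
  phone: "555'; DROP TABLE orders;--",
  name: '<script>alert(1)</script>',
  quantity: '2',
  admin: 'true',
};

// Request handler: validation first, and only the cleaned copy is used.
function handleOrder(body) {
  const result = validateParams(body);
  if (!result.ok) {
    return { status: 400, errors: result.errors };
  }
  // result.clean contains exactly the declared keys with validated values
  return { status: 200, order: result.clean };
}

console.log(handleOrder(BROWSER_REQUEST));
console.log(handleOrder(SCRIPTED_REQUEST));
```

Note that the handler also rejects the scripted request's phone value on length before the pattern is ever consulted, and reports the surplus admin parameter as a violation rather than ignoring it; both are cheap checks that do not depend on recognising the client.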
This was first published in May 2006
