[e_i_pi]

I utilise jQuery as well as custom functions when designing my site. There is also a lot of AJAX usage throughout my site. Now, a user can simply find the names of my functions and execute them in the address bar by typing something like:

javascript:myFunction('hack');void(0);

Given that the Javascript functions I'm most concerned about are AJAX calls, is there any way to determine server-side whether the Javascript function call was made via the address bar (ie: possibly malicious) or legitimately by code? If not, are there any strategic workarounds?

[Dormilich]

no. HTTP does not care about the origin of the request.

[forest51690]

Yes, your Javascript can be manipulated by UserScripts and even replicated to mimic your AJAX calls. So that means you shouldn't trust in it for site security.

[init.d.httpd]

No you cant tell that...but make sure you are sanitizing any variables passed to your server side script via ajax also you can minify your completed javascript. This will at least keep the script kiddies away.

http://plugins.jquer..._and_Compressor

This post has been edited by init.d.httpd: 08 February 2011 - 12:27 PM

[e_i_pi]

Alright, thanks guys, as I suspected. I have been utilising <select> lists in various areas without sanitising those variables (as they are locked to selectable options) but given that even AJAX requests can be mimicked, then I'll whip up a validation function in PHP to cover it.

[Dormilich]

e_i_pi, on 09 February 2011 - 03:18 AM, said:

then I'll whip up a validation function in PHP to cover it.

filter_var()

[e_i_pi]

Dormilich, on 09 February 2011 - 12:14 AM, said:

e_i_pi, on 09 February 2011 - 03:18 AM, said:

then I'll whip up a validation function in PHP to cover it.

filter_var()

Hmm nice, I'll look into incorporating that. I've already written the custom validator function (which could be streamlined with that function), but some of the variables need to be validated using in_array(). Thanks for the follow-up