Think of a question: code there is no need to make an AJAX request to judge

Source: Internet
Author: User
Tags csrf attack
Think of a problem: code there is no need to do Ajax request judgment
Ajax has never been done before whether it is the judgment of the AJAX request.
A new colleague said he had to make a judgment before he noticed this.
I checked a lot of sites like Youku
None of them did the Ajax-acquired judgment.
Is it necessary to make this judgment?
Ajax ? PHP


------Solution--------------------
It's best to do it. The return data requirements for the general Ajax request are higher
------Solution--------------------
Reference :
reference: Best to do, general Ajax request the return data requirements are higher
I think I did the best.
It is no harm not to do so, previously thought that the result of the request is to be presented.

Why do sites like Youku not make this restriction?

Thank you, moderator, Big Brother's answer


What to look at, such as your website supports the ability to publish a message, and this is an AJAX request, and the Get method to pass the parameter. For example: Msg.php?content=test.

So if you do not make the Ajax judgment, at the same time your site is a very fire site (such as Weibo, etc.), then I can malicious attack, under my site to insert an IFRAME, and this iframe point is msg.php?content= I was attacked, So once you visit my site, in case you don't know, in fact your Weibo has updated a message "I was attacked", which is the most common and simplest csrf attack.

Some serious attack infiltration into the banking process, so look at your needs, Ajax I suggest or do judge it, at least also to refer judge it ~
Now some sites this vulnerability is still very serious, two weeks ago I also found a known domestic large web site of this vulnerability, as long as I posted a post in the forum said everyone to see (that address is my own test server URL), then this site will automatically increase the number of votes, Many people do not know how to help me to vote ...

Really suggest, make a judgment ~
------Solution--------------------
The key to the demand, the process is to receive a request, return a result
It is not necessary to judge at this level if a reasonable request is foreseeable (the unreasonable situation has been dealt with at other levels).
If it is not foreseeable whether it is reasonable, then even if not Ajax to make a variety of judgments
For example, form submission, although client-side JavaScript makes a judgment, but still cannot determine whether malicious commit

If the return is for a specific request, such as an API, then you must check the
As for attacks, isn't Ajax a precaution?

Remember a principle: easy to enter difficult to out

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.