Can an Ajax call be manipulated to instruct the server to delete data it was not intended to?
I'm using a jQuery dialog to ask the user if he really wants to delete the record (user is logged in).
If yes, I fetch the record's ID and run jQuery.ajax.
My questions are:
- Can a user execute jQuery without interacting with the screen?
- Can a user, through some "hack ware", pass on any record_id, thus deleting a record that he's not supposed to delete?
Here's my code:
function initDeleteRecord() {
    var options = {
        title: "Delete record",
        modal: true,
        buttons: {
            "Ok": function() {
                var record_id = jQuery('#recordID').val(); // <-- Can this be manipulated?
                deleteStore(record_id);
            },
            "Cancel": function() {
                jQuery(this).dialog("close");
            }
        }
    };
    jQuery('#dialog').dialog(options);
    jQuery('#dialog').dialog("open");
}

// siteURL is assumed to be defined elsewhere on the page.
function deleteStore(store_id) {
    jQuery.ajax({
        url: siteURL + "/jquery.php",
        type: 'POST', // a delete should never be a GET
        data: {instance: 'deleteRecord', record_id: store_id},
        success: function(data) {
            jQuery('#dialog').dialog("close");
            window.location.href = siteURL; // window.location is not a function
        },
        dataType: 'json'
    });
}
Yes and Yes. A user can execute any jQuery code, for example using Opera Dragonfly or Firebug for Firefox.
And a user can always use his own implementation of a "browser". Never ever trust the data coming to you. Always perform checks server side (again). Client side checks are only good to increase comfort if the user accidentally entered incorrect data.
1) Sure, it's trivial to extract the URL from a chunk of JavaScript and invoke the web service directly. It's impossible to guarantee 100% of the time that script x.php was invoked by a piece of JavaScript executing in a particular page. As far as the PHP script is concerned, a POST done by an AJAX call is the same as a POST done from a form on a completely different page or server.
2) Easily. Consider someone putting a simple .html page on their own local computer with a form in it:
<form method="post" action="http://yourserver.com/jquery.php">
    <input type="hidden" name="instance" value="deleteRecord" />
    <input type="text" name="record_id" />
    <input type="submit" />
</form>
this will have exactly the same effect as your jquery ajax call.
Ad 1: Yes, he can execute JavaScript as he sees fit.
Ad 2: Yes, he sure can (e.g. with Tamper). Never validate anything on the client side only, always on the server side. If a user may only delete certain IDs, you have to make sure on the server side that the authenticated user (via sessioning or whatever) has the rights to do so prior to executing your SQL.
1) Yes. A user can execute any snippet of JavaScript, including your jQuery functions, within his own browser without interacting with the page elements themselves.
2) Yes. The value of the #recordID element can be manipulated to be whatever value the user desires. Alternatively, the user could simply call deleteStore() directly with any record ID.
There are some pretty serious security concerns here. jQuery (and JavaScript in general) is not going to be able to control your users' permissions in this way. You would need to keep track of the logged-in user and his permissions on the server (through sessions or something similar) and only delete rows that the user has permission to delete.
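As an added example (not code from the question or from any of the answers), here is a small Node.js model of the server side of jquery.php that makes the answers' point concrete: the handler sees only a urlencoded body, and the record_id in it is whatever the caller chose, whether it came from the jQuery dialog or from the hand-written form shown above. The function names, the in-memory records store and the shape of the session object are assumptions made for illustration; a real jquery.php would do the same ownership check against the database.

```javascript
// Added example, not code from the original question or any answer.
// A minimal model of what jquery.php sees on the server. The function
// names, the in-memory `records` store and the session object are
// assumptions made for illustration.

// Constructed sample data: a fresh table so each call starts clean.
function sampleRecords() {
  return new Map([
    [1, { owner: 'alice' }],
    [2, { owner: 'alice' }],
    [3, { owner: 'bob' }],
  ]);
}

// Both jQuery.ajax and a hand-written <form> on the attacker's own disk
// deliver exactly the same thing: a urlencoded body string. Nothing in it
// says where it came from, so this parser is all the server knows.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// The naive handler: it trusts record_id because the dialog "only shows
// the user's own record". This is the bug the answers describe.
function deleteRecordNaive(records, session, body) {
  const params = parseFormBody(body);
  const id = Number(params.record_id);
  if (!records.has(id)) return { status: 404 };
  records.delete(id);
  return { status: 200 };
}

// The checked handler: the server-side session, not the request body,
// decides who the caller is, and the ownership check is repeated here no
// matter what the client-side dialog did or did not do.
function deleteRecordChecked(records, session, body) {
  if (!session || typeof session.user !== 'string') return { status: 401 };
  const params = parseFormBody(body);
  if (params.instance !== 'deleteRecord') return { status: 400 };
  const id = Number(params.record_id);
  if (!Number.isInteger(id) || id <= 0) return { status: 400 };
  const rec = records.get(id);
  // One answer for "no such record" and "not your record", so the
  // response does not reveal which IDs exist.
  // With a real database this is one statement plus an affected-row check:
  //   DELETE FROM records WHERE id = ? AND owner_id = ?
  if (!rec || rec.owner !== session.user) return { status: 404 };
  records.delete(id);
  return { status: 200 };
}

// The forged request from the hand-made form in the answer above, sent by
// the logged-in user "bob" against one of alice's records, run through a
// given handler. Returns the status and whether alice's record survived.
function forgedDeleteByBob(handler) {
  const records = sampleRecords();
  const bobSession = { user: 'bob' };
  const res = handler(records, bobSession, 'instance=deleteRecord&record_id=1');
  return { status: res.status, aliceRecordSurvived: records.has(1) };
}
```

Running `forgedDeleteByBob(deleteRecordNaive)` deletes alice's record with a 200, while `forgedDeleteByBob(deleteRecordChecked)` answers 404 and leaves it in place; bob can still delete his own record 3 through the checked handler. The client-side dialog plays no part in either outcome, which is the whole point the answers make.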