Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In with OpenID
Advertise on LowEndTalk.com

In this Discussion

Best Way to Hide URL in $.ajax - Secure your Webpage

Best Way to Hide URL in $.ajax - Secure your Webpage

fresher_06fresher_06 Member
edited August 2012 in General

Hey Everybody..

I are working on my website where I am using lots of $.ajax in jquery .. but the url section of it my link on which the POST request is going is visible.Something like below

$.ajax({ type: "POST", url: "update_cust_results.php", data: dataString,

Any suggestions .. how to hide this "update_cust_results.php" url .. In my update_cust_results.php page ,i have given that if that only go further if the user is logged in .. but thats just a basic security measure .. any other good security mechanism from the gurus :)

Comments

  • krokro Member

    Check login. No way to hide unless you post to page and load .php with require_once()

  • krokro Member

    Go.php?do=something

    //Go.php If match load file etc

    (on phone) doesnt really hide anything just more confusing I guess

  • krokro Member

    even javascript encode isnt usefull. But more confusing again

  • @fresher_06 said: how to hide this "update_cust_results.php" url .. In my update_cust_results.php page ,i have given that if that only go further if the user is logged in .. but thats just a basic security measure ..

    Hiding URL has never been a security measure (even a basic one). You can authenticate requests being sent to an URL though.

    Anyone with firebug plugin can track the ajax request URL.

    Thanked by 1Randy
  • gsrdgrdghdgsrdgrdghd Member without signature

    @fresher_06 why exactly do you want to "hide" the URL?

    Thanked by 1Randy
  • You need to add security to your PHP file. AJAX passes session data, so do user permissions checking, CSRF protection, blah blah. AJAX isn't going to magically protect you if you can hide the filename somehow.

  • vedranvedran Moderator

    No. Whatever you're doing stop now!

    Just fix update_cust_results.php

  • @vedran .. what all security measures i can put in "update_cust_results.php".. at least the few generic ones .. I have the basic user authentication stuff .. but thats all i have right now ..any more suggestions..

  • Use a form request token that's generated on every page load and stored in the user's session. Send the token in post data. Make sure the posted token matches the session token.

    Thanked by 1klikli
  • not possible to hide specially when you have firebug turned on

  • Like others have said trying to hide things isn't going to work. It's trivial to use a proxy tool like Fiddler to watch all the traffic.

    Do good authentication and then your best protection is usually handing random string tokens back and forth. When you page loads include a random string token that is sent to update_cust_results.php. On the server side make sure the proper token is sent. If not reject it.

    A great resource is at owasp.org. The technique I described above is covered under CSRF or cross site request forgery. Go and read that site and it's a good start fro writing secure code.

Sign In or Register to comment.