7

I could not find a clear answer, but if I have the following situation: I browse to a page, let's say http://www.example.com/index.html

Now I use a form on this page to do a postback with jQuery's ajax functions to the following URL: https://www.example.com/login.aspx (aspx could be anything: MVC, WebForms, PHP, Ruby, etc.).

Is this safe or not? I realize that not the whole session is secure.

Or is this safe, but will browsers complain about it? Will it be safer to use an entirely different domain? https://www.example.org/login.aspx

Hendrik Brummermann
Roger Far
  • We can probably guess, but you should be clearer about what you mean by "safe". Safety is a very open-ended property that depends on what you plan to do with the postback, what assets you're trying to protect, what the threats are, what you are vulnerable to, etc. See the [faq]. – nealmcb Jul 03 '11 at 16:23
  • This is a duplicate, however since the question is a bit vague I'm not sure which you meant: It's either http://security.stackexchange.com/questions/258/what-are-the-pros-and-cons-of-site-wide-ssl-https-or-on-login-page-only or is it http://security.stackexchange.com/questions/2486/is-ajax-fundamentally-insecure – AviD Jul 04 '11 at 23:47
  • Neither really... It's about whether an insecure page can make secure ajax calls. – Roger Far Jul 05 '11 at 18:34

3 Answers

9

No, it is not secure and using another domain will not help.

An attacker can manipulate the HTML/JavaScript code on the HTTP page to change the destination of the ajax call to his own server. Or even better, add a second call.

Hendrik Brummermann
5

Once your browser visits the domain www.example.com and downloads index.html to your browser, the entire HTML is stored on your computer. Since anything stored on the client side can be tampered with, this is considered unsafe, and you cannot trust the data the client is returning from the script www.example.com supposedly served to the user.

This means that login.aspx has to treat every bit of data being sent in as dirty data and clean it up.

Changing domain doesn't do much, and the browser won't complain about JavaScript triggering a form on a different domain.

Rory Alsop
Chris Dale
1

Attacks like 'SSL-Stripping' are a clear example of how such approaches could be exploited. This is a vulnerable design.

A plain Python-based tool by Moxie to exploit such a design: http://www.thoughtcrime.org/software/sslstrip/index.html

AbhishekKr