Questions tagged [ajax]

AJAX (Asynchronous JavaScript and XML) is a popular technique for creating interactive websites by exchanging data between client and server asynchronously.

124 questions
8 votes, 2 answers

Is one CSRF token per session adequate with HTTPS?

Ours is an Ajax-heavy application with concurrent Ajax requests. Generating unique tokens with each request, or expiring and creating new tokens after a certain interval, could get tricky with multiple concurrent Ajax requests. My question comes from…
8 votes, 2 answers

CSRF protection for AJAX when using multiple browser tabs

Say I've got that web application that has a CSRF protection according to the Synchronizer Token Pattern. The server expects a valid CSRF token in each POST request when the user is authenticated. Now imagine the following scenario: The user opens…
eckes
8 votes, 1 answer

Alternative to anti-CSRF tokens for AJAX request (Same Origin Policy)

I'm working on a PHP website based entirely on AJAX (via jQuery). It's a single page in which all requests are made by AJAX. Related to the protection against CSRF I have encountered the problem of having to manually include the token on every…
cooper
7 votes, 3 answers

Secure jQuery ajax calls from a non-secure page

I could not find a clear answer, but if I have the following situation: I browse to a page, let's say http://www.example.com/index.html. Now I use a form on this page to do a postback with jQuery's ajax functions to the following…
Roger Far
7 votes, 1 answer

Access to other local files from a local HTML file

I tried this question on the programmers site with no luck. Do you see any reason to block a local HTML file from accessing other local files located in the same folder? I mean, if a user downloaded an HTML app (consisting of several HTML files) and…
Vanuan
7 votes, 3 answers

Ajax and CSRF protection

Without going into too many details, I have a site which is 100% Ajax. All requests to the site (both GET and POST) are done via Ajax. Now I have to implement CSRF protection, and all the solutions I came across boil down to sending a CSRF token in…
Dave
6 votes, 2 answers

Securing passwords for REST Authentication

I'm developing a REST application using the Spring Framework, and as part of the requirements, we have to secure the different functions of the system to different user roles (pretty standard stuff). My current method of determining the roles for the…
JamesENL
6 votes, 3 answers

How can I control the content of the HTTP HOST header in requests issued from my website?

Is anyone familiar with a way in which I can post a link on my website, that when accessed will cause users to issue an HTTP request to a 3rd party site with custom content in the HOST header (different from the actual host/domain to which the…
user3074662
6 votes, 4 answers

How to stop other websites from sending cross domain AJAX requests?

From two different applications, I was able to send cross-origin requests. Though the browser returns a "cross origin" error, my server is still receiving and executing the request. For example, from a remote site I can invoke a cross domain request…
user960567
6 votes, 4 answers

Protecting against CSRF when a form is being submitted via an AJAX call

I'm using anti-CSRF tokens on all my forms to prevent CSRF attacks. Also, the tokens are being saved in the $_COOKIE variable to validate against the value I get from the form. I'm resetting the token each time a form is loaded. But there are a few…
Gaurav Sharma
6 votes, 2 answers

Is an AJAX call less secure than the normal POST method?

I currently have a standard login form like this:
Tim von Känel
6 votes, 2 answers

Security drawbacks for using short-lived access token in JavaScript client side

I intend to build a front end site entirely in JavaScript (NodeJS) and I would like to do ajax calls to a REST WS which is on another domain on the client side. I intend to use oauth2 and SSL to secure my REST back end, perform the access token asking…
rico
6 votes, 1 answer

Is this jQuery ajax call vulnerable to XSS?

If somebody can edit $("#field").val(), can they change the url property here to point to another location? $.ajax({ url: "http://mywebsite/script?param=" + $("#field").val(), dataType: "jsonp", success: function(response) { …
Kevin
5 votes, 3 answers

What purpose does Access-Control-Allow-Origin have?

I have a misunderstanding regarding CORS' Access-Control-Allow-Origin header. Its name says "allow", from which I understand that if I make a request from an "Origin" that is not allowed the request should fail. But I can always change /etc/hosts…
pepe
5 votes, 2 answers

Is same origin policy for web only useful because of cookies?

There is a same origin policy in the browser to ensure that, e.g., a bad site won't read your data from Facebook. But it seems that the only problem that it tries to solve is that cookies are automatically sent with the request, which authenticates the…