AJAX security

handgestrickt was curious about how secure AJAX really is, so we wrote some scripts that tried to access data on foreign hosts and to fake the referrer (the HTTP 1.1 specification, RFC 2616, misspells this word as "Referer"). the result is great and makes us feel much better about AJAX: all the new browsers neither allow manipulating the "Referer" header nor allow accessing foreign hosts. we tested Firefox 2, Opera 9 and Internet Explorer 7 and used Prototype.js. additionally we checked whether Prototype.js itself refuses to set the "Referer" header, and it definitely does not, so it is the browser that blocks the header.

in the following code we used a PHP page that just outputs phpinfo(). we accessed this page with AJAX and a fake "Referer" and displayed the response, so the HTTP_REFERER the server really received can be read off the phpinfo output. try this at home if you like:

<html>
<head>
 <title>refspoof-JS</title>
 <script src="js/prototype.js" language="JavaScript" type="text/javascript"></script>
 <script language="JavaScript">
var refspoof = {
        test: function() {
                // request the local phpinfo page and try to override the Referer header
                new Ajax.Request('phpinfo.php', {
                        method: 'get',
                        asynchronous: true,
                        requestHeaders: {
                                Referer: 'http://some_fake_referrer'
                        },
                        // on completion, show the response (the phpinfo output, including
                        // the HTTP_REFERER the server actually saw) in the result div
                        onComplete: function(transport) {
                                $('result').innerHTML = transport.responseText;
                        }
                });
        }
}
 </script>
</head>
<body onload="refspoof.test();">
<div id="result"></div>
</body>
</html>
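the two browser rules the experiment above runs into (the browser silently drops a script-supplied "Referer" header, and a script may only read responses from its own origin) can be written out as plain functions. the following is an added illustration for this post, not code from the post or from Prototype.js; it runs in Node.js, the forbidden-header list follows the WHATWG Fetch Standard, and the origin comparison is the usual scheme/host/port match of the same-origin policy. the page and host names are made-up test values.

```javascript
// Added illustration (not the original post's code): the browser-side checks
// that made the refspoof experiment fail, as stand-alone functions.

// Request-header names a script may not set (WHATWG Fetch Standard,
// "forbidden request-header"; the static part of the list).
const FORBIDDEN_HEADER_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);

function isForbiddenRequestHeader(name) {
  const n = String(name).trim().toLowerCase();
  // names starting with "Proxy-" or "Sec-" are reserved for the browser itself
  return FORBIDDEN_HEADER_NAMES.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

// What the browser does with a requestHeaders object: forbidden names are
// dropped, everything else goes on the wire. Returns the headers that are sent.
function filterRequestHeaders(headers) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!isForbiddenRequestHeader(name)) kept[name] = value;
  }
  return kept;
}

// Same-origin policy: scheme, host and port must all match. A relative request
// URL (like 'phpinfo.php' in the post) is resolved against the page URL first.
function sameOrigin(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl, pageUrl);
  return page.protocol === target.protocol &&
         page.hostname === target.hostname &&
         page.port === target.port;
}

// Simulate the post's experiment: which headers actually leave the browser,
// and would the script be allowed to read the response at all?
function simulateAjax(pageUrl, requestUrl, requestHeaders) {
  return {
    wireHeaders: filterRequestHeaders(requestHeaders),
    responseReadable: sameOrigin(pageUrl, requestUrl),
  };
}

// Constructed example values, mirroring the post's refspoof page.
const PAGE = 'http://example.test/refspoof.html';
console.log(simulateAjax(PAGE, 'phpinfo.php', { Referer: 'http://some_fake_referrer' }));
// the Referer entry is dropped; the local phpinfo.php response is readable
console.log(simulateAjax(PAGE, 'http://other.test/phpinfo.php', {}));
// a foreign host: the response is not readable by the script

module.exports = { isForbiddenRequestHeader, filterRequestHeaders, sameOrigin, simulateAjax };
```

note that both checks live in the browser, so they protect the user of the browser, not the server: a non-browser client can put any "Referer" it likes on a request, which is why a server should not treat HTTP_REFERER as proof of where a request came from.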

Sunday, 11. March 2007
