[jQuery] Re: AJAX Security
Fabien Meghazi wrote:
> > > 1. Non AJAX
> > >
> > > User needs to select a username, fill in the captcha, and submit the
> > > form => no automation possible as need to fill in the captcha
> >
> > You can validate Captchas via ajax...
>
> Exactly, this is where I would like to go ;-) Just include captchas in your api.

I'm working on it: http://dev.jquery.com/view/trunk/plugins/validate/demo-test/captcha/index.php (currently rather broken).

Jörn
[jQuery] Re: AJAX Security
On Nov 23, 4:06 pm, Jörn Zaefferer <[EMAIL PROTECTED]> wrote:
> howa wrote:
> > On Nov 22, 7:15 pm, "Fabien Meghazi" <[EMAIL PROTECTED]> wrote:
> > > > In non AJAX apps, automatic checking can be prevented using Captcha in
> > > > the registration page.
> > >
> > > As you could do with an AJAX application, I don't understand what
> > > would prevent you to do so.
> > > What main difference do you see between a GET or POST made by the
> > > browser when submitting a plain old form and a GET or POST made using
> > > XMLHttpRequest?
> >
> > Hello, let's consider a simple membership registration page
> >
> > 1. Non AJAX
> >
> > User needs to select a username, fill in the captcha, and submit the
> > form => no automation possible as need to fill in the captcha
>
> You can validate Captchas via ajax...

Sure, but it opposes the original idea of why you want to use AJAX for the user to choose the username easily; well, this is in fact related to doing a Turing test on AJAX or RIA for max. usability.
[jQuery] Re: AJAX Security
> > 1. Non AJAX
> >
> > User needs to select a username, fill in the captcha, and submit the
> > form => no automation possible as need to fill in the captcha
>
> You can validate Captchas via ajax...

Exactly, this is where I would like to go ;-) Just include captchas in your api.

--
Fabien Meghazi
Website: http://www.amigrave.com
Email: [EMAIL PROTECTED]
IM: [EMAIL PROTECTED]
[jQuery] Re: AJAX Security
howa wrote:
> On Nov 22, 7:15 pm, "Fabien Meghazi" <[EMAIL PROTECTED]> wrote:
> > > In non AJAX apps, automatic checking can be prevented using Captcha in
> > > the registration page.
> >
> > As you could do with an AJAX application, I don't understand what
> > would prevent you to do so.
> > What main difference do you see between a GET or POST made by the
> > browser when submitting a plain old form and a GET or POST made using
> > XMLHttpRequest?
>
> Hello, let's consider a simple membership registration page
>
> 1. Non AJAX
>
> User needs to select a username, fill in the captcha, and submit the
> form => no automation possible as need to fill in the captcha

You can validate Captchas via ajax...

Jörn
[jQuery] Re: AJAX Security
On Nov 22, 7:15 pm, "Fabien Meghazi" <[EMAIL PROTECTED]> wrote:
> > In non AJAX apps, automatic checking can be prevented using Captcha in
> > the registration page.
>
> As you could do with an AJAX application, I don't understand what
> would prevent you to do so.
> What main difference do you see between a GET or POST made by the
> browser when submitting a plain old form and a GET or POST made using
> XMLHttpRequest?

Hello, let's consider a simple membership registration page

1. Non AJAX

User needs to select a username, fill in the captcha, and submit the form => no automation possible as need to fill in the captcha

2. AJAX

User can select the username via AJAX API, where the possible automation comes in
[jQuery] Re: AJAX Security
> In non AJAX apps, automatic checking can be prevented using Captcha in
> the registration page.

As you could do with an AJAX application, I don't understand what would prevent you to do so. What main difference do you see between a GET or POST made by the browser when submitting a plain old form and a GET or POST made using XMLHttpRequest? What would be more secure with a plain old form?

Maybe I didn't understand what you meant (my english is not so good). I think the real security issue to care about is what your server side logic returns in case of an Ajax context and how your ajax client side scripts handle the returned data. But with XSS exploits knowledge in mind you should be able to put away those concerns.

> For example, in Yahoo, guess how they are checking?
> https://edit.yahoo.com/membership/json?PartnerName=yahoo_default&RequestVersion=1&AccountID=johndoe&GivenName=&FamilyName=&ApiName=ValidateFields&1763407

Yes this is a bad method, but you're not forced to do something bad.

--
Fabien Meghazi
Website: http://www.amigrave.com
Email: [EMAIL PROTECTED]
IM: [EMAIL PROTECTED]
[jQuery] Re: AJAX Security
Hi, look at this and maybe you will be happy: http://15daysofjquery.com/examples/contact-forms/

On 21 Nov, 04:42, howa <[EMAIL PROTECTED]> wrote:
> On Nov 21, 6:34 am, "Fabien Meghazi" <[EMAIL PROTECTED]> wrote:
>
> > > With a blank or mismatched referrer, the script will always return a
> > > username as unavailable.
> > >
> > > Unfortunately the referrer is easily spoofed, so I'm not sure how
> > > effective
> > > this will be.
> >
> > And just because it can be easily spoofed then you should not use referer.
>
> Yes, I agreed using referrer is not a reliable method.
>
> > Please explain the difference between your worries about an ajax
> > application and a non-ajax application.
>
> In non AJAX apps, automatic checking can be prevented using Captcha in
> the registration page.
>
> For example, in Yahoo, guess how they are checking?
>
> e.g.
>
> https://edit.yahoo.com/membership/json?PartnerName=yahoo_default&Requ...
>
> Howard
[jQuery] Re: AJAX Security
On Nov 21, 6:34 am, "Fabien Meghazi" <[EMAIL PROTECTED]> wrote:
> > With a blank or mismatched referrer, the script will always return a
> > username as unavailable.
> >
> > Unfortunately the referrer is easily spoofed, so I'm not sure how effective
> > this will be.
>
> And just because it can be easily spoofed then you should not use referer.

Yes, I agreed using referrer is not a reliable method.

> Please explain the difference between your worries about an ajax
> application and a non-ajax application.

In non AJAX apps, automatic checking can be prevented using Captcha in the registration page.

For example, in Yahoo, guess how they are checking?

e.g.

https://edit.yahoo.com/membership/json?PartnerName=yahoo_default&RequestVersion=1&AccountID=johndoe&GivenName=&FamilyName=&ApiName=ValidateFields&1763407

Howard
[jQuery] Re: AJAX Security
> With a blank or mismatched referrer, the script will always return a
> username as unavailable.
>
> Unfortunately the referrer is easily spoofed, so I'm not sure how effective
> this will be.

And just because it can be easily spoofed then you should not use referer.

Please explain the difference between your worries about an ajax application and a non-ajax application.

--
Fabien Meghazi
Website: http://www.amigrave.com
Email: [EMAIL PROTECTED]
IM: [EMAIL PROTECTED]
[jQuery] Re: AJAX Security
I'm about to add this functionality to my user registration page, so I'm wondering the same.

The protection I have at the moment is pretty basic: I check the HTTP referrer to make sure the AJAX call is coming from my registration page. With a blank or mismatched referrer, the script will always return a username as unavailable.

Unfortunately the referrer is easily spoofed, so I'm not sure how effective this will be.

--
From: "howa" <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2007 1:25 PM
To: "jQuery (English)"
Subject: [jQuery] AJAX Security

Well, this is not JQuery related, but I want to know the current best practices in AJAX developments...

In an AJAX app, such as user registration, we might have an API for the user to check if their desired user name has been taken by another user. If we expose this API using AJAX, then it might become very easy for other people to automate a computerized bot to query our system.

Are there any pattern(?) to provide some kind of security to the apps such that bots can be prevented?

Thanks.