Member Avatar

Hi all, I've been using ajax for a while and I've been storing my trivial php include files in the public directory tree. Then I thought, I really should be putting my classes and includes above the public document root (as I used to do before I started dabbling with ajax).

I know js can't access anything above document root, but a php file called by ajax js could. That just seems like a fudge to me (?).

I suppose the php file being called by ajax HAS to be within doc root otherwise it couldn't work. Seeing as headers can be spoofed, it's almost impossible to protect against remote-site calling of these php files. Can't help thinking of some sort of session variable...

Has anybody out there any experience of this? How did you overcome it? Or am I missing something here?

I think you'll have to do some kind of shared token exchange. I have been working on it, but due to lack of time it isn't finished yet.

Basically, using a timestamp and a shared and private key, you can authenticate your request. This of course has to be generated before the output of your page (in PHP), because again, Javascript only is not secure enough for it.

In addition, you can restrict use of the private key to a session (they have to be logged in to your site) and/or an IP address.

commented: useful info, as always +14
Member Avatar

Thanks pritaeas - I've been thinking along the lines of keys/tokens, but haven't got the knowledge to implement it (yet!). You've given me a bit to think about :)

I still want to build this, so should I get it working anytime soon, I'll let you know. If you get enlightened, please let me know.

Member Avatar

Nice one, I'll try to work on something my end as well. I'm working on a hub idea as the mo:

all ajax calls go to one hub file with a post parameter -> include appropriate above root file. If I can just secure the hub...(your idea sounds good for this)

Will leave this thread open for now as I'll probably come back to it with any progress.

Member Avatar

Found a great open source site scanner here:

It seems my techniques weren't as sound as I thought. 6 shell injection possibilities!

Looks like it's back to the drawing board for a few routines. :)

Oooo... the tempatation to run it against something that's not mine...

commented: Excellent tool. Am sure this will bring some new nightmares. +14

Addition: I forgot I have the "RESTful PHP Web Services" eBook from Packt. One of the frameworks mentioned in it, which is looking promising is WSO2/WSF. Other ones mentioned are dbScript, Konstrukt, Madeam, Tonic and Zend.

Member Avatar

Ha ha ha - my nose just exploded over the screen! Had a look at it and decided my current level of understanding falls well below that required to make any sense of it. :(

I went here and found some stuff that my *simple* brain could cope with.

What do you reckon? Will this work with a standard ajax call?

Basically yes, although instead of random I'd use a token encrypted with a private key, so it can change between requests, and can be verified. Don't forget to include a timeout for each token, makes hijacking more tedious.

But that depends on whether you think you need it.

Member Avatar

But that depends on whether you think you need it.

That's the thing.

I'm just using a standard jQuery .post or .ajax call to an include file with post parameters for updating/inseting to MySQL and using json for the response.

I've been getting warnings (Vega) saying that the file directory is being disclosed (as in

url: includes/ajaxcall.php;

The calls are the result of link / button clicks so I assume that passing a token stored in a html element on the page or even placed into a js variable could then be checked in the ajaxcall.php file, if it's based on the session id with and I use a timeout value.

I'm slowly getting my head around this...