Passing ID values with ajax in a secure way - javascript

Imagine that I have a site where users' profile page has an address like below:
http://www.example.com/profile.php?p=123
Now I want to go to this profile and block (or another operation) this user when I click a button. I need to send the id of this user (123 in this case) to server with AJAX, and my question is, how can I send this id value to php server securely? (Currently I parse url parameters into a JSON object and pass them to server, but I don't know how secure this is.)

What you are probably looking for is RSA encryption. You generate a key for your server to use which has a public version and a private version. Your javascript will contain the public version which can be used to encrypt the data, and your php will use the private version to decrypt the data.
As a jumping off point, you can start here for javascript public/private key examples: http://shop-js.sourceforge.net/crypto2.htm
And here for the PHP side: http://www.webtatic.com/blog/2009/07/php-public-key-cryptography/

Related

How can I encrypt and decrypt query my query parameters in a URL?

In my system I'm generating URLs with query params that represent IDs. I want to encrypt these IDs so that they are not plainly manipulated in the URL. These will be public facing URLs and I don't want users to be able to manipulate the URL and be able to get other users' data, so I want to encrypt these IDs.
I'll be encrypting the IDs within a Java application and then decrypting them in a Javascript app. Is there some common encryption algorithm I can use in both places? Are there libraries available that would do this sort of thing in Java and Javascript?
I realize both my application will need access to a common "password" or decryption key, I will store this in a keystore location that both apps will have access to.
IMO you should generate a public/private key by your own then (OpenSSL, Java keytool...).
Using javascript to encrypt your data with the public key
https://code.google.com/archive/p/crypto-js/downloads
https://nodejs.org/api/crypto.html
On Server-side - Java, you can use the private key to decrypt your data to execute your business behaviour. There are many examples/library to decrypt by the private key such as
https://www.devglan.com/java8/rsa-encryption-decryption-java
https://gist.github.com/fanglijun/a0d1218c9ef0b0670904e62778f6ed12
You're should read how the RSA algorithm to understand more how it works.
Basically you need to encrypt data by your public key (front end part) and decrypt (backend part)by your private key that it.
Not recommend:
If you're still wanna decrypt on front-end side via javascript, mean that you have to public your private key where javascript can read to decrypt. Technically is fine but It may have a security issue
Another solution:
You can encrypt your data like (Id, secret_data.....) into an encrypted string then send that string as a parameter of an URL (generate at server-side)
When end-user clicks that URL you will decrypt parameter by private key (server-side) to get actual data (Id, secret_data...)
Unless your values actually need to be secret use an HMAC. This way you can authenticate that url provided has not been tampered with without actually having to share keys or require that the client decrypt data on its own.
Simply generate an hmac for your desired critical values and append the value to the url. When they user accesses the specific path, read the url and compare it to the hmac.
url = 'http://my.site/users/123
signature = hmac(secret_key, url);
signed_url = url.addQueryValue('s', signature);
on the way in, look at the signature and validate it matches the regenerated hmac.
Other things you can do is append claims to the signature such as expiry ect. Claims can be used to track access, as well as revoke access to a url after some time.

Add new object to json using javascript

I have a json file with user information (login and password). How to add a new object to Json using js? (so that after loading the page it would be saved in Json) Is it possible at all? Nowhere can I find the answer. I can use only (javascript, jQuery, json)
json
{
"users":[
{
"login":"admin",
"password":"1207"
}
]
}
js
$(function() {
const getOb=$.getJSON('user.json');
var obj = JSON.parse(getOb);
obj['users'].push({"login":"Donald","password":"78"});
getOb = JSON.stringify(obj);
});
You are fetching data over HTTP.
If you want to save it back to the server, then you need to make an HTTP request to the server (typically a PUT or POST request), and then have server-side code (written in the language of your choice) accept the HTTP request and save the data.
Typically you would save the data to a database from which you generate the JSON on demand rather than using a plain file (which saves you from race conditions).
Note:
Storing passwords in plain text is dangerous. Use a hashing algorithm.
Sending your authentication data to the client and asking it to authenticate itself:
Leaks your authentication data to anyone trying to log in
Allows anyone to edit the JS in their browser and claim to have logged in successfully
Move to a server-side authentication system where you send your credentials to the server, and then server-side code checks if they are good and then returns a token (JWT is currently a popular way to do this) which can be used to prove you are logged in.

Access PHP SESSION value in JavaScript

I generate a session value for each visitor on my website. If they submit the form, it sends the data via a jQuery AJAX request to my PHP validator script.
This script performs several checks on the data the user submitted. If everything has been validated, it returns a sha256 hash which is generated with the function hash_hmac('sha256', 'success', $_SESSION['secret_key']). I hash this so users cannot manipulate the response with software such as Charles.
The jQuery request receives the hashed string and I have to hash 'success' with the secret key again to check if they match. However, the secret key is stored in a PHP session and I am not able to figure out how to get access to it through JavaScript.
An AJAX request to a PHP script would not be ideal — an attacker can then edit the response to make it match with their own hashed strings.
I'll simply elaborate on my comments in this answer.
You say
An AJAX request to a PHP script would not be ideal — an attacker can
then edit the response to make it match with their own hashed strings.
They can edit the response, but if it's all done client side, they can still edit it.
You want to send the data hashed, then you want the client to be able to check the hash, so I'm not sure what the point in hashing would be, other than security in transport. I can't tell you what you really need, because I'm not seeing the use case here.
I do know you'll either need to go to the server for something you want to keep secret from the client. There's no security on the client side.
As long as you are using javascript in your php file, something like this will suffice...
<script>
var secret_key = <?php echo json_encode($_SESSION['secret_key']); ?>
<script>

Ways to Encrypt and decrypt array in jquery

I am completly new to jquery and client side programing. I am trying to figure out a way of achiving this:
On the client side I have a hidden user id/profile id, which I wanna to encrypt, but while manipulating the hidden value, I have to decrypt and perform some operation on it.
I have a global array of arrays like below:
var users=[{"u_id":"1234", "u_name":"Test"},{"u_id":"12345", "u_name":"Test1"}];
this array is used by various other compoenets, e.g. when user mouse-over on the profile-id, it will get the details from the above array and display the result to him.
In short, I want to encrypt/decrypt all my global variables inside the script.
any plugin or ways to do will be highly appricated.
Encryption/decryption on the client side is entirely pointless. Encryption is used to hide something from somebody. For that you need a secret (password etc.) that you're not giving to that somebody.
If you want to encrypt and decrypt something on the client, the client will need the secret in order to do the encryption. Therefore, the client has everything it needs to decrypt any encrypted secret. That means any user has everything he needs to decrypt data and can in fact see the process happening (try breakpoints in your browser's Javascript debugger). Therefore, the entire exercise is by definition pointless. It may deter some very unskilled poker-arounder, but anyone with the skill to actually do something with the decrypted data can get it easily.
#deceze: Yes exactly, the example you have posted, lets say user 42, trying to update his age, basicaly user will see 42 as his profile id when he logsin, and then subsequent call he will make for changes he need to pass sessionkey/apikey along with profile id and data, so basically if you will suggest me how I can manage these sessionkey/apikey, so that user/hacker from outside can't missuse.. – Jayaram Pradhan 1 min ago
It's pretty simple:
Require users to be logged in via a regular login mechanism, typically involving a session id. This session identifies the user as securely as it's feasible to do anything securely over the web. Your security focus must be here.
Knowing who the user is, you can validate any and all of his actions. If the user requests to change the profile information of some user, check whether he's allowed to do that or not. No API key or anything needed. The server receives a request for change, the server knows who the requesting user is by the session, the server can decide to accept or reject the request.
In the concrete case of updating one's own profile, if the user is only allowed to update his profile and his profile alone: there needs to be only one action/URL, when a user POSTs data to that action, the server knows who the user is and updates that user's profile. The user doesn't need to submit a user id of the profile he wants to update, in fact he can't submit a user id, only his profile will ever get updated. There's no publicly accessible action that allows him to update anyone else's profile.
There is no 3.
i know no way to perform this on client side, you can serialize and obfuscate the data (like using base 64 encoding on json string).

Get data from URL, or possibly ajax?

I was wondering how I can get data from the server side that is being passed to my page via encrypted url using java script? Let say I have this in visual basic in my code behind,
lnkToAPage.NavigateUrl = RelativePagePaths.ThePage + "?"+ QueryStringModule.Encrypt("PageMode=" + pageMode ...
I need to extract a piece of that data, which I get from an object on the server, to do something with it on the client side using javascript. I understand I can get the data from the url like it says here
but the data in the url is encrypted so the data I get from there is useless, I can send it without the encryption but that exposes to much. So is there a way I can use ajax to retrieve that data or object, or maybe there's another way? Or is it not possible at all?
I am not aware of what encryption protocol you are using, but if you get an encrypted version of your attributes, you need to decrypt it using the same protocol with javascript.
On the web, it is common practice (and a good one) to encrypt the connection using HTTPS. it protects anyone from seeing the parameters as explained here.
This does not seem to be an ajax related problem (from what I understood of the question).

Categories