hide the path of the php file in ajax request - javascript

I dont know if this possible
But I have an ajax function in my javascript and as all, we know we need to provide php file path in the ajax request and this will be visible to all the users and unfortunately they can see the path of the ajax files and where they are stored .but i dont want this to happen i dont want user or client to see my ajax filed Is there a way to hide this path from the client, from seeing the path of ajax files? i know its something obfuscation but i only want the path to be done is it possible?
Update
so is there any way to stop user from viewing or opening php files from the url, I mean if user enters the path of ajax files and hits enter he can see all my files over there and he can easily hack my data so is there a way to stop user from entering them , i want only my pages to access php files not from users url,Thanks

It is not possible. The browser has to request the URI. The user can see what resources their browser is requesting.
"Ajax files" are not a special case. You need to secure them in exactly the same way as any other resource you provide over HTTP. i.e. use authentication and authorisation to make sure that only users who are allowed to access them do, input validation to make sure that any data sent to them is acceptable, and escaping to make sure that the data doesn't cause you problems if you try to insert it into SQL/HTML/JS/any other data format.
Response to update:
so is there any way to stop user from viewing or opening php files from the url
Still No!
I mean if user enters the path of ajax files and hits enter he can see all my files over there
You can configure your server to not serve a DirectoryIndex. The specifics depend on the server. Alternatively you can put a blank index.html file there.
and he can easily hack my data
How?
so is there a way to stop user from entering them
No.
i want only my pages to access php files not from users
Only an HTTP client can request a URI. There is no way to distinguish between an HTTP client responding to an instruction from JavaScript that you have written from one that is responding to user input.

a possible way would be to obfuscate it so that its not user readible. expl; by using a main script and including the file by switching on some POST/GET param your sending (could be a random string, hash, number).
more efficient obfuscation can be acchieved, when you would redirect all traffic to one script via mod_rewrite. Somewhere in the url, you hide a number, that tells you which file to use. Then you add random string before and after it (with specific length) and read it from your main script. But then the user will find out by looking at the javascript.
but srsly. why do you care? there is no security by obscurity!
/updated to your updated question;
I think you want to be looking at your apache configuration; use .htaccess files or better, disable indexing of a directory all together. The user wont be able to know about all your php files. Only the ones, you made public via links in your application. There is no such thing as "only letting ajax access file but not the user". because ajax IS the user and vice-verca! you are sending ajax request on behalf of the user! and if the user enters the url in the browserbar, its the same as sending an ajax request.
You could add a special header with your ajax call (or use the one already supplied), but that wouldn't change anything, as soon as the user looks at the traffic close enought.
What I think you want is a User Session to only allow privileged users to fully execute a script.

Unless you are using jsp technology with apache tomcat, you can place your folders in the WEB-INF.

No.
This is not possible. The client performs the request and the client is under the users control.

Related

Reactjs Authentication: make route available if you have the link

In my application the user is able to create files and to publish them. You need to be logged in in order to create/read/update/delete a file but there's a link with which you can simply view the file (no option to edit etc. and you don't need an account to view it).
Up until now, you needed a token for authentication to create/edit/etc the files in your account, however, if you had the link to the "view-version" of the file, you did not need a link in order to retrieve the file data and to view the file (meaning the route for fetching the data in the view-version was not protected).
However, this seems like a big security risk to me, as you can access the file data (albeit not the user data).
What I came up with is the following:
Besides the file-id, which I use to identify the file in question, I could also enter the token into the querystring, so whoever views the file could be authenticated.
I'm very new to this so I don't know much about what is a security risk. Sending the token in the querystring also seems like a security risk to me but I don't know how else to do what I'm trying to achieve and googling did not get me very far.
To sum it up, my questions are:
1. Is sending the token in the querystring secure?
2. If not, how can I achieve what I'm trying to do?

JAVASCRIPT AJAX - Prevent redirect?

$.ajax({url:"URL",success:function(result){
I have a webpage that accesses a certain URL and then extract certain elements of the webpage. However, in order to access that URL you have to be redirected to what is similar to a log in page (requires form submission) and then you have access to that link.
I want to prevent the redirection upon loading the URL. Is that possible?
If not, am I able to manually do the form submission using JAVASCRIPT? Via AJAX or any other resource.
EDIT: By manually saving the .html to my directory and accessing the page from my root folder, it works fluently.
Thank you!
Yes, it is possible. You need to stop the form submission and add your AJAX call. Like this:
$("form").submit(function(){
$.ajax({url:"URL",
success:function(result){
}
});
return false;
});
More information here.
If I understand your question, what you need to do is log the user into the external website programmatically beforehand. This is possible if the other site supports OAuth or something similar, but the specifics will depend on their API and what exactly you're trying to do. I can't tell you more than that without more information.
This assumes you're trying to include the other web page in an iFrame, or link directly to a page there, or something like that. If, on the other hand, you're trying to log in to the foreign website as the user, pull out some content, and mix it in with your own, then I suggest you change your approach. You'll probably run afoul of all kinds of anti-XSS security policies, either on the foreign website or in the browser depending on what you try to do. Or you'll have to ask your users to give you their password on another site, and they'll have to really trust you for that.
Generally speaking, if you want to interact with another website, the user's client should connect, log in, and receive content directly from the other server without you acting as an intermediary. I think perhaps you're asking the wrong question: Instead of "how can I do this without the user logging in," ask "how can I let the user connect and log in to another website without having to leave my page?"

I need to generate a JSON file in browser using (currently) javascript

I have a website that allows users to select a date range from a data set. At least, that's the goal.
What I would like to have happen: the user selects a date range, presses the submit button, and a script generates a JSON file which MATLAB reads to generate the graphs.
Any thoughts on resources to help accomplish this?
You'll need the script that fires off to be server side. JavaScript is client side and can not, in any way, access, modify, or otherwise create files on the client. You'll have to use a language like PHP to create the file.
Example using PHP:
Once the file is created, force a request on the client side to fire asking for the file. Set the PHP header to Content-Disposition: attachment; filename="< Place file name here>".
This will prompt the browser to launch a download prompt allowing the user to download the file.
Hope this helps.
You can use Downloadify, a small Flash component with a Javascript interface that allows you to create files on the client that a user can download. That's what I used in a similar situation.
You could also try and use Data URI but they are a quite limited and browser specific so some issues may arise.
These may be alternative solutions to the previous answer that suggested using server side code to generate the file.

ensuring that a script is only included into certain pages

The question
I have a service that pushes content to users. To provide this content to their users, customers will include a script on their site. Their script sends a token to my server to identify which customer it is, but here's the problem: if anyone copies the script from the user's site, they can receive this live content, and the customer is billed for users that are not on their site. So, is there a way to ensure that the script is only included on their website? How does google analytics achieve this?
I have an idea, but I don't know if this would be completely secure.
The customer tells me any domains (including subdomains) that they would like to include my script on.
I give the user a very small text file that they store on their servers.
Once my script is loaded, it checks for window.location.host, and tries to fetch the text file from the root of the hosting domain.
If the file is found, and the contents match the content I generated when I gave the customer the file, I activate the service.
would this work?
Why I can not use window.location
Let's say that my script reads window.location, and sends that to the url mydomain.com?token=ABC&locationhost=goodcustomer.com
Now, the owner of baduser.com wants to abuse the account of gooduser.com, so he includes gooduser.com's script. The script now sends an ajax request to mydomain.com?token=ABC&locationhost=badcustomer.com
This would not start the service, because badservice.com is not the domain that the owner of goodcustomer.com entered when he signed up. This is easy to circumvent, because badcustomer.com's owner can take a look at my script, notice that it is sending a request to validate the url, and just send his own request. So he would send a request to mydomain.com?token=ABC&locationhost=goodcustomer.com. My server sees this request, compares the locationhost to the domain associated with the token, and starts giving the content meant for goodcustomer.com's users, to badcustomer.com's users. My server has no way of knowing wether the request was sent by my own script, or by a user trying to impersonate the actual customer.
You cannot make a secure solution to this only with scripts that runs in the end users browser. Someone that want to mimic your customers web site will always be able to do that by creating a copy of every script or file that you send to the browser. You will need to do something on your customers server. That is, your customer must have some kind of secret that is not sent to the browser.
One way to do this would be to give the customer a server side script that generates a one-time token. Let your script call this server-side script to get the token and include this token in the request to your server. Your server must check that the token is correct before it generates the data.
A one time token can be made by sending each customer a 20 character long password. Let the server-side script read the password, add the date and time and hash this value using i.e. SHA-256. It would be quite hard to create a false token if you don't know the password. It would be even better if you add a counter in the server side script. Let the counter increment with one for each request. However, a counter will introduce some syncronization problems if the counter on your site comes out of sync with the counter on the customers site.
You could build a database of what domains a user would be hosting the script on, then when the user loads the script, it sends window.location to your server, then your server sends content if the window location matches that in the database.

Determine Start of Download

I am looking to determine that a download has begun, preferably with jQuery.
I am serving up dynamically created downloads that take 5-10 seconds to create. I would like to use JavaScript to post a message to the browser that the file is being created, and remove that message once creation is complete and the download begins.
Posting the message is easy. I can do that when the user clicks the link. I just can't find a way to remove the message when it is no longer needed.
Is there a way to accomplish this?
You could provide the download through a script for example download.php?file=image.jpg
When someone accesses it and the script starts to send the file, you could log this in a database.
Your site could then make an ajax call to an other script which tells whether the download has started or not, by looking in the database. If it started you can hide the message, if not make an other call a bit later.
Totally different approach which avoids the ajax polling:
The http response of the download request sets a cookie which can be checked regularly on the page which provided the download link. This way you are only polling the browsers cookie storage and not your server.

Categories