I am wondering how I can validate, and be sure, that when I use (jQuery) ajax the data that the server gets is really what the client sent.
In other words I want to verify the data on the server side (ASP.NET MVC) and prevent data leaks and security risks.
Thanks a lot,
Gal
As I found, it is possible for the client to manipulate and change Ajax code in the browser console. For example, Ajax wants to call a method and pass an id to the controller. As I mentioned above, how can we secure our code from interference by the client?
Thank you all
Security must always be implemented on the server side, because anything you do on the client side can be ignored, overstepped, modified, etc. very easily. In fact, anyone can use software like Postman to make a completely custom HTTP request to any server.
Don't ever rely on any client-side software for the security of your server. If you want to keep your server safe, then make a safe server.
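Added example (not code from the original thread): the question above passes an id from Ajax to a controller and asks how to stop the client changing it. You cannot; what the server can do is refuse to act on an id it has not checked. The handler below, written for a Node.js server as a stand-in for the MVC action, takes nothing from the request at face value: it re-derives the user from the session cookie, parses the id strictly, and only returns the record if it belongs to that user. The session table and the invoice "database" are constructed in memory for the example.

```javascript
// Constructed session store: cookie value -> authenticated user.
const sessions = new Map([
  ['sess-alice', { userId: 1 }],
  ['sess-bob',   { userId: 2 }],
]);

// Constructed data: alice owns invoice 101, bob owns 102.
const invoices = new Map([
  [101, { ownerId: 1, total: 40 }],
  [102, { ownerId: 2, total: 95 }],
]);

// Parse the id strictly: a canonical positive integer of at most 10 digits.
// "101abc", "-1", "0", "1e3" and similar are all rejected rather than coerced.
function parseId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,9}$/.test(raw)) return null;
  return Number(raw);
}

// The action the Ajax call targets. `req` mimics the parts of an HTTP request
// the handler reads (cookies and query string); all of it is attacker-controlled.
function getInvoice(req) {
  const session = sessions.get(req.cookies.session);
  if (!session) return { status: 401, body: { error: 'not authenticated' } };

  const id = parseId(req.query.id);
  if (id === null) return { status: 400, body: { error: 'invalid id' } };

  const invoice = invoices.get(id);
  // Ownership check. The same 404 is returned for "does not exist" and
  // "exists but is not yours", so enumerating ids reveals nothing.
  if (!invoice || invoice.ownerId !== session.userId) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: { id, total: invoice.total } };
}
```

The point is that the id is used only as a lookup key; the decision about whether the caller may see the result is made from the session, which the client cannot edit in the console. A request replayed from Postman without the cookie gets a 401 before the id is even looked at.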
At first, I intended to do the validation on the client side with JavaScript or jQuery, something like that, but then I realized that some malicious users may skip my JSP page, sending data which has not been validated to my servlet. My server end is structured using Spring+SpringMVC+MyBatis; is there any way that I can keep the validation on the client side, as well as keep my server safe (does Spring Security help)? Thanks a lot!
You should always validate on the server side.
Validation on the client side is only for convenience of your (honest) users and adds nothing to the security of your system.
The server-side validation must always be done and nothing will make your server automatically safe (safe from what? you have to decide what input is safe for your application, your database, your users, how it will be used etc.).
The only easy way to reuse your client-side validation code on the server side is to use Node.js or other server-side JavaScript like Rhino.
Unfortunately not, you need to validate server-side to keep it safe.
Anything you do client-side can be undone by a malicious user. Generally, client-side validation is used for quicker feedback to the user and to prevent your server getting too many hits. So it is still very beneficial, but you will need both.
I know all about SQL injections, and peeking into JavaScript files that a website uses, and also that GET requests contain all of the information in a URL.
Is there any security concern that is special to AJAX and only pertains to using AJAX?
For example, sending post requests via AJAX seems completely safe to me. Barring SQL injections, I can't think of one thing that could go wrong... is this the correct case?
Also, are "requests" of any kind that a user's browser sends or any information it receives available to be viewed by a third party who should not be viewing? And can that happen to AJAX post requests ('post' requests specifically; not 'get')?
It's like any other form of data input: validate your values, check the referrer, authenticate the session, use SSL.
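Added example (not code from the original answer): a pre-check for an Ajax POST endpoint that covers the list in the answer above, written for a Node.js server. It authenticates the session, checks the referrer (using the Origin header where the browser sends one and falling back to Referer), and insists on a JSON body, which a plain HTML form cannot produce cross-site without a CORS preflight. TLS is left to the web server in front of the application. The allowed origin and the session store are constructed for the example.

```javascript
// Assumption: the application is served from this single origin.
const ALLOWED_ORIGIN = 'https://app.example.com';
// Constructed session store: the set of currently valid session cookies.
const validSessions = new Set(['sess-1']);

// Browsers send Origin on POSTs; some older ones only send Referer, from
// which the origin is derived. A request with neither yields null and fails.
function originOf(headers) {
  if (headers.origin) return headers.origin;
  if (headers.referer) {
    try { return new URL(headers.referer).origin; } catch { return null; }
  }
  return null;
}

// Runs before the handler body. `req` mimics method, headers, cookies and raw
// body of an HTTP request. Order matters: an unauthenticated replay (Postman
// without the cookie) is rejected before any header parsing happens.
function guardAjaxPost(req) {
  if (req.method !== 'POST') return { ok: false, status: 405, reason: 'method' };
  if (!validSessions.has(req.cookies.session)) return { ok: false, status: 401, reason: 'session' };
  if (originOf(req.headers) !== ALLOWED_ORIGIN) return { ok: false, status: 403, reason: 'origin' };

  const ct = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') return { ok: false, status: 415, reason: 'content-type' };

  let body;
  try { body = JSON.parse(req.body); } catch { return { ok: false, status: 400, reason: 'json' }; }
  return { ok: true, status: 200, body };
}
```

One caveat: the referrer check is a cross-site request forgery defence, not a substitute for validating the body itself, and privacy settings or proxies can strip Referer, so treat a same-origin check as one layer alongside a per-session anti-forgery token rather than the only one.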
What is the difference between Ajax and web services? Can anybody provide some examples?
It's nonsensical to compare these things.
"Ajax" is a process that occurs in the browser. It is the act of calling some local server-side page, without refreshing the "main" viewing area, and then doing various things with that result (grabbing the data, making changes, changing the existing DOM (adding elements), whatever).
Webservices are a server-side thing that allows you to call methods, in your code, but have that call actually go to a remote machine. The call to the Webservice is generally also made server-side.
The term "Ajax" is generally used:
When the request is sent by a browser (client-side) to a server
When the transferred data is XML or JSON or HTML.
The word "webservice" is generally used :
When the request is sent by a server to another server, without a browser being involved
When the transferred data is SOAP -- at least when it's a SOAP webservice ^^ (Opposed to REST, for instance, which generally doesn't imply SOAP)
But I'd say that Ajax is basically some specific kind of webservice.
I think Ajax and web services are kind of similar; here is why I think so.
As I understood it, in your app sometimes you will have to implement an "API" which has several useful functions, and it is those functions which are called "web services". These 'functions' act in response to the HTTP requests and "do" something with the data provided.
In Ajax a similar kind of work happens as well, just through JavaScript, that's it.
So, to sum it all up, an API has 'web services' within it, and Ajax behaves like 'web services'. In this manner, yes, I think it is correct to call Ajax and web services similar.
I am working on a J2EE web application
Here we are using JSP and Struts
I know one can use
Client side validation (Using JavaScript)
Server side validation (Using Validation framework)
My question is which way is more proper and one should use in application and why?
You have to use both.
Server side validation is required so that nobody can use malformed queries and gain access to your data. You must do server side validation because anybody can submit malformed queries to your page directly (rather than going through your client side scripts)
Client side validation is only to help innocent users submit correct data in case they were making a mistake which would have cost an entire trip to the server and a page reload to be detected and displayed otherwise.
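Added example (not code from either thread): both the Spring question earlier on this page and the Struts question above get the same answer, validate on both sides but trust only the server. The block below shows one set of rules used twice: once in the browser before the Ajax call, purely to save the round trip, and once in the server handler, which runs regardless of what the client did. Sharing the rules verbatim like this requires a JavaScript server (Node.js), as the earlier answer notes; on Spring or Struts the same rules have to be re-implemented in Java, typically with the validation framework. The field names and limits are assumptions made for the example, and the forged request in the usage test is constructed.

```javascript
// One rule per field. Each rule receives the raw value and returns a boolean;
// type checks come first so that arrays, objects or numbers where a string is
// expected fail instead of being coerced by the regex.
const rules = {
  username: (v) => typeof v === 'string' && /^[a-z0-9_]{3,20}$/.test(v),
  email:    (v) => typeof v === 'string' && v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  age:      (v) => Number.isInteger(v) && v >= 13 && v <= 120,
};

// Returns the list of failing fields. Unknown fields are failures too, so a
// client that adds e.g. "isAdmin": true does not get it bound to the model.
function validate(input) {
  const errors = [];
  for (const field of Object.keys(rules)) {
    if (!rules[field](input[field])) errors.push(field);
  }
  for (const field of Object.keys(input)) {
    if (!(field in rules)) errors.push(`unexpected:${field}`);
  }
  return errors;
}

// Browser side: what would run just before $.ajax(). It only decides whether
// to send; nothing here protects the server.
function clientSubmit(form) {
  const errors = validate(form);
  return errors.length ? { sent: false, errors } : { sent: true, payload: JSON.stringify(form) };
}

// Server side: parses the raw body and validates it again, exactly as if the
// client-side step had never happened, because for a forged request it hasn't.
function serverCreateUser(rawBody) {
  let data;
  try { data = JSON.parse(rawBody); } catch { return { status: 400, errors: ['body'] }; }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { status: 400, errors: ['body'] };
  }
  const errors = validate(data);
  if (errors.length) return { status: 422, errors };
  // Copy only the validated fields into the model; never spread the raw input.
  return { status: 201, user: { username: data.username, email: data.email, age: data.age } };
}
```

The usage test submits a valid form through both steps, then sends a hand-built body straight to `serverCreateUser`, the way a user who skipped the page would, and checks that every bad field plus the unexpected `isAdmin` property is reported.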