Thursday, January 25, 2007

Protecting against cross-site ajaxin

Let's face it, Ajax is inevitable... but be careful with your Ajax pages or you might have your database stolen.

As a proof of concept you can access

And you will get all the data in my movies table as an XML document.

Since the data is bogus I don't mind about that... but what if it were real application data?

The simple solution, if the page is used only for this Ajax call (my case), is to put this simple check before writing the XML:

    string strSite = ...;   // this site's host name (value not shown in the post)
    string strPost = ...;   // where the request came from, e.g. its Referer (value not shown in the post)

    if (string.IsNullOrEmpty(strPost)
        || strPost.IndexOf(strSite) == -1)
    {
        // The request did not come from this site: stop before any XML is written,
        // so the caller gets a blank page (body assumed; the post does not show it)
        Response.End();
    }

That would make the hacker receive a blank page.
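The check above matches the site name as a substring anywhere in the Referer, so a Referer that merely contains the site name (in its path, query string, or as a subdomain of another host) also passes. The following is an added example, not code from the post: it models the post's substring check beside a stricter version that parses the Referer and compares the host exactly, using example.com as an assumed site host.

```python
from urllib.parse import urlparse

# Constructed value: the host that is allowed to call the Ajax page
SITE_HOST = "example.com"


def naive_same_site(referer, site_host=SITE_HOST):
    """The post's check: reject only if the Referer is missing or does
    not contain the site name anywhere (equivalent to IndexOf == -1)."""
    return bool(referer) and referer.find(site_host) != -1


def strict_same_site(referer, site_host=SITE_HOST):
    """Hardened check: parse the Referer and require the host part to be
    the site itself or one of its subdomains. Scheme, port, path and
    query string are ignored, so they cannot smuggle the site name in."""
    if not referer:
        return False
    host = urlparse(referer).hostname
    if host is None:
        return False
    host = host.lower()
    return host == site_host or host.endswith("." + site_host)


def serve_xml(referer):
    """What the Ajax page would do: return the XML body only when the
    strict check passes, otherwise an empty body (the 'blank page')."""
    if not strict_same_site(referer):
        return ""
    return "<movies><movie>constructed sample row</movie></movies>"
```

Browsers and proxies may strip the Referer, so genuine users can also receive the blank page; treat this as defence in depth, not as authentication for the data.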

1 comment:

Anonymous said...

This is a good starting point. Thanks