Let's face it, Ajax is inevitable.. but be careful with your Ajax pages, or you might have your database scraped through them.
As a proof of concept you can access
http://www.rodrigodiniz.qsh.eu/Gridhandler.ashx
and you will get all the data in my movies table as an XML document. Nothing about the request is checked: the handler serves whoever asks for it, whether or not they came from my page.
Since the data is bogus I don't mind about that... but what if it was real application data?
The simple solution, if the handler is used only by one page of the site (my case), is to run this check before writing the XML:
// Host name this handler is being served under, and the Referer the browser sent.
string strSite = context.Request.ServerVariables["SERVER_NAME"];
string strPost = context.Request.ServerVariables["HTTP_REFERER"];
Uri referer;
// Reject the request when there is no Referer, when it is not a valid absolute URL,
// or when its host is not this site. Comparing the parsed host (instead of searching
// for the site name anywhere in the string) stops a Referer such as
// http://evil.example/?www.mysite from slipping through.
if (string.IsNullOrEmpty(strPost)
    || !Uri.TryCreate(strPost, UriKind.Absolute, out referer)
    || !string.Equals(referer.Host, strSite, StringComparison.OrdinalIgnoreCase))
{
    // Stop here, before any XML is written, so the caller gets an empty response.
    context.Response.End();
}
That way, someone who types the handler's URL into the address bar, or pulls it from a page on another site, gets a blank page instead of the data. Keep in mind that the Referer header is supplied by the client: a browser fills it in honestly, but a script (curl, a bot) can set it to anything, so this check keeps out casual visitors and cross-site pages, not a determined attacker. If the data is worth protecting, the handler needs the same authentication and authorization checks as the page that calls it.
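To make the strength of the check concrete, here is an added example (mine, not the post's ASP.NET code) that models the handler in Python and runs it against four constructed requests: a direct visit with no Referer, the site's own page, a hostile page whose Referer merely contains the site name in its query string, and a script that forges the header outright. The host name and the XML body are assumed stand-in values; the two check functions correspond to the substring test from the original post and the parsed-host comparison.

```python
from urllib.parse import urlsplit

# Assumed host the handler is served from (stands in for SERVER_NAME).
SITE_HOST = "www.rodrigodiniz.qsh.eu"


def referer_allows_substring(referer, site_host=SITE_HOST):
    """The post's original test: reject if the Referer is absent or does not
    contain the site name anywhere in the string."""
    if not referer:
        return False
    return site_host in referer


def referer_allows_host(referer, site_host=SITE_HOST):
    """Stricter test: parse the Referer as a URL and compare only its host,
    case-insensitively, so a path or query string cannot smuggle the name in."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:  # urlsplit rejects some malformed inputs (e.g. bad IPv6 brackets)
        return False
    host = (parts.hostname or "").lower()
    return host == site_host.lower()


def handle(headers, check=referer_allows_host):
    """Model of Gridhandler.ashx: headers is a dict of request headers.
    Returns the XML body when the check passes and an empty body otherwise,
    mirroring Response.End() being called before any XML is written."""
    referer = headers.get("Referer")
    if not check(referer):
        return ""
    # Constructed stand-in for the movies table export.
    return '<movies><movie id="1">sample</movie></movies>'


# Constructed requests covering the cases that matter.
REQUESTS = {
    # URL typed straight into the browser: no Referer at all
    "direct": {},
    # the grid page on the same site fetching its data
    "same_site": {"Referer": "http://www.rodrigodiniz.qsh.eu/movies.aspx"},
    # a hostile page that plants the site name in its own query string
    "evil_with_name_in_query": {"Referer": "http://evil.example/?www.rodrigodiniz.qsh.eu"},
    # a script (curl, a bot) that simply forges the header
    "forged": {"Referer": "http://www.rodrigodiniz.qsh.eu/"},
}


def results(check):
    """Map each constructed request to whether the handler released the data."""
    return {name: handle(h, check) != "" for name, h in REQUESTS.items()}


if __name__ == "__main__":
    for name, check in (("substring", referer_allows_substring), ("host", referer_allows_host)):
        print(name, results(check))
```

Running it shows the substring test letting the "evil_with_name_in_query" request through while the host comparison blocks it; the "forged" request passes both, which is the point of the caveat above: a Referer check filters browsers, not attackers.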
1 comment:
This is a good starting point. Thanks