2010-12-30, 02:06 AM
Hi,
I have a PHP page I'm calling from AJAX that returns various information about my myBB system, and also writes a record to a table. I have a few questions about security:
1. Without getting into the specifics of what I am doing and why, is passing every variable I am using to access the myBB database through the myBB function:
$db->escape_string
enough to ensure my PHP calls are invulnerable to SQL injection attack?
2. I also have a system I found that will give me a measure of protection from script hijacking, that looks decent: http://www.informit.com/articles/article...4&seqNum=2
It involves writing a secure cookie containing a random password (using PHP) from the same MyBB template that loads my JavaScript, and checking my jQuery AJAX requests against that.
Does that sound right?
3. I am not doing any kind of mashup or any cross site scripting other than to include jquery from https://ajax.googleapis.com/ajax/libs/jq...ery.min.js ... so I should be fine there?
4. Most of the information I used came from a paper about JavaScript hijacking I found at http://ajax.sys-con.com/node/747965?page=0,0
There they summarize:
Quote:we recommend that all programs that communicate using JavaScript take the following defensive measures:
a. Include a hard-to-guess identifier, such as the session identifier, as part of each request that will return JavaScript. This defeats cross-site request forgery attacks by allowing the server to validate the origin of the request.
b. Include characters in the response that prevent it from being successfully handed off to a JavaScript interpreter without modification. This prevents an attacker from using a <script> tag to witness the execution of the JavaScript.
I think I have a.) covered in my Q 2, above. But what about this second issue, b.) - what do they mean by that?
At the beginning of the description of that issue, highlighted in the paper, the authors state:
Quote:To make it impossible for a malicious site to execute a response that includes JavaScript, the legitimate client application can take advantage of the fact that it is allowed to modify the data it receives before executing it, while a malicious application can only execute it using a <script> tag.
I don't quite follow that last clause - what does it mean that a "malicious application can only execute it using a <script> tag"?
Because my PHP functions do not return any JavaScript to AJAX - my PHP responses do include JavaScript - do I have to be concerned with this type of attack, or am I misunderstanding what they are getting at?
5. What other vulnerabilities might I be susceptible to by using AJAX specifically with respect to myBB?
---------------
Thanks for any help here - I hope I have made these questions clear enough.
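On question 1, the short answer is that escape_string only protects a value that ends up inside a quoted SQL string literal. The following is an added example, not code from the post above or from MyBB; the DemoDB class is a stand-in for the MyBB $db object so the file runs without a database (MyBB's real escape_string wraps the MySQL client's escaping function), and the three attacker-controlled values are constructed sample input.

```php
<?php
// Added example: why $db->escape_string is only sufficient inside a quoted string.
// DemoDB stands in for MyBB's $db object (assumption for illustration only).
class DemoDB
{
    public function escape_string($s)
    {
        // Escape quotes, backslashes, NUL and line breaks the way the MySQL client does.
        return strtr($s, array(
            "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
            "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
        ));
    }
}
$db = new DemoDB();

// Constructed attacker-controlled values, as they might arrive in $_POST.
$uid   = "1 OR 1=1";            // meant to be a numeric user id
$order = "uid; DROP TABLE x";   // meant to be a column name for ORDER BY
$name  = "o'brien";             // a legitimate username containing a quote

// VULNERABLE: no quotes around the value, so escaping changes nothing.
$unsafe = "SELECT uid FROM mybb_users WHERE uid=" . $db->escape_string($uid);
// -> SELECT uid FROM mybb_users WHERE uid=1 OR 1=1      (matches every user)

// HARDENED: force the type instead of escaping; "1 OR 1=1" becomes 1.
$safe = "SELECT uid FROM mybb_users WHERE uid=" . (int)$uid;
// -> SELECT uid FROM mybb_users WHERE uid=1

// Identifiers (column names, ORDER BY targets) cannot be escaped at all:
// compare against a fixed whitelist and fall back to a known-good default.
$allowed = array('uid', 'username', 'regdate');
$sort    = in_array($order, $allowed, true) ? $order : 'uid';
$sorted  = "SELECT uid FROM mybb_users ORDER BY " . $sort;
// -> SELECT uid FROM mybb_users ORDER BY uid

// Quoted string context: this is the case escape_string is designed for.
$quoted = "SELECT uid FROM mybb_users WHERE username='" . $db->escape_string($name) . "'";
// -> SELECT uid FROM mybb_users WHERE username='o\'brien'

foreach (array($unsafe, $safe, $sorted, $quoted) as $q) {
    echo $q, "\n";
}
```

The rule of thumb that falls out of this: escape values that sit between quotes, cast values that are numbers, and whitelist anything that is part of the SQL structure itself (table and column names, sort direction, LIMIT). A value placed inside a LIKE pattern also still carries the % and _ wildcards after escape_string and needs those handled separately.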
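On questions 2 and 4b together: the clause you are asking about means that a hostile page can only get your endpoint's response executed by pointing a <script src="..."> at it, and a <script> tag hands the raw body straight to the JavaScript interpreter with no chance to edit it first. Your own page fetches the same URL with XMLHttpRequest, receives the body as text, and can strip a deliberately unparseable prefix before calling JSON.parse. The example below is added here and is not code from the post or from MyBB; both halves are shown in one file for readability, although the first half runs in the page that loads your jQuery code (before any HTML is output, since setcookie needs that) and the second half is the separate PHP page the AJAX calls hit. The cookie and header names, the token scheme and the sample payload are assumptions made for this illustration.

```php
<?php
// Added example (not from the original post or from MyBB): double-submit
// CSRF token plus the "unparseable prefix" from the paper's recommendation (b).
// Names ajax_token / X-Ajax-Token and the payload are assumptions.

// ---- Half 1: page side. Must run before any HTML is sent. ----
function emit_ajax_bootstrap()
{
    // Random per-page token. A third-party page can neither read this value
    // nor attach it as a request header; that, not the cookie itself, blocks CSRF.
    $token = bin2hex(openssl_random_pseudo_bytes(16));
    setcookie('ajax_token', $token, 0, '/', '', false, true); // HttpOnly; add the secure flag on HTTPS

    $js_token = json_encode($token);
    echo <<<HTML
<script type="text/javascript">
jQuery.ajaxSetup({
    // Double-submit: the same token travels as a custom header on every XHR.
    beforeSend: function (xhr) { xhr.setRequestHeader('X-Ajax-Token', {$js_token}); },
    // Recommendation (b): our own code removes the prefix before jQuery parses the JSON.
    dataFilter: function (raw, type) {
        var prefix = ")]}',\\n";
        return raw.indexOf(prefix) === 0 ? raw.slice(prefix.length) : raw;
    }
});
</script>
HTML;
}

// ---- Half 2: the AJAX endpoint. ----
function verify_ajax_request(array $cookie, array $server)
{
    // A cross-site <form> post or <script src> carries the victim's cookie but
    // cannot add X-Ajax-Token, so the two values only match for our own XHR.
    if (empty($cookie['ajax_token']) || empty($server['HTTP_X_AJAX_TOKEN'])) {
        return false;
    }
    return $cookie['ajax_token'] === $server['HTTP_X_AJAX_TOKEN'];
}

function send_json_response(array $data)
{
    header('Content-Type: application/json; charset=utf-8');
    // If a hostile page loads this URL via <script src=...>, the browser tries to
    // run the body as JavaScript. ")]}'," is a syntax error there, so nothing
    // executes; the dataFilter above strips it before JSON.parse ever sees it.
    echo ")]}',\n", json_encode($data);
}

if (php_sapi_name() !== 'cli') {
    if (!verify_ajax_request($_COOKIE, $_SERVER)) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    send_json_response(array('status' => 'ok', 'newposts' => 3)); // constructed payload
}
```

Two practical notes. First, the prefix only matters for responses a browser would accept as JavaScript, which in 2010-era browsers includes a bare JSON array; the check costs nothing, so it is simplest to apply it to every response from the endpoint rather than reasoning about which ones contain an array. Second, MyBB already carries a per-session anti-CSRF value ($mybb->post_code, checked with verify_post_check()), so if your endpoint runs inside MyBB's global.php you can send and verify that instead of inventing a second token.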