Question regarding Ajax Hacking

Posted by Vincent on Stack Overflow See other posts from Stack Overflow or by Vincent
Published on 2010-06-15T19:01:46Z Indexed on 2010/06/15 19:12 UTC
Read the original article Hit count: 260

Filed under:
|
|
|
|

All,

I have a PHP website written in Zend Framework and MVC. Most of the controller actions check if the request is an Ajax request or not, else they redirect the user to home page. I am thinking about various ways to break that site. I am considering the following scenario:

  1. A user creates his own PHP project on his Local machine.
  2. User writes a JQuery ajax post request to one of the controllers on my site and tries to post malicious info. Ex:

    $.ajax({
        type: 'POST',
        url: "https://marketsite/getinfo/getstuff",
        cache: false,
        dataType: "html",
        success: function(html_response){
            alert(html_response);
        },
        error: function(xhr,ajaxOptions,errorThrown){
            alert(errorThrown);
        }
    });
    

My Question is does "url" attribute in the ajax request above take absolute path? I know it takes relative path. Also, is it possible to break any site by sending such requests?

Thanks

© Stack Overflow or respective owner

Related posts about php

Related posts about AJAX