
Questions tagged [ajax]

AJAX (Asynchronous JavaScript and XML) is a popular technique for creating interactive websites, by providing a concept for data exchange between client and server asynchronously.

0 votes
0 answers
974 views

How can this JSON object be exploitable?

I was reading this documentation https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html#server-side One of the security recommendations is - Always return JSON with an Object on ...
janu agrawal
1 vote
0 answers
196 views

Re-populate form with JSON data

I re-populate a form with JSON data via javascript (all data has the same origin server) 1 When the page loads, make a request post ajax 2 The response Ajax is a: Object { primary_ns: {…}, secondary_ns: {…...
The nothing
0 votes
1 answer
210 views

Is the authentication system of this website secure enough?

Since I write an API for a website, I'm interested in its login system and its requests, but something bothered me: I have the impression that the security system is weak... When I log in, I send POST ...
0 votes
1 answer
1k views

Secure ajax login form

When the client is logging in, I send an xhr request to the server. However the request looks like this: localhost:80/api/login-ajax/&username=johndoe&password=123456 This is insecure for ...
Star
  • 3
0 votes
1 answer
218 views

Reverse-proxy issues

I am trying to create a reverse-proxy web application using Flask. I don't really know whether to call it a reverse-proxy or not, but my idea is that the web app gets a URL from ../proxy/<URL>, ...
imxitiz
  • 101
1 vote
2 answers
383 views

Is it insecure for the user to know the process id of a background script on my web server?

I was experiencing an issue on one of my webpages, where an AJAX call is made to another script on the server to generate some files for download. Depending on things like server load, number of files ...
murchu27
  • 113
0 votes
0 answers
827 views

JWT refresh tokens and Double Submit Cookies

I am struggling to implement JWT refresh tokens with the Double Submit Cookies method. My current setup for a browser-based webapp without refresh tokens looks like this: Upon successful login, API ...
Milambardo
0 votes
1 answer
906 views

Sharing oauth2 token with AJAX request to be sent to resource server

I am a little confused on how the token is shared from the client to an AJAX script to the resource server in the oauth2 flow. To explain the scenario I am trying to set up, I have a client (http://...
user134909
2 votes
3 answers
350 views

Stop User Enumeration requests on AJAX endpoints

I have an ecommerce website with a customer database of over 5 million. For the past couple of days, a hacker has probably been hitting an AJAX endpoint continuously. This endpoint takes an email address as a ...
Abhinav
  • 189
0 votes
0 answers
535 views

XSS via Ajax request?

I'm currently honing in on my web exploitation skills and came across this JavaScript function here: Event.observe(window, 'load', function() { new Ajax.Request('/dir/dir', { method: 'post',...
flowermia
  • 101
0 votes
1 answer
158 views

How To Validate Secure Traffic from Chrome with Element To Matrix.org on Linux

Are you familiar with the Element chat system of https://app.element.io ? Are you familiar with its connections to Matrix.org (for a free account)? Is there a way that I can sniff this traffic on the ...
Volomike
  • 295
1 vote
2 answers
1k views

Regenerating CSRF token in AJAX requests

I would like to create a new token for each request and would like to use the following template- <script> var current_token=<?php echo $_SESSION['csrf_token']; ?> $....
user2288650
0 votes
1 answer
6k views

How to prevent Cross-site Scripting in ajax response

I have a page (parent.php) from where I am calling another page (result.php) through jQuery ajax that is returning a response in HTML format. This response is shown on the parent.php page in a div. ...
ujjawal
2 votes
1 answer
2k views

Can somebody explain why the IP address 192.168.1.1 is apparently "special" and not following the CORS rules?

I asked this question: What would happen if some random webpage made an Ajax request for http://127.0.0.1/private.txt? The answers/comments confuse me. Am I right in interpreting them like this? "...
confuzed
2 votes
1 answer
476 views

Does the HTML password field include any protection against XHR/AJAX exfiltration?

In HTML, when we describe a certain field as a password field, is it somehow secured against sending out the data via XHR/AJAX/similar technologies? This is relevant in case we have to deal with script ...
Sir Muffington
