AJAX - The Complete Reference


328 Part II: Developing an Ajax Library


badguy.ajaxref.com. A referrer check could be added at the bank site to address this, so that any request that does not include the appropriate Referer header value is denied. You can observe this solution working at http://ajaxref.com/ch7/jsonreferer.php. Many people are quick to dismiss the Referer check, given that request headers can be forged, but in this particular case the critics are incorrect. For the CSRF attack to work, the user's browser must make the request on the hacker's behalf using a simple <script> tag, and there is no way to alter the request headers with such a scheme. You might then ask, what about bouncing the request off the hacker's site, which then adds the header? That won't work either, because the credentials that are the heart of the CSRF attack would not be passed along. You might then wonder about using the XHR object itself, since it can set request headers, but that fails too, as it can't break the same-origin policy. Referer checks are a perfectly good solution to some problems and shouldn't be dismissed out of habit.
For even tighter security, to ensure that operations are carried out in the context of a particular session, a method called the double cookie check can be employed. The idea is that the value of an issued cookie is also buried in a hidden form field that is sent up with the request. While an intruder could cause a request carrying the cookie to be submitted to the server, they would not be able to read the cookie from the remote domain to add its value to the request, so the server would not see the copied token and would reject the request. A few server-side libraries have already added integrity checks like this to improve security, but some of the previous solutions, particularly in combination, might give nearly all, or even the same, protection without as much added complexity. Note, however, that this approach is quite similar to that of the next topic.

Ajax Payload Protection


The payload, whether it is the request or the response, is your precious cargo, and you need to do your best to make sure that it reaches its destination without tampering. Adding some form of application-level data integrity check to requests and responses can go a long way toward making transmission more trustworthy, independently of SSL encryption.
The first idea we present is request signatures. In this case, a signature is given to the client; ideally, it is written dynamically into the page like so:

var signature = '862f011de97d4f493c3a11c589a996ee';

Better yet, it is provided in a cookie. The request is then made and the signature is sent up with it. We modify the library to support a signRequest option for this purpose.

var options = { method : "GET",
                payload : payload,
                signRequest : signature,
                outputTarget : "responseOutput" };
AjaxTCR.comm.sendRequest("http://ajaxref.com/ch7/signaturecheck.php", options);

In the library, we have defined a default header to hold the signature. Its purpose is fairly obvious from the name used here, however, and you may prefer to make it look less conspicuous.

DEFAULT_REQUEST_SIGNATURE : "X-Signature";

request.requestSignature = AjaxTCR.comm.DEFAULT_REQUEST_SIGNATURE;