> So the general question is whether there was some industry standard
> for ensuring requests to an AJAX post page really do come from an
> AJAX caller.
There is a de facto standard for *claiming* requests have come from a framework's XMLHttpRequest wrapper: the X-Requested-With header. Like all headers, it can be crafted at will, and users with malice and skill do not use honest HTTP clients. But the complete absence of XRW in a supposedly AJAX request is certainly worthy of suspicion. Even if a sophisticated attacker wouldn't make this mistake, it's worth tracking nonetheless.

At any rate, I'd advise that you send back real HTTP-level errors whenever your back end suspects request tampering/handcrafting. Hopefully you do/will have an IPS in place that can look for xxx of these errors in yyy minutes and block TCP connections accordingly. If you just send back polite "bad parameter" pages with a 200 OK, you can't keep track when occasional accidents/experiments turn into longer attacks that you'll want to back off.

-- S.
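The two pieces of advice in the reply above (answer a missing X-Requested-With with a real HTTP error, then count those errors per client over a time window) as an added, self-contained Python example. This is illustration code, not something posted in the thread: the function names, the `<timestamp> <client-ip> <status>` log format and the sample log lines are all constructed assumptions.

```python
"""Added example (not from the original thread): reject POSTs that lack the
X-Requested-With header with a 403, and flag clients that rack up too many
4xx responses inside a sliding time window from constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime

# Header sent by most JavaScript frameworks' XMLHttpRequest wrappers.
# Header names are compared case-insensitively, as HTTP requires.
AJAX_HEADER = "x-requested-with"
AJAX_VALUE = "XMLHttpRequest"


def check_ajax_request(headers):
    """Return the HTTP status an AJAX-only endpoint should answer with.

    headers: mapping of header name -> value.
    A missing or mismatched X-Requested-With is treated as suspected
    handcrafting and answered with a real 403, not a polite 200 page,
    so that downstream log analysis can see and count it.
    """
    normalized = {name.lower(): value for name, value in headers.items()}
    if normalized.get(AJAX_HEADER) != AJAX_VALUE:
        return 403
    return 200


def parse_log_line(line):
    """Parse one constructed log line: '<iso-timestamp> <client-ip> <status>'."""
    timestamp, client_ip, status = line.split()
    return datetime.fromisoformat(timestamp), client_ip, int(status)


def clients_over_threshold(lines, max_errors, window_seconds):
    """Return the set of client IPs that produced more than max_errors
    4xx responses within any sliding window of window_seconds.

    This mirrors the "xxx errors in yyy minutes" rule from the reply.
    Lines are assumed to be in chronological order, as a log file is.
    """
    recent = defaultdict(deque)  # client_ip -> timestamps of recent 4xx hits
    flagged = set()
    for line in lines:
        ts, client_ip, status = parse_log_line(line)
        if not 400 <= status < 500:
            continue  # only real error responses count
        hits = recent[client_ip]
        hits.append(ts)
        # Drop hits that have fallen out of the window.
        while hits and (ts - hits[0]).total_seconds() > window_seconds:
            hits.popleft()
        if len(hits) > max_errors:
            flagged.add(client_ip)
    return flagged


# Constructed sample log: one client probing repeatedly, another with a
# single accident. Addresses are from documentation ranges.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 203.0.113.5 403",
    "2024-01-01T10:00:10 203.0.113.5 403",
    "2024-01-01T10:00:20 198.51.100.7 403",
    "2024-01-01T10:00:30 203.0.113.5 403",
    "2024-01-01T10:00:40 203.0.113.5 403",
    "2024-01-01T10:10:00 203.0.113.5 200",
]

if __name__ == "__main__":
    print(check_ajax_request({"X-Requested-With": "XMLHttpRequest"}))  # 200
    print(check_ajax_request({"Content-Type": "application/json"}))    # 403
    # Flags 203.0.113.5: four 403s within 40 seconds, over the limit of three.
    print(clients_over_threshold(SAMPLE_LOG, max_errors=3, window_seconds=300))
```

As the reply says, the header check is a heuristic against careless handcrafting rather than a hard control, since any client can set X-Requested-With; the value of the check is in answering with a status code that an IPS or log pipeline can count. The counting loop keeps only the timestamps still inside the window, so memory stays bounded per client regardless of log length.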
