RE: Preventing use of remote method by other sites
> I doubt anyone's going to care to mess with it

This assumption all depends on the average age of the visitors to the website and the possible gain there is in messing with it. In my experience, the lower the age of the visitors, the less actual gain is needed to inspire them to mess with it. We run several video game based websites where the average age of visitors is 14-18 years of age, and they will mess with anything and everything for no apparent reason. I have even placed dummy ajax pages online that actually do nothing to the site data, and they will spend hours, days and sometimes weeks submitting data to them just to see what they will do.

Assume that it will be messed with and evaluate the need to keep the data correct against the cost to make it so.

Dennis Powers
UXB Internet - A Website Design Hosting Company
P.O. Box 6028
Wolcott, CT 06716
203-879-2844
http://www.uxbinternet.com

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336423
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Preventing use of remote method by other sites
I'm with Ray here, glad to see I'm not the only one that thinks like that. Just because it's unlikely doesn't mean you shouldn't protect yourself against unlikely attacks.

It's pretty much impossible to protect a remote method from being called by anyone who wants to call it. If they're trying to call it directly, and they've got a little time on their hands, they can bypass a lot of the suggested methods of protection quite easily.

If you've got a CFC method with remote access, and it doesn't require authentication, then you have to ask yourself "What could someone do with this that I might not want them to?" Even if it requires that the user be authenticated, a malicious user could hit your site with a browser, authenticate, then grab the cookie information and write a script to duplicate that cookie information and browser agent and everything, and you'd have ZERO clue he was doing it via cfhttp or perl or whatever.

There are all kinds of ways to take it one step further of course, but if you're ticketmaster or facebook, then hackers are going to spend time and resources figuring out how to get ahead of you for even a minute.

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336424
Re: Preventing use of remote method by other sites
and there lies the problem... many people will believe that this is a secure method of preventing access to something. All it does is make it more difficult; it certainly doesn't make it secure. I'm not going to elaborate on how this can be bypassed, as several previous comments have already alluded to this possibility - capturing cookies and using cfhttp etc.

Basically any ajax call should be protected like any other http call; ajax is simply another type of http call, it's not magic.

If your script is using sessions (hence cookies) and you detect something odd going on, I would follow the philosophy of being guilty until proven innocent, i.e. if you suspect something, automatically log that user/session out (ban them) and ask questions later. It goes without saying that you need to log/record all http calls that appear outside a strict set of rules for that cfc/function.

> here's another possibility: If you're using CF9 and the built in AJAX functionality you can use the verifyClient attribute of CFFUNCTION to attach a security token to each request. CF will look for the token; if it doesn't see it, the request will be denied.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336435
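The "record every call that breaks the rules, then log the session out" approach in the post above, as an added example that is not code from the list or from any poster: a Python audit over constructed access-log lines for calls to a remote CFC method. The log layout, the /stats.cfc path, the recordHit method name and the per-minute threshold are all assumptions; the rules it applies are the ones the thread names (the XMLHttpRequest marker, a session cookie) plus a simple burst limit.

```python
"""Audit constructed access-log lines for calls to a remote CFC method that
fall outside a strict rule set, and list the sessions that should be logged
out.  Added example: the log format, path and method name are assumptions,
not anything the list post describes."""
from collections import Counter, defaultdict

# Assumed location of the remote method under discussion (placeholders).
PROTECTED_PATH = "/stats.cfc"
PROTECTED_METHOD = "recordHit"

# Constructed log lines (not from a real server). Assumed layout:
# timestamp | session id or '-' | client ip | path?query | X-Requested-With or '-' | user agent
_BURST = "\n".join(
    f"2010-08-16T11:31:{sec:02d}|sess-c|10.0.0.7|/stats.cfc?method=recordHit|XMLHttpRequest|Mozilla/5.0"
    for sec in range(8)
)
SAMPLE_LOG = """\
2010-08-16T11:30:01|sess-a|10.0.0.5|/stats.cfc?method=recordHit|XMLHttpRequest|Mozilla/5.0
2010-08-16T11:30:03|sess-a|10.0.0.5|/stats.cfc?method=recordHit|XMLHttpRequest|Mozilla/5.0
2010-08-16T11:30:04|sess-b|10.0.0.9|/stats.cfc?method=recordHit|-|Mozilla/5.0
2010-08-16T11:30:05|-|10.0.0.12|/stats.cfc?method=recordHit|XMLHttpRequest|ColdFusion
2010-08-16T11:30:07|sess-b|10.0.0.9|/index.cfm|-|Mozilla/5.0
""" + _BURST + "\n"


def parse_line(line):
    """Split one log line into a record; the split is capped so a user agent
    that itself contains '|' stays intact in the last field."""
    ts, session, ip, path, xrw, agent = line.split("|", 5)
    return {"ts": ts, "session": session, "ip": ip, "path": path, "xrw": xrw, "agent": agent}


def is_protected(rec):
    """True when the line is a call to the remote method we are auditing."""
    path, _, query = rec["path"].partition("?")
    return path == PROTECTED_PATH and f"method={PROTECTED_METHOD}" in query.split("&")


def check_request(rec):
    """Per-request rules: must look like an XHR and must carry a session."""
    reasons = []
    if rec["xrw"] != "XMLHttpRequest":
        reasons.append("missing X-Requested-With")
    if rec["session"] == "-":
        reasons.append("no session cookie")
    return reasons


def subject(rec):
    """Key offenders by session when there is one, otherwise by client IP."""
    return rec["session"] if rec["session"] != "-" else "ip:" + rec["ip"]


def audit(log_text, max_per_minute=5):
    """Return {subject: set(reasons)} for every call that broke a rule,
    including subjects that exceeded max_per_minute calls in one minute."""
    flagged = defaultdict(set)
    per_minute = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_protected(rec):
            continue
        who = subject(rec)
        for reason in check_request(rec):
            flagged[who].add(reason)
        bucket = (who, rec["ts"][:16])  # YYYY-MM-DDTHH:MM -> one-minute bucket
        per_minute[bucket] += 1
        if per_minute[bucket] > max_per_minute:
            flagged[who].add("rate limit exceeded")
    return dict(flagged)


def sessions_to_terminate(flagged):
    """Sessions (not bare IPs) to log out, per the 'guilty until proven innocent' rule."""
    return sorted(who for who in flagged if not who.startswith("ip:"))


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for who, reasons in sorted(result.items()):
        print(who, sorted(reasons))
    print("log out:", sessions_to_terminate(result))
```

Run against the constructed sample, sess-a passes every rule, sess-b is flagged for a call without the XMLHttpRequest marker, the unauthenticated caller is keyed by IP because there is no session to terminate, and sess-c is flagged purely on volume even though each of its calls looked well-formed, which is the case Dennis describes of visitors hammering an endpoint for no gain.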
Re: Preventing use of remote method by other sites
Don't forget you can easily set those headers yourself. I could setup cfhttp to use that header and hit your resource.

On Fri, Aug 13, 2010 at 3:31 PM, Andy Matthews li...@commadelimited.com wrote:

> Works perfectly Tony. I simplified the conditional tho'
>
>     <cfif StructKeyExists(headers,'X-Requested-With') AND headers['X-Requested-With'] EQ 'XMLHttpRequest'>
>     </cfif>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336296
RE: Preventing use of remote method by other sites
Yes, but would you know TO do that?

andy

-Original Message-
From: Raymond Camden [mailto:rcam...@gmail.com]
Sent: Monday, August 16, 2010 11:30 AM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

> Don't forget you can easily set those headers yourself. I could setup cfhttp to use that header and hit your resource.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336297
Re: Preventing use of remote method by other sites
Sorry - what? Oh - are you asking if I would know to use that vector? If I run your site and see a request made via XHR to foo.cfm, and then I try to run it myself in another tab and get blocked, then yes, I would consider that. And I'm a Script Kiddy Hacker so I assume the real guys would try it too. Shoot - I almost always try the URLs I see in Firebug/Chrome Dev tools. I'm not trying to be malicious of course. Just poking around.

On Mon, Aug 16, 2010 at 11:34 AM, Andy Matthews li...@commadelimited.com wrote:

> Yes, but would you know TO do that?
>
> andy

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336298
RE: Preventing use of remote method by other sites
Right. I know that. Good point though. I suppose I could get our JS guy to also pass in a session id. Then I could compare that with the actual session ID for the user and go from there.

-Original Message-
From: Raymond Camden [mailto:rcam...@gmail.com]
Sent: Monday, August 16, 2010 11:42 AM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

> Sorry - what? Oh - are you asking if I would know to use that vector? If I run your site and see a request made via XHR to foo.cfm, and then I try to run it myself in another tab and get blocked, then yes, I would consider that. And I'm a Script Kiddy Hacker so I assume the real guys would try it too. Shoot - I almost always try the URLs I see in Firebug/Chrome Dev tools. I'm not trying to be malicious of course. Just poking around.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336299
Re: Preventing use of remote method by other sites
Which can also be done via CFHTTP as well. ;) Not trying to be a jerk here - but the fact is, there is no (afaik) 100% way to say that a URL is ajax only.

On Mon, Aug 16, 2010 at 11:51 AM, Andy Matthews li...@commadelimited.com wrote:

> Right. I know that. Good point though. I suppose I could get our JS guy to also pass in a session id. Then I could compare that with the actual session ID for the user and go from there.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336301
RE: Preventing use of remote method by other sites
You're not being a jerk. Those are all good points. I doubt anyone's going to care to mess with it. Even if they do, the most that will happen is that one site's usability stats get inflated.

andy

-Original Message-
From: Raymond Camden [mailto:rcam...@gmail.com]
Sent: Monday, August 16, 2010 12:41 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

> Which can also be done via CFHTTP as well. ;) Not trying to be a jerk here - but the fact is, there is no (afaik) 100% way to say that a URL is ajax only.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336303
Re: Preventing use of remote method by other sites
Hi,

I would instantiate a session variable on begin of calling page, add it to the parameters when calling the function, and then just check in the remote function if the one given via parameter matches the one from session scope.

Regards,
Stephan

> I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results.
>
> I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information.
>
> Anyone have ideas?
>
> andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336261
Re: Preventing use of remote method by other sites
I use a cfc that checks to see if the method being called is from within the domain, is indeed ajax and that the method is indeed accessed remotely, otherwise abort the request. If you are doing cross site requests, pass a unique key in your form.

Is it ajax?

    <cffunction name="isAjax" access="private" returntype="boolean" output="false">
        <!--- all of the user management requests are going to come via ajax within the domain.
              if a request is not from this site and not ajax, abort the request.
              run this check on any of the remote methods --->
        <cfscript>
            requestHeaders = getHTTPRequestData().headers;
            if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
                return false;
            } else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
                return false;
            } else {
                return true;
            }
        </cfscript>
    </cffunction>

Called on init:

    <cfparam name="url.method" default="">
    <cfscript>
        accessRemote = false;
        cfcname = getMetadata(this);
        for (i = 1; i lte arrayLen(cfcname.FUNCTIONS); i++) {
            fname = cfcname.FUNCTIONS[i];
            if (fname.name eq url.method and fname.access eq "remote") {
                accessRemote = true;
                break;
            }
        }
        if (not isAjax() and not accessRemote) {
            abort(); // this is a simple cfabort function for MX
        }
    </cfscript>

On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews li...@commadelimited.com wrote:

> I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results.
>
> I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information.
>
> Anyone have ideas?
>
> andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336268
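Tony's header check above and Stephan's session-scope token (mint it when the calling page is rendered, pass it back as a parameter, compare in the remote method), combined into one request gate. This is an added example in Python, not code from the list or from either poster; the request and session dicts, the "ajaxToken" session key, the "token" parameter name and the scenario names are assumptions. It also shows the point Ray makes later in the thread: a caller that copies the X-Requested-With header but has no session-bound token is still refused.

```python
"""Gate a remote method on (a) the XMLHttpRequest marker and (b) a token that
was minted into session scope when the calling page was rendered and passed
back as a parameter.  Added example; the request/session dicts, the parameter
name 'token' and the scenario names are assumptions, not the list's code."""
import hmac
import secrets

AJAX_HEADER = "X-Requested-With"
TOKEN_PARAM = "token"  # assumed name of the extra parameter the page sends


def begin_page(session):
    """Run when the calling page is rendered: mint a per-session token and
    keep it in session scope so the remote method can check it later."""
    session["ajaxToken"] = secrets.token_hex(16)
    return session["ajaxToken"]


def is_ajax(headers):
    """Header names are case-insensitive; the value is what a browser's XHR sends.
    Any HTTP client can set this, so on its own it proves nothing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(AJAX_HEADER.lower()) == "XMLHttpRequest"


def gate(request, session):
    """Return (allowed, reason). `request` has 'headers' and 'params' dicts;
    `session` is the caller's server-side session scope."""
    if not is_ajax(request["headers"]):
        return False, "not an XMLHttpRequest"
    expected = session.get("ajaxToken")
    supplied = request["params"].get(TOKEN_PARAM, "")
    # Constant-time comparison; the token is bound to this session only.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "token mismatch"
    return True, "ok"


def scenarios():
    """Exercise the gate with constructed requests; returns {name: (allowed, reason)}."""
    session = {}
    token = begin_page(session)
    other_session = {}
    other_token = begin_page(other_session)
    xhr = {AJAX_HEADER: "XMLHttpRequest"}
    return {
        # The page's own XHR: header plus the token it was handed.
        "legit_xhr": gate({"headers": xhr, "params": {TOKEN_PARAM: token}}, session),
        # A cfhttp-style caller that copied the header but has no token.
        "forged_header_only": gate({"headers": xhr, "params": {}}, session),
        # Token present but sent from a plain (non-XHR) request.
        "token_without_header": gate({"headers": {}, "params": {TOKEN_PARAM: token}}, session),
        # A token that belongs to somebody else's session.
        "other_sessions_token": gate({"headers": xhr, "params": {TOKEN_PARAM: other_token}}, session),
        # Session never rendered the calling page, so there is no token to match.
        "no_token_in_session": gate({"headers": xhr, "params": {TOKEN_PARAM: token}}, {}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

What the token buys is a binding between the call and the session that rendered the page, which is what keeps a third-party site or a blind request to the URL out; the header alone buys nothing, since any client can send it. It does not decide whether the caller is a browser: as Rick and Ray say elsewhere in the thread, a client that has already authenticated and holds both the cookie and the token can replay them from a script, so rate limits and logging on the server side remain the backstop.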
RE: Preventing use of remote method by other sites
Oooh. That's a good idea. Since we're using it for AJAX, then make it so that it can ONLY be used as AJAX, which would prevent other sites from using it because of the cross site scripting. Great idea Tony, thanks!

-Original Message-
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 2:55 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

> I use a cfc that checks to see if the method being called is from within the domain, is indeed ajax and that the method is indeed accessed remotely, otherwise abort the request. If you are doing cross site requests, pass a unique key in your form.
>
> Is it ajax?
>
>     <cffunction name="isAjax" access="private" returntype="boolean" output="false">
>         <!--- all of the user management requests are going to come via ajax within the domain.
>               if a request is not from this site and not ajax, abort the request.
>               run this check on any of the remote methods --->
>         <cfscript>
>             requestHeaders = getHTTPRequestData().headers;
>             if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
>                 return false;
>             } else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
>                 return false;
>             } else {
>                 return true;
>             }
>         </cfscript>
>     </cffunction>
>
> Called on init:
>
>     <cfparam name="url.method" default="">
>     <cfscript>
>         accessRemote = false;
>         cfcname = getMetadata(this);
>         for (i = 1; i lte arrayLen(cfcname.FUNCTIONS); i++) {
>             fname = cfcname.FUNCTIONS[i];
>             if (fname.name eq url.method and fname.access eq "remote") {
>                 accessRemote = true;
>                 break;
>             }
>         }
>         if (not isAjax() and not accessRemote) {
>             abort(); // this is a simple cfabort function for MX
>         }
>     </cfscript>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336269
Re: Preventing use of remote method by other sites
here's another possibility: If you're using CF9 and the built in AJAX functionality you can use the verifyClient attribute of CFFUNCTION to attach a security token to each request. CF will look for the token; if it doesn't see it, the request will be denied.

On Fri, Aug 13, 2010 at 2:17 PM, Andy Matthews li...@commadelimited.com wrote:

> I have a method that I'm exposing remotely. We'll be using AJAX calls to insert usability stats about a new application. I'm working through the code when I realize that since it's remote access, anyone from any site could post to it and skew our results.
>
> I'm wondering what's the best way to prevent access to this URL from any other site, or code. My first thought was to compare the current URL, dev1 for example, to the URL the request was made from, or perhaps the IP address. But I'm not sure how to get that information.
>
> Anyone have ideas?
>
> andy matthews

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336271
RE: Preventing use of remote method by other sites
Works perfectly Tony. I simplified the conditional tho'

    <cfif StructKeyExists(headers,'X-Requested-With') AND headers['X-Requested-With'] EQ 'XMLHttpRequest'>
    </cfif>

-Original Message-
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 2:55 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

> I use a cfc that checks to see if the method being called is from within the domain, is indeed ajax and that the method is indeed accessed remotely, otherwise abort the request. If you are doing cross site requests, pass a unique key in your form.
>
> Is it ajax?
>
>     <cffunction name="isAjax" access="private" returntype="boolean" output="false">
>         <!--- all of the user management requests are going to come via ajax within the domain.
>               if a request is not from this site and not ajax, abort the request.
>               run this check on any of the remote methods --->
>         <cfscript>
>             requestHeaders = getHTTPRequestData().headers;
>             if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
>                 return false;
>             } else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
>                 return false;
>             } else {
>                 return true;
>             }
>         </cfscript>
>     </cffunction>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336273
Re: Preventing use of remote method by other sites
Any time! Keep in mind that anyone can call your method with Ajax so you still need to verify the request (localhost or otherwise)

On Fri, Aug 13, 2010 at 1:17 PM, Andy Matthews li...@commadelimited.com wrote:

> Oooh. That's a good idea. Since we're using it for AJAX, then make it so that it can ONLY be used as AJAX, which would prevent other sites from using it because of the cross site scripting. Great idea Tony, thanks!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336274
RE: Preventing use of remote method by other sites
But crossdomain policies would prevent it from being accessed via AJAX right?

andy

-Original Message-
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 3:33 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

> Any time! Keep in mind that anyone can call your method with Ajax so you still need to verify the request (localhost or otherwise)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336277
Re: Preventing use of remote method by other sites
Yes you are right. I just wasn't sure if you were building an API or something that would require public access.

On Fri, Aug 13, 2010 at 1:48 PM, Andy Matthews li...@commadelimited.com wrote:

> But crossdomain policies would prevent it from being accessed via AJAX right?
>
> andy

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336279
RE: Preventing use of remote method by other sites
Okay. Phew. This is a single CFC available on our site.

andy

-Original Message-
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 4:17 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

Yes you are right. I just wasn't sure if you were building an API or something that would require public access.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336280
