RE: Preventing use of remote method by other sites

2010-08-19 Thread UXB Internet

 I doubt anyone's going to care to mess with it

This assumption all depends on the average age of the visitors to the
website and the possible gain there is in messing with it.  In my experience
the lower the age of the visitors the less actual gain is needed to inspire
them to mess with it.   We run several video game based websites where the
average age of visitors is 14-18 years of age and they will mess with
anything and everything for no apparent reason.  I have even placed dummy
ajax pages online that actually do nothing to the site data and they will
spend hours, days and sometimes weeks submitting data to them just to see
what they will do.

Assume that it will be messed with and evaluate the need to keep the data
correct with the cost to make it so.


Dennis Powers
UXB Internet - A Website Design & Hosting Company
P.O. Box 6028
Wolcott, CT 06716
203-879-2844
http://www.uxbinternet.com





~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336423
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Preventing use of remote method by other sites

2010-08-19 Thread Rick Root

I'm with Ray here, glad to see I'm not the only one that thinks like that.

Just because it's unlikely doesn't mean you shouldn't protect yourself
against unlikely attacks.

It's pretty much impossible to protect a remote method from being
called by anyone who wants to call it.  If they're trying to call it
directly, and they've got a little time on their hands, they can
bypass a lot of the suggested methods of protection quite easily.

If you've got a CFC method with remote access, and it doesn't require
authentication, then you have to ask yourself "What could someone do
with this that I might not want them to?"  Even if it requires that
the user be authenticated, a malicious user could hit your site with a
browser, authenticate, then grab the cookie information and write a
script to duplicate that cookie information and browser agent and
everything, and you'd have ZERO clue he was doing it via cfhttp or
perl or whatever.

There are all kinds of ways to take it one step further of course,
but if you're ticketmaster or facebook, then hackers are going to
spend time and resources figuring out how to get ahead of you for even
a minute.

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336424


Re: Preventing use of remote method by other sites

2010-08-19 Thread Andrew Grosset

and there lies the problem... many people will believe that this is a secure 
method of preventing access to something, all it does is make it more 
difficult, it certainly doesn't make it secure. I'm not going to elaborate on 
how this can be bypassed as several previous comments have already alluded to 
this possibility already - capturing cookies and using cfhttp etc. Basically 
any ajax call should be protected like any other http call, ajax is simply 
another type of http call, it's not magic. If your script is using sessions 
(hence cookies) and you detect something odd going on I would follow the 
philosophy of being guilty until proven innocent, i.e. if you suspect something 
automatically log that user/session out (ban them) and ask questions later. It 
goes without saying that you need to log/record all http calls that appear 
outside a strict set of rules for that cfc/function.

here's another possibility: If you're using CF9 and the built in AJAX
functionality you can use the verifyClient attribute of CFFUNCTION
to attach a security token to each request. CF will look for the
token; if it doesn't see it, the request will be denied.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336435


Re: Preventing use of remote method by other sites

2010-08-16 Thread Raymond Camden

Don't forget you can easily set those headers yourself. I could setup
cfhttp to use that header and hit your resource.


On Fri, Aug 13, 2010 at 3:31 PM, Andy Matthews li...@commadelimited.com wrote:

 Works perfectly Tony. I simplified the conditional tho'

 <cfif StructKeyExists(headers,'X-Requested-With') AND
 headers['X-Requested-With'] EQ 'XMLHttpRequest'>

 </cfif>


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336296


RE: Preventing use of remote method by other sites

2010-08-16 Thread Andy Matthews

Yes, but would you know TO do that?


andy 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336297


Re: Preventing use of remote method by other sites

2010-08-16 Thread Raymond Camden

Sorry - what? Oh - are you asking if I would know to use that vector?
If I run your site and see a request made via XHR to foo.cfm, and then
I try to run it myself in another tab and get blocked, then yes, I
would consider that. And I'm a Script Kiddy Hacker so I assume the
real guys would try it too.

Shoot - I almost always try the URLs I see in Firebug/Chrome Dev
tools. I'm not trying to be malicious of course. Just poking around.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336298


RE: Preventing use of remote method by other sites

2010-08-16 Thread Andy Matthews

Right. I know that. Good point though.

I suppose I could get our JS guy to also pass in a session id. Then I could
compare that with the actual session ID for the user and go from there. 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336299


Re: Preventing use of remote method by other sites

2010-08-16 Thread Raymond Camden

Which can also be done via CFHTTP as well. ;) Not trying to be a jerk
here - but the fact is, there is no (afaik) 100% way to say that a URL
is ajax only.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336301


RE: Preventing use of remote method by other sites

2010-08-16 Thread Andy Matthews

You're not being a jerk. Those are all good points. I doubt anyone's going
to care to mess with it. Even if they do, the most that will happen is that
one site's usability stats get inflated.


andy

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336303


Re: Preventing use of remote method by other sites

2010-08-13 Thread Stephane Vantroyen

Hi,

I would instantiate a session variable on begin of calling page, add it to the 
parameters when calling the function, and then just check in the remote 
function if the one given via parameter matches the one from session scope.

Regards,

Stephan


 I have a method that I'm exposing remotely. We'll be using AJAX calls 
 to insert usability stats about a new application. I'm working through 
 the code when I realize that since it's remote access, anyone from any 
 site could post to it and skew our results.
 
 I'm wondering what's the best way to prevent access to this URL from 
 any other site, or code. My first thought was to compare the current 
 URL, dev1 for example, to the URL the request was made from, or 
 perhaps the IP address. But I'm not sure how to get that information.
 
 Anyone have ideas?
 
 
 
 andy matthews 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336261
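As an added illustration (not code from the thread or from any of its authors), here is the pattern the discussion arrives at, in Python: Tony's X-Requested-With check, Stephane's per-session token compared inside the remote method, and Andrew's log-and-ban rule for traffic outside the expected pattern, with a constructed walk-through of the three cases argued in the thread. The Session class, MAX_CALLS, WINDOW_SECONDS, the status codes and the timestamps are assumptions of this example, not anything from the list.

```python
import hmac
import secrets
from typing import Dict, List, Optional


def is_ajax(headers: Dict[str, str]) -> bool:
    """The thread's isAjax() check, ported. Header names are case-insensitive.
    Any HTTP client (cfhttp, curl, a script) can send this header, which is
    why the thread concludes it is a hint rather than a control."""
    for name, value in headers.items():
        if name.lower() == "x-requested-with":
            return value == "XMLHttpRequest"
    return False


class Session:
    """Constructed stand-in for a cookie-bound server-side session."""

    def __init__(self) -> None:
        self.token: Optional[str] = None   # Stephane's per-session token
        self.calls: List[float] = []       # timestamps of accepted calls
        self.banned = False                # Andrew's "log them out, ask later"


def issue_token(session: Session) -> str:
    """Run when the page hosting the AJAX code is rendered; the page's
    JavaScript sends the token back as a parameter on every call."""
    session.token = secrets.token_urlsafe(32)
    return session.token


def verify_token(session: Session, submitted: Optional[str]) -> bool:
    """Compare the submitted parameter with the session copy in constant
    time, so response timing does not reveal how much of it matched."""
    if session.token is None or submitted is None:
        return False
    return hmac.compare_digest(session.token, submitted)


# Assumed budget: a stats beacon needs a handful of calls per page view,
# so a burst well above that is treated as a script driving the endpoint.
MAX_CALLS = 20
WINDOW_SECONDS = 60.0


def record_call(session: Session, now: float) -> bool:
    """Slide the window, count this call, and ban the session once it
    exceeds the budget. Returns True when the session is now banned."""
    session.calls = [t for t in session.calls if now - t < WINDOW_SECONDS]
    session.calls.append(now)
    if len(session.calls) > MAX_CALLS:
        session.banned = True
    return session.banned


def handle_stats_call(session: Session, headers: Dict[str, str],
                      params: Dict[str, str], now: float,
                      audit: List[str]) -> int:
    """Gate for the remote method. Returns an HTTP status code and writes
    one audit line per rejection, so odd traffic can be reviewed later."""
    if session.banned:
        audit.append(f"{now:.0f} reject banned-session")
        return 403
    if not is_ajax(headers):
        audit.append(f"{now:.0f} reject missing-xhr-header")
        return 403
    if not verify_token(session, params.get("token")):
        audit.append(f"{now:.0f} reject bad-token")
        return 403
    if record_call(session, now):
        audit.append(f"{now:.0f} ban rate-limit-exceeded")
        return 429
    return 200


def demo() -> Dict[str, object]:
    """Constructed walk-through of the three cases argued in the thread."""
    audit: List[str] = []
    xhr = {"X-Requested-With": "XMLHttpRequest"}

    # 1. The site's own page: session cookie, header and matching token.
    user = Session()
    token = issue_token(user)
    ok = handle_stats_call(user, xhr, {"token": token}, 1000.0, audit)

    # 2. Ray's point: a cfhttp call can set the header by hand, but with no
    #    session behind it there is no token to send, so it is refused.
    stranger = Session()
    spoofed = handle_stats_call(stranger, xhr, {}, 1001.0, audit)

    # 3. Rick's point: a logged-in user who copies cookie and token into a
    #    script passes both checks; only the call budget catches the burst.
    replay = [handle_stats_call(user, xhr, {"token": token}, 1002.0 + i, audit)
              for i in range(MAX_CALLS + 1)]

    return {"ok": ok, "spoofed": spoofed, "replay": replay,
            "banned": user.banned, "audit": audit}
```

Case 3 is the one no header or token check can solve: the requests are indistinguishable from the real page's, so detection has to rest on volume and pattern, which is what the audit lines are for.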


Re: Preventing use of remote method by other sites

2010-08-13 Thread Tony Bentley

I use a cfc that checks to see if the method being called is from within the
domain, is indeed ajax and that the method is indeed accessed remotely,
otherwise abort the request. If you are doing cross site requests, pass a
unique key in your form.

Is it ajax?

<cffunction name="isAjax" access="private" returntype="boolean" output="false">
    <!---
    all of the user management requests are going to come via ajax
    within the domain.
    if a request is not from this site and not ajax, abort the request
    run this check on any of the remote methods
    --->
    <cfscript>
        requestHeaders = getHTTPRequestData().headers;
        if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
            return false;
        }
        else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
            return false;
        }
        else {
            return true;
        }
    </cfscript>
</cffunction>


Called on init:

<cfparam name="url.method" default="">
<cfscript>
    accessRemote = false;
    cfcname = getMetadata(this);
    // walk the component metadata to see whether the requested method is access="remote"
    for (i = 1; i lte arrayLen(cfcname.FUNCTIONS); i++) {
        fname = cfcname.FUNCTIONS[i];
        if (fname.name eq url.method and fname.access eq "remote") {
            accessRemote = true;
            break;
        }
    }
    if (not isAjax() and not accessRemote) {
        abort(); // this is a simple cfabort function for MX
    }
</cfscript>



On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews li...@commadelimited.com wrote:


 I have a method that I'm exposing remotely. We'll be using AJAX calls to
 insert usability stats about a new application. I'm working through the code
 when I realize that since it's remote access, anyone from any site could
 post to it and skew our results.

 I'm wondering what's the best way to prevent access to this URL from any
 other site, or code. My first thought was to compare the current URL, dev1
 for example, to the URL the request was made from, or perhaps the IP
 address. But I'm not sure how to get that information.

 Anyone have ideas?



 andy matthews


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336268


RE: Preventing use of remote method by other sites

2010-08-13 Thread Andy Matthews

Oooh. That's a good idea. Since we're using it for AJAX, then make it so
that it can ONLY be used as AJAX, which would prevent other sites from using
it because of the cross site scripting.

Great idea Tony, thanks! 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336269


Re: Preventing use of remote method by other sites

2010-08-13 Thread Scott Stewart

here's another possibility: If you're using CF9 and the built in AJAX
functionality you can use the verifyClient attribute of CFFUNCTION
to attach a security token to each request. CF will look for the
token; if it doesn't see it, the request will be denied.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336271


RE: Preventing use of remote method by other sites

2010-08-13 Thread Andy Matthews

Works perfectly Tony. I simplified the conditional tho'

<cfif StructKeyExists(headers,'X-Requested-With') AND
headers['X-Requested-With'] EQ 'XMLHttpRequest'>

</cfif>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336273


Re: Preventing use of remote method by other sites

2010-08-13 Thread Tony Bentley

Any time!

Keep in mind that anyone can call your method with Ajax so you still need to
verify the request (localhost or otherwise)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336274


RE: Preventing use of remote method by other sites

2010-08-13 Thread Andy Matthews

But crossdomain policies would prevent it from being accessed via AJAX
right?



andy 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336277


Re: Preventing use of remote method by other sites

2010-08-13 Thread Tony Bentley

Yes you are right. I just wasn't sure if you were building an API or
something that would require public access.

On Fri, Aug 13, 2010 at 1:48 PM, Andy Matthews li...@commadelimited.comwrote:


 But crossdomain policies would prevent it from being accessed via AJAX
 right?



 andy

 -Original Message-
 From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
 Sent: Friday, August 13, 2010 3:33 PM
 To: cf-talk
 Subject: Re: Preventing use of remote method by other sites


 Any time!

 Keep in mind that anyone can call your method with Ajax so you still need
 to
 verify the request (localhost or otherwise)

 On Fri, Aug 13, 2010 at 1:17 PM, Andy Matthews
 li...@commadelimited.comwrote:

 
  Oooh. That's a good idea. Since we're using it for AJAX, then make it
  so that it can ONLY be used as AJAX, which would prevent other sites
  from using it because of the cross site scripting.
 
  Great idea Tony, thanks!
 
  -Original Message-
  From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
  Sent: Friday, August 13, 2010 2:55 PM
  To: cf-talk
  Subject: Re: Preventing use of remote method by other sites
 
 
  I use a cfc that checks to see if the method being called is from
  within the domain, is indeed ajax and that the method is indeed
  accessed remotely, otherwise abort the request. If you are doing cross
  site requests, pass a unique key in your form.
 
  Is it ajax?
 
  <cffunction name="isAjax" access="private" returntype="boolean" output="false">
      <!---
      all of the user management requests are going to come via ajax within the domain.
      if a request is not from this site and not ajax, abort the request
      run this check on any of the remote methods
      --->
      <cfscript>
      requestHeaders = getHTTPRequestData().headers;
      // the header is only present if the client (browser XHR library or anything else) chose to send it
      if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
          return false;
      }
      else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
          return false;
      }
      else {
          return true;
      }
      </cfscript>
  </cffunction>
 
 
  Called on init:
 
  <cfparam name="url.method" default="">
  <cfscript>
  accessRemote = false;
  cfcname = getMetadata(this);
  for (i = 1; i lte arrayLen(cfcname.FUNCTIONS); i++) {
      fname = cfcname.FUNCTIONS[i];
      // a function with no access attribute defaults to public, so guard the key before reading it
      if (fname.name eq url.method and structKeyExists(fname, "access") and fname.access eq "remote") {
          accessRemote = true;
          break;
      }
  }
  if (not isAjax() and not accessRemote) {
      abort(); // this is a simple cfabort function for MX
  }
  </cfscript>
 
 
 
  On Fri, Aug 13, 2010 at 11:17 AM, Andy Matthews
   li...@commadelimited.com wrote:
 
  
   I have a method that I'm exposing remotely. We'll be using AJAX
   calls to insert usability stats about a new application. I'm working
   through the code when I realize that since it's remote access,
   anyone from any site could post to it and skew our results.
  
   I'm wondering what's the best way to prevent access to this URL from
   any other site, or code. My first thought was to compare the current
   URL, dev1 for example, to the URL the request was made from, or
   perhaps the IP address. But I'm not sure how to get that information.
  
   Anyone have ideas?
  
  
  
    andy matthews

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336279
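
The checks discussed in this thread, written out as a stand-alone Python model so they can be run and compared; this is an added example, not code from the thread or from any CFC the posters run. It implements the X-Requested-With test from Tony's isAjax() CFC, the Referer-host comparison Andy asked about ("compare the current URL, dev1 for example, to the URL the request was made from"), and Tony's "pass a unique key in your form" as a per-session HMAC token. The host name dev1.example.com, the session identifier, the server key and the three sample requests are all constructed for the demonstration. In ColdFusion the same inputs come from getHTTPRequestData().headers, CGI.HTTP_REFERER and the session scope.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def is_ajax(headers):
    """Same test as the isAjax() CFC: was X-Requested-With: XMLHttpRequest sent?

    Browser XHR libraries add this header; nothing stops a script from adding
    it too, so it only filters callers who did not bother to copy it.
    """
    return _lower_keys(headers).get("x-requested-with") == "XMLHttpRequest"


def referer_matches(headers, own_host):
    """Accept only when the Referer's host is our own host.

    A missing Referer counts as a mismatch. The value is entirely
    client-supplied, so like the header above it is a hint, not authentication.
    """
    referer = _lower_keys(headers).get("referer", "")
    if not referer:
        return False
    return urlsplit(referer).hostname == own_host.lower()


# Per-deployment secret; constructed here, would live in server configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id):
    """The 'unique key in your form': a token bound to the visitor's session.

    The page embeds it in its AJAX call; it is never guessable from the URL.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, presented):
    """Constant-time comparison so response timing cannot leak the token."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id), presented)


def accept_request(headers, form, session_id, own_host):
    """Gate for the remote method. Returns (accepted, reason).

    The two header checks reject sloppy callers; only the token check rejects
    a caller who deliberately copies a browser's headers.
    """
    if not is_ajax(headers):
        return False, "not XMLHttpRequest"
    if not referer_matches(headers, own_host):
        return False, "referer host mismatch"
    if not token_valid(session_id, form.get("token")):
        return False, "missing or wrong session token"
    return True, "ok"


OWN_HOST = "dev1.example.com"   # assumed hostname of the site serving the page


def demo():
    """Three constructed requests: a genuine XHR, a forged copy, a naive cross-site post."""
    session_id = "7F3A9C1B"     # constructed session identifier
    browser_headers = {
        "X-Requested-With": "XMLHttpRequest",
        "Referer": "http://dev1.example.com/stats.cfm",
    }
    # 1. Genuine call from our page, carrying the token the page embedded.
    genuine = accept_request(browser_headers, {"token": issue_token(session_id)},
                             session_id, OWN_HOST)
    # 2. Forged call: identical headers pasted from a captured request, guessed token.
    forged = accept_request(dict(browser_headers), {"token": "0" * 64},
                            session_id, OWN_HOST)
    # 3. Naive cross-site post: plain form POST from another site, no XHR header.
    naive = accept_request({"Referer": "http://other.example.net/"}, {},
                           session_id, OWN_HOST)
    return genuine, forged, naive


if __name__ == "__main__":
    for label, result in zip(("genuine", "forged", "naive"), demo()):
        print(f"{label:8s} accepted={result[0]} ({result[1]})")
```

The forged request passes both header checks and fails only on the token, which is the point Tony makes about verifying the request even when it looks like AJAX. The token is not a complete answer either: anyone who loads the page in a browser gets a session and the token with it, so it keeps other sites and careless scripts out but not a visitor willing to drive the page itself, which is the trade-off the later replies in the thread describe.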


RE: Preventing use of remote method by other sites

2010-08-13 Thread Andy Matthews

Okay. Phew. This is a single CFC available on our site.



andy 

-Original Message-
From: Tony Bentley [mailto:cascadefreehee...@gmail.com] 
Sent: Friday, August 13, 2010 4:17 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites


Yes you are right. I just wasn't sure if you were building an API or
something that would require public access.


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336280