How do I make sure the data sent to WebService using jQuery AJAX is through my site and not some attack

Question

My Code:

 function HandleSignUp() {
    var CurrentURL = document.URL;
    var obj, val;
    //ajax call started
    $.ajax({
        type: "POST",
        url: "../../webservice/GetAjaxDataWebService.asmx/RegisterNewUser",
        data: "{'UserFullName': '" + $('#SignUpName').val() + "','Email': '" + $('#SignUpEmail').val() + "','Password': '" + $('#SignUpPassword').val() + "'}",
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        success: function (msg) {
            //msg.d contains the return value from web service call
            $.colorbox.close();

            val = eval(msg);
            obj = jQuery.parseJSON(val.d);

            UpdateLogin(obj.Email, obj.FirstName);

        }
    });
    //ajax call ended
}

How do I make sure the data sent to WebService using jQuery AJAX is through my site and not some attack.

I have a similar ajax call for Login, where I pass userid and password to a webservice and authenticate.

Is there a way to have a one time request-response token to make sure its a valid web service call.

Let me know if my question is not clear.

Answer 1

You could implement a lightweight MAC-ing mechanism using a Hash Key (known only to you)

1. Before each call to the webservice feed the first n bytes of your message payload to the hash key and compute a hash value.
2. Make the call to your webservice, sending the hash value in an http header (I recommend the authorization header, you can create a custom header tho.
3. In your webservice, before honouring any service request, you verify the authenticity of the message by computing the hashvalue using the same data i.e. the first N bytes and compare with the hash value in the authorization header. Honour the request only if the value checks out.

There is a little processing overhead here and it assumes that the transmission is happening over a secure line, otherwise, the message could still be hijacked. But you solve the problem of bogus calls.

Answer 2

Sessions might be the easiest solution to this problem, depending on your server framework.

After a successful login, open a session on the server and set a value; check for the session value before processing any of your other web service APIs.