Security during pass parameter value by ajax client side

Question

Recently i'm implementing a ERP module.i have written a .asmx web service for the total database operation.and all aspx page i want to call those web method written in that web service using ajax client side call.Everyone says that client side call is good than a service side call method.As client side call is more fast than a server side call operation. But i have a Question regarding security of my data. 1>Can a hacker change the parameters of the during call the web method ? 2>Is there any secure way to send data through ajax call?Any encription/Decription Technique??

Nitin Sontakke · Answer

As a formality please accept one of the replies as an accepted answer. Thank you!

Abhisek Das · Answer

Thanks all of you.. :)

Bikesh Srivastava · Answer

Hi =>No any hacker can not change. => already ajax is secure anyways this is managed by browser. so don't worry about that.

Nitin Sontakke · Answer

How? It's all happening on server side. If it is not clear to you please do let me know.

Abhisek Das · Answer

Hi Nitin Sir Thanks For You sugesstionIts helpfull. But one thing that can a hackers see my encryption key??

Nitin Sontakke · Answer

It would have been helpful if you had give a sample call. In any case let me try to convey what I have in my mind. See if help resolve the issue. Typically you would want to hide key information for example customer Id etc. The information you are showing on page is been compromised with anyway so let us not talk about that. While sending this customer id to client itself you should encrypt it and decrypt it on receiving it again from client. For example your real customer id 501 would look something like FxJ3+}K on view page source. One more thing i often suggest is to give strange parameter names. For example: we wanted to send if user has read / write / execute /delete rights. But we named parameters as bottomLeft bottomRight topLeft and topRight. So only we know what it all means. Others can only keep on guessing. You don't have to name parameter Customer id as customer id you can call it SuperNova for example. Hope it helps!

Midhun T P · Answer

Hi If you are using webservice then you can add reference of it in your project and call methods from server side. Right? It is the much preferred way of calling webservices. Why you prefer to call it from client side?

Abhisek Das · Answer

Then can You suggest me what is the best way to call the web method? 1)By encryption-decryption technique pass the value or 2)shift to on server call method?

Midhun T P · Answer

Hi As per my knowledge there is no way you can hide your informations on a client side call. Ofcourse you can pass data in a encrypted form. But encryption should be done from server side as if it is from client side then hackers can easily understand the encryption logic and manipulate the same. If you are having much sensible data then it is better to go with server side call. Please go through below links as well - http://www.codeproject.com/Articles/1121259/How-to-make-secure-AJAX-call