Is there a vulnerability if users are allowed to call any URL from your hosted website?











up vote
0
down vote

favorite












I am developing a website in which one functionality allows users to give any URL which will be then converted into ajax request and called. This can happen through GET or POST methods but only through client side javascript. The URL will be requested from the client side only.



What issues can arise because of this? What are some ways in which this can be seen as a vulnerability for the web application?



An example Javascript function for what I am trying to do :



function sendPostRequest(url, callback)
{
$.ajax({
type : "POST",
url : url,
success: callback
});
}


Here url is got from user input.










share|improve this question







New contributor




Perceo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    up vote
    0
    down vote

    favorite












    I am developing a website in which one functionality allows users to give any URL which will be then converted into ajax request and called. This can happen through GET or POST methods but only through client side javascript. The URL will be requested from the client side only.



    What issues can arise because of this? What are some ways in which this can be seen as a vulnerability for the web application?



    An example Javascript function for what I am trying to do :



    function sendPostRequest(url, callback)
    {
    $.ajax({
    type : "POST",
    url : url,
    success: callback
    });
    }


    Here url is got from user input.










    share|improve this question







    New contributor




    Perceo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I am developing a website in which one functionality allows users to give any URL which will be then converted into ajax request and called. This can happen through GET or POST methods but only through client side javascript. The URL will be requested from the client side only.



      What issues can arise because of this? What are some ways in which this can be seen as a vulnerability for the web application?



      An example Javascript function for what I am trying to do :



      function sendPostRequest(url, callback)
      {
      $.ajax({
      type : "POST",
      url : url,
      success: callback
      });
      }


      Here url is got from user input.










      share|improve this question







      New contributor




      Perceo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      I am developing a website in which one functionality allows users to give any URL which will be then converted into ajax request and called. This can happen through GET or POST methods but only through client side javascript. The URL will be requested from the client side only.



      What issues can arise because of this? What are some ways in which this can be seen as a vulnerability for the web application?



      An example Javascript function for what I am trying to do :



      function sendPostRequest(url, callback)
      {
      $.ajax({
      type : "POST",
      url : url,
      success: callback
      });
      }


      Here url is got from user input.







      javascript jquery ajax






      share|improve this question







      New contributor




      Perceo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      Perceo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      Perceo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 11 mins ago









      Perceo

      1




      1




      New contributor




      Perceo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Perceo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Perceo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.



























          active

          oldest

          votes











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "196"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Perceo is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f209260%2fis-there-a-vulnerability-if-users-are-allowed-to-call-any-url-from-your-hosted-w%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown






























          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          Perceo is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          Perceo is a new contributor. Be nice, and check out our Code of Conduct.













          Perceo is a new contributor. Be nice, and check out our Code of Conduct.












          Perceo is a new contributor. Be nice, and check out our Code of Conduct.
















          Thanks for contributing an answer to Code Review Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f209260%2fis-there-a-vulnerability-if-users-are-allowed-to-call-any-url-from-your-hosted-w%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          404 Error Contact Form 7 ajax form submitting

          How to know if a Active Directory user can login interactively

          Refactoring coordinates for Minecraft Pi buildings written in Python