Question

I am developing a quiz web application and am in a dilemma about whether to use ajax or a complete postback to evaluate the user's answers.

The user types the answer into a textbox and clicks the submit button for each question. The answer should be evaluated and the result (right/wrong) should be presented to the user immediately.

Naturally, ajax would be the more user-friendly way of dealing with this, but should I be worried about brute-force/dictionary attacks?

Which is more vulnerable to these attacks?

And how can I prevent this?


Solution

In terms of vulnerability to attacks, both methods would be the same. An ajax request is the same as a postback, but it is done through JavaScript, and as such only a small portion of the page needs to be updated/reloaded as required.

For your issue: if the user is not permitted to make multiple attempts, simply register the first response as final. If they are permitted multiple attempts, then limit the total number of attempts they can have.

If neither of the above is an option, then the user can always brute force.

OTHER TIPS

I would just like to add another approach to what @kami wrote: you can also track requests per client and display a captcha after any "N" number of requests during a determined period of time. That solution is pretty standard; it's something I've seen on several sites.

If you ask me, I would definitely prefer an ajax call over a full postback.

I should use ajax; it looks smoother for the end user. Better feeling/experience for the user.
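
The attempt cap from the Solution and the per-client captcha threshold from the tips above, combined into one server-side check (an added example, not code from any of the posts). `QuizGate`, its option names and the `client` identifier (assumed to be an authenticated user or session id) are hypothetical; the check is the same whether the answer arrives by ajax or by full postback.

```javascript
// Added example; every name here is hypothetical.
const normalize = s => String(s ?? "").trim().toLowerCase();

class QuizGate {
  constructor(answers, { maxAttempts = 3, captchaAfter = 5, windowMs = 60000 } = {}) {
    this.answers = new Map(Object.entries(answers)); // correct answers stay on the server
    this.maxAttempts = maxAttempts;   // total tries allowed per client per question
    this.captchaAfter = captchaAfter; // submissions per window before a captcha is demanded
    this.windowMs = windowMs;
    this.attempts = new Map();        // "client|question" -> { used, solved }
    this.recent = new Map();          // client -> timestamps of counted submissions
  }

  // captchaOk: outcome of verifying a captcha with whatever provider is in use (assumed).
  submit(client, questionId, answer, now = Date.now(), captchaOk = false) {
    if (!this.answers.has(questionId)) return { status: "unknown_question", attemptsLeft: 0 };
    const key = `${client}|${questionId}`;
    const state = this.attempts.get(key) ?? { used: 0, solved: false };
    if (state.solved) return { status: "already_solved", attemptsLeft: 0 };
    if (state.used >= this.maxAttempts) return { status: "locked", attemptsLeft: 0 };

    // Sliding window: drop timestamps older than windowMs, then check the threshold.
    const stamps = (this.recent.get(client) ?? []).filter(t => now - t < this.windowMs);
    this.recent.set(client, stamps);
    if (stamps.length >= this.captchaAfter && !captchaOk) {
      // The answer is not evaluated, so no right/wrong signal leaks to a guesser.
      return { status: "captcha_required", attemptsLeft: this.maxAttempts - state.used };
    }
    stamps.push(now);

    // Count the attempt before revealing the result.
    state.used += 1;
    state.solved = normalize(answer) === normalize(this.answers.get(questionId));
    this.attempts.set(key, state);
    return {
      status: state.solved ? "correct" : "wrong",
      attemptsLeft: state.solved ? 0 : this.maxAttempts - state.used,
    };
  }
}
```

In a real deployment the two maps would live in the session store or database rather than in process memory, so the counters survive restarts and are shared across servers.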

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow