[Owasp-leaders] Security101 - Are .NET ASMX WebServices vulnerable to CSRF

dinis cruz dinis.cruz at owasp.org
Thu Feb 9 15:17:29 UTC 2012


Meanwhile... let's also have a nice technical thread :)

Ok, so here is a question from a developer (me) who is working on a product
and has a security question that he needs help with, which I believe is a
scenario we want to cover with our security101 list (still being set-up).

*Question: "Are .NET ASMX WebServices vulnerable to CSRF by default?"*

There is very little 'specific' information out there about this, which is
surprising because if they are, then there would be a LOT of webservices
out there that would be vulnerable to it.

I've asked this question on the OWASP-DotNet list (see
http://lists.owasp.org/pipermail/owasp-dotnet/2012-February/thread.html)
and on the Security StackExchange (see
http://security.stackexchange.com/questions/11355/are-net-webservices-vulnerable-to-csrf),
but so far I don't have a definite answer.

Here is what I got so far:

   - Although I couldn't find any official info on MSDN about this, there is
   a Scott G post that talks about how ASMX Web Services mitigate against CSRF
   (see
   http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
   )

   - The mitigation seems to be the fact that the .NET ASMX WebService
   engine will check for a particular header to be set (Content-Type:
   application/json)
      - this seems to rely on the fact that although there are a number of
      ways to trigger GET or POST Cross Site Requests via HTML/Javascript, none
      of them will allow the Content-Type to be set to application/json

   - The only variation that I have heard (but not tested yet) is the
   use of Flash to make the request and set the header.
      - But I have not seen this in action (and as a developer I need to
      know if this is a 'real' issue vs a 'potential' issue)
      - Even if that header can be set, will Http-Only cookies also be sent
      with it?

   - In terms of a solution, I also have not found a clear example of
   CSRF defences on a JQuery-driven site that consumes ASMX webservices
      - There are lots of mentions of using nonce / Unique-key to protect
      against CSRF,
         - but how does it work exactly? and what are its threats?
         - more importantly, why didn't Microsoft's .NET team add that
         solution by default to ASMX? (via an HttpModule for example)
      - any good pointers?

Thanks

Dinis Cruz
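
One way the nonce / unique-key approach asked about above can work, as an added example that is not part of the original post and not Microsoft's code: a double-submit-cookie check in an HttpModule. The class, cookie and header names are hypothetical, and it assumes web methods are invoked by POST only.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Added example (hypothetical names). Register under <httpModules> /
// <modules> in web.config so it runs before the ASMX handler.
public class AsmxCsrfModule : IHttpModule
{
    const string CookieName = "CSRF-TOKEN";   // hypothetical
    const string HeaderName = "X-CSRF-Token"; // hypothetical

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Request;
        HttpCookie cookie = req.Cookies[CookieName];
        string expected = cookie == null ? null : cookie.Value;
        if (string.IsNullOrEmpty(expected))
        {
            // No token yet: issue one in a cookie that page script can read
            // (so not HttpOnly); the session cookie itself can stay HttpOnly.
            expected = null; // this request cannot pass the check below
            byte[] raw = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(raw);
            string hex = BitConverter.ToString(raw).Replace("-", "");
            HttpCookie issued = new HttpCookie(CookieName, hex);
            issued.Secure = req.IsSecureConnection;
            app.Response.Cookies.Add(issued);
        }
        // Assumption: web methods accept POST only; GET (help page, ?WSDL)
        // is left unchecked.
        if (req.HttpMethod == "GET" ||
            !req.FilePath.EndsWith(".asmx", StringComparison.OrdinalIgnoreCase)) return;
        // A cross-site form cannot read the cookie, so it cannot echo the
        // token in a custom header; the browser still sends the cookie.
        if (!FixedTimeEquals(expected, req.Headers[HeaderName]))
        {
            app.Response.StatusCode = 403;
            app.CompleteRequest(); // skip the ASMX handler
        }
    }

    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The site's jQuery code has to copy the cookie value into the X-CSRF-Token header on every ASMX call. An XSS flaw in the site, or a sibling subdomain able to set cookies for it, defeats this check.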