[Owasp-leaders] Security101 - Are .NET ASMX WebServices vulnerable to CSRF
Michael Hidalgo Fallas
michael.hidalgo at owasp.org
Thu Feb 9 16:12:09 UTC 2012
This is a good question.
It would be great to extend your question not only to .NET ASMX WebServices
but WCF programming model. WCF provides support to WS-* binding. I will
investigate if there is any feature builded on top of WCF programming model.
On Thu, Feb 9, 2012 at 7:17 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> Meanwhile... lets also have a nice technical thread :)
> Ok, so here is a question from a developer (me) who is working on a
> product and has a security question that it needs help, which I believe is
> scenario we want to cover with our security101 list (still being set-up).
> *Question: "Are .NET ASMX WebServices vulnerable to CSRF by default?"*
> There is very few 'specific' information out there about this, which is
> surprising because if they are, then there would be a LOT of webservices
> out there who would be vulnerable to it
> I've asked this question on the OWASP-DotNet list (see
> and on the Security StackExchange (see
> but so far I don't have a definite answers.
> Here is what I got so far:
> - Although I couldn't find any official info on MSDN about this, there
> a Scott G post that talks about how ASMX Web Services mitigate against CSRF
> - The mitigation seems to be the fact that the .NET ASMX WebService
> engine will check for a particular header to be set (Content-Type:
> - this seems to rely on the fact that although there are a number
> none of them will allow the Content-Type to be set to application/json
> - The only variation that I have heard (but not tested yet) is the
> use of Flash to make the request and set the header.
> - But I have not seen this in action (and as a developer I need to
> know if this is a 'real' issue vs a 'potential' issue)
> - Even if that header can be set, will Http-Only cookies be also
> sent with it?
> - In terms of a solution, I also have not found a clear example of
> CSRF defences on a JQuery-driven site that consumes ASMX webservices
> - There are lots of mentions of using nonce / Unique-key to protect
> against CSRF,
> - but how does it work exactly? and what are its threats?
> - more importantly, why didn't Microsoft's .NET team added that
> solution by default to ASMX? (via an HttpModule for example)
> - any good pointers?
> Dinis Cruz
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
*Michael Hidalgo F.
OWASP Chapter Leader,Costa Rica.*
“*If you believe in yourself and have dedication and pride - and never
quit, you'll be a winner. The price of victory is high but so are the
rewards.” Paul Bryant*
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders