[Owasp-leaders] Security101 - Are .NET ASMX WebServices vulnerable to CSRF

Michael Hidalgo Fallas michael.hidalgo at owasp.org
Thu Feb 9 16:12:09 UTC 2012


Hi Dinis,

This is a good question.
It would be great to extend your question not only to .NET ASMX WebServices
but also to the WCF programming model. WCF provides support for WS-* bindings. I will
investigate if there is any feature built on top of the WCF programming model.

Thank you.


On Thu, Feb 9, 2012 at 7:17 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Meanwhile... let's also have a nice technical thread :)
>
> Ok, so here is a question from a developer (me) who is working on a
> product and has a security question that needs help, which I believe is
> the scenario we want to cover with our security101 list (still being set up).
>
> *Question: "Are .NET ASMX WebServices vulnerable to CSRF by default?"*
>
> There is very little 'specific' information out there about this, which is
> surprising because if they are, then there would be a LOT of webservices
> out there that would be vulnerable to it.
>
> I've asked this question on the OWASP-DotNet list (see
> http://lists.owasp.org/pipermail/owasp-dotnet/2012-February/thread.html)
> and on the Security StackExchange (see
> http://security.stackexchange.com/questions/11355/are-net-webservices-vulnerable-to-csrf),
> but so far I don't have a definite answer.
>
> Here is what I got so far:
>
>    - Although I couldn't find any official info on MSDN about this, there
>    is a Scott G post that talks about how ASMX Web Services mitigate against CSRF
>    (see
>    http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
>    )
>
>    - The mitigation seems to be the fact that the .NET ASMX WebService
>    engine will check for a particular header to be set (Content-Type:
>    application/json)
>       - this seems to rely on the fact that although there are a number
>       of ways to trigger GET or POST Cross Site Requests via HTML/Javascript,
>       none of them will allow the Content-Type to be set to application/json
>
>    - The only variation that I have heard of (but not tested yet) is the
>    use of Flash to make the request and set the header.
>       - But I have not seen this in action (and as a developer I need to
>       know if this is a 'real' issue vs a 'potential' issue)
>       - Even if that header can be set, will Http-Only cookies also be
>       sent with it?
>
>    - In terms of a solution, I also have not found a clear example of
>    CSRF defences on a JQuery-driven site that consumes ASMX webservices
>       - There are lots of mentions of using a nonce / unique key to protect
>       against CSRF,
>          - but how does it work exactly? and what are its threats?
>          - more importantly, why didn't Microsoft's .NET team add that
>          solution by default to ASMX? (via an HttpModule for example)
>       - any good pointers?
>
> Thanks
>
> Dinis Cruz
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


-- 

Michael Hidalgo F.
OWASP Chapter Leader, Costa Rica.

"If you believe in yourself and have dedication and pride - and never
quit, you'll be a winner. The price of victory is high but so are the
rewards." Paul Bryant
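The two defences discussed in the quoted message, the Content-Type check that the thread attributes to the ASMX engine and the nonce / unique-key (synchronizer token) approach Dinis asks about, modelled as a server-side request filter run over a few constructed requests. This is an added example written for this archive page; it is not code from the thread, from OWASP or from the .NET framework. The header name X-CSRF-Token, the in-memory token store and the sample requests are assumptions constructed for the example; ASP.NET_SessionId is the default ASP.NET session cookie name.

```python
import hmac
import secrets
from typing import Dict, Mapping, Optional, Tuple

# Constructed in-memory store of session id -> anti-CSRF token.
# Assumption: a real application would keep this in its session state.
_SESSION_TOKENS: Dict[str, str] = {}

# Assumed custom header carrying the token. Any name works, because a page on
# another origin cannot add a custom header without a CORS preflight.
TOKEN_HEADER = "X-CSRF-Token"
SESSION_COOKIE = "ASP.NET_SessionId"  # default ASP.NET session cookie name


def issue_csrf_token(session_id: str) -> str:
    """Create a random token for the session and remember it server-side.

    The page that drives the jQuery calls embeds this value (for example in a
    <meta> tag) and sends it back in TOKEN_HEADER. A page on another origin
    cannot read it, so it cannot build a request that passes the check.
    """
    token = secrets.token_urlsafe(32)
    _SESSION_TOKENS[session_id] = token
    return token


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def content_type_is_json(headers: Mapping[str, str]) -> bool:
    """The check the thread attributes to the ASMX / ASP.NET AJAX engine:
    the request must declare Content-Type: application/json.
    Media-type parameters such as '; charset=utf-8' are permitted."""
    ct = _header(headers, "Content-Type") or ""
    media_type = ct.split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def check_request(method: str,
                  headers: Mapping[str, str],
                  cookies: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a JSON service call may be processed.

    Returns (allowed, reason). Two independent layers are applied:
      1. Content-Type must be application/json. HTML forms and img/script
         tags cannot produce this media type, and a cross-origin XHR that
         sets it is subject to a CORS preflight.
      2. TOKEN_HEADER must carry the token issued for the session named by
         the session cookie (synchronizer-token pattern).
    """
    if method.upper() != "POST":
        return False, "JSON service calls must use POST"
    if not content_type_is_json(headers):
        return False, "Content-Type is not application/json"
    session_id = cookies.get(SESSION_COOKIE)
    expected = _SESSION_TOKENS.get(session_id or "")
    if expected is None:
        return False, "unknown session or no token issued"
    presented = _header(headers, TOKEN_HEADER) or ""
    # Constant-time comparison so the token cannot be recovered via timing.
    if not hmac.compare_digest(presented.encode("utf-8"),
                               expected.encode("utf-8")):
        return False, "anti-CSRF token missing or wrong"
    return True, "ok"


def run_demo() -> Dict[str, bool]:
    """Run constructed sample requests through the filter."""
    token = issue_csrf_token("sess-1")
    jar = {SESSION_COOKIE: "sess-1"}  # cookies the browser attaches automatically
    cases = {
        # Cross-site HTML form post: the cookie is sent, but the form fixes
        # the Content-Type, so layer 1 rejects it.
        "html_form_post": check_request(
            "POST", {"Content-Type": "application/x-www-form-urlencoded"}, jar),
        # Same-origin jQuery call that sets the JSON media type and the token.
        "legit_json_xhr": check_request(
            "POST", {"Content-Type": "application/json; charset=utf-8",
                     TOKEN_HEADER: token}, jar),
        # JSON media type but no token: passes layer 1, fails layer 2.
        "json_without_token": check_request(
            "POST", {"Content-Type": "application/json"}, jar),
        # GET requests never reach the JSON handler.
        "get_request": check_request(
            "GET", {"Content-Type": "application/json", TOKEN_HEADER: token}, jar),
    }
    return {name: allowed for name, (allowed, _reason) in cases.items()}


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:20s} -> {'allowed' if allowed else 'rejected'}")
```

The Content-Type layer is what the quoted Scott Gu post relies on; the token layer is the nonce / unique-key defence from the last bullet, and it is the one that still holds if some plugin or browser quirk lets a cross-origin page set the media type, because the attacker's page never sees the token. In ASP.NET the same logic would sit in an HttpModule, as Dinis suggests.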