[Owasp-leaders] Security101 - Are .NET ASMX WebServices vulnerable to CSRF
Michael Hidalgo Fallas
michael.hidalgo at owasp.org
Thu Feb 9 16:24:08 UTC 2012
Had I been paying attention, I would have noticed that Troy Hunt did write
a very interesting article about Cross-Site Request Forgery. I believe
this article describes an scenario about executing Web Services via MS Ajax
engine. I know your question if focused on JQuery, but the mechanism should
be the same. When using SOAP over HTTP you limit your self to use POST as
the default method. So the approach in MS Ajax mechanisms or JQuery calls
should be similar.
The article is very complete. Maybe this does not answer your question, but
I may be helpful.
On Thu, Feb 9, 2012 at 8:12 AM, Michael Hidalgo Fallas <
michael.hidalgo at owasp.org> wrote:
> Hi Dinis,
> This is a good question.
> It would be great to extend your question not only to .NET ASMX
> WebServices but WCF programming model. WCF provides support to WS-*
> binding. I will investigate if there is any feature builded on top of WCF
> programming model.
> Thank you.
> On Thu, Feb 9, 2012 at 7:17 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> Meanwhile... lets also have a nice technical thread :)
>> Ok, so here is a question from a developer (me) who is working on a
>> product and has a security question that it needs help, which I believe is
>> scenario we want to cover with our security101 list (still being set-up).
>> *Question: "Are .NET ASMX WebServices vulnerable to CSRF by default?"*
>> There is very few 'specific' information out there about this, which is
>> surprising because if they are, then there would be a LOT of webservices
>> out there who would be vulnerable to it
>> I've asked this question on the OWASP-DotNet list (see
>> and on the Security StackExchange (see
>> but so far I don't have a definite answers.
>> Here is what I got so far:
>> - Although I couldn't find any official info on MSDN about this,
>> there a Scott G post that talks about how ASMX Web Services mitigate
>> against CSRF (see
>> - The mitigation seems to be the fact that the .NET ASMX WebService
>> engine will check for a particular header to be set (Content-Type:
>> - this seems to rely on the fact that although there are a number
>> none of them will allow the Content-Type to be set to application/json
>> - The only variation that I have heard (but not tested yet) is the
>> use of Flash to make the request and set the header.
>> - But I have not seen this in action (and as a developer I need to
>> know if this is a 'real' issue vs a 'potential' issue)
>> - Even if that header can be set, will Http-Only cookies be also
>> sent with it?
>> - In terms of a solution, I also have not found a clear example of
>> CSRF defences on a JQuery-driven site that consumes ASMX webservices
>> - There are lots of mentions of using nonce / Unique-key to
>> protect against CSRF,
>> - but how does it work exactly? and what are its threats?
>> - more importantly, why didn't Microsoft's .NET team added that
>> solution by default to ASMX? (via an HttpModule for example)
>> - any good pointers?
>> Dinis Cruz
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
> *Michael Hidalgo F.
> OWASP Chapter Leader,Costa Rica.*
> “*If you believe in yourself and have dedication and pride - and never
> quit, you'll be a winner. The price of victory is high but so are the
> rewards.” Paul Bryant*
*Michael Hidalgo F.
OWASP Chapter Leader,Costa Rica.*
“*If you believe in yourself and have dedication and pride - and never
quit, you'll be a winner. The price of victory is high but so are the
rewards.” Paul Bryant*
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders