[Owasp-leaders] Security101 - Are .NET ASMX WebServices vulnerable to CSRF

dinis cruz dinis.cruz at owasp.org
Thu Feb 9 17:17:34 UTC 2012


Michael, good catch, I forgot about that article.

Troy, can you provide more details on what browsers and domains you tried
that?

I was under the impression that the Browser's Same Origin
Policy <http://en.wikipedia.org/wiki/Same_origin_policy> was designed to
prevent exactly that (sending cookies from Domain A into
Domain B)

Dinis Cruz

On 9 February 2012 16:24, Michael Hidalgo Fallas
<michael.hidalgo at owasp.org> wrote:

> Dinis,
> Had I been paying attention, I would have noticed that Troy Hunt did write
> a very interesting article about Cross-Site Request Forgery. I believe
> this article describes a scenario about executing Web Services via the MS Ajax
> engine. I know your question is focused on jQuery, but the mechanism should
> be the same. When using SOAP over HTTP you limit yourself to using POST as
> the default method. So the approach in MS Ajax mechanisms or jQuery calls
> should be similar.
>
> http://www.troyhunt.com/2010/11/owasp-top-10-for-net-developers-part-5.html
>
> The article is very complete. Maybe this does not answer your question,
> but it may be helpful.
>
> Thank you.
>
>
> On Thu, Feb 9, 2012 at 8:12 AM, Michael Hidalgo Fallas <
> michael.hidalgo at owasp.org> wrote:
>
>> Hi Dinis,
>>
>> This is a good question.
>> It would be great to extend your question not only to .NET ASMX
>> WebServices but also to the WCF programming model. WCF provides support for WS-*
>> bindings. I will investigate if there is any feature built on top of the WCF
>> programming model.
>>
>> Thank you.
>>
>>
>>  On Thu, Feb 9, 2012 at 7:17 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> Meanwhile... let's also have a nice technical thread :)
>>>
>>> Ok, so here is a question from a developer (me) who is working on a
>>> product and has a security question that he needs help with, which I believe is
>>> the scenario we want to cover with our security101 list (still being set up).
>>>
>>> *Question: "Are .NET ASMX WebServices vulnerable to CSRF by default?"*
>>> There is very little 'specific' information out there about this, which is
>>> surprising because if they are, then there would be a LOT of webservices
>>> out there that would be vulnerable to it.
>>>
>>> I've asked this question on the OWASP-DotNet list (see
>>> http://lists.owasp.org/pipermail/owasp-dotnet/2012-February/thread.html)
>>> and on the Security StackExchange (see
>>> http://security.stackexchange.com/questions/11355/are-net-webservices-vulnerable-to-csrf),
>>> but so far I don't have a definite answer.
>>>
>>> Here is what I got so far:
>>>
>>>    - Although I couldn't find any official info on MSDN about this,
>>>    there is a Scott Gu post that talks about how ASMX Web Services mitigate
>>>    against CSRF (see
>>>    http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx)
>>>
>>>    - The mitigation seems to be the fact that the .NET ASMX WebService
>>>    engine will check for a particular header to be set (Content-Type:
>>>    application/json)
>>>       - this seems to rely on the fact that although there are a number
>>>       of ways to trigger GET or POST Cross Site Requests via HTML/Javascript,
>>>       none of them will allow the Content-Type to be set to application/json
>>>
>>>        - The only variation that I have heard (but not tested yet) is
>>>    the use of Flash to make the request and set the header.
>>>       - But I have not seen this in action (and as a developer I need
>>>       to know if this is a 'real' issue vs a 'potential' issue)
>>>       - Even if that header can be set, will HttpOnly cookies also be
>>>       sent with it?
>>>
>>>       - In terms of a solution, I also have not found a clear example
>>>    of CSRF defences on a JQuery-driven site that consumes ASMX webservices
>>>       - There are lots of mentions of using nonce / Unique-key to
>>>       protect against CSRF,
>>>          - but how does it work exactly? and what are its threats?
>>>          - more importantly, why didn't Microsoft's .NET team add
>>>          that solution by default to ASMX? (via an HttpModule for example)
>>>       - any good pointers?
>>>
>>> Thanks
>>>
>>> Dinis Cruz
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>>
>> *Michael Hidalgo F.
>> OWASP Chapter Leader, Costa Rica.*
>>
>> “*If you believe in yourself and have dedication and pride - and never
>> quit, you'll be a winner. The price of victory is high but so are the
>> rewards.” Paul Bryant*
>>
>>
>>
>
>