[Owasp-o2-platform] [Owasp-dotnet] Are .NET WebServices vulnerable to CSRF?

dinis cruz dinis.cruz at owasp.org
Mon Feb 6 11:19:24 UTC 2012


I chose asmx because:

   - They were simpler to set up
   - TeamMentor already had a couple of *.asmx based webservices which were
   easier to extend (which I didn't want to re-write)
   - I wanted to have a dynamic compilation environment (created around the
   App_Code folder), which seemed easier to set up via *.asmx
   - I wanted to have as few dependencies on the web.config file as possible, again
   something that *.asmx seemed easier to do via WCF
   - I also wanted to implement a CAS based Security Demand solution, which
   again seemed simpler to create in *.asmx

Note that I have used WCF in the past, and I really like its flexibility, but
it did feel overkill for this project

Dinis Cruz


On 3 February 2012 16:45, Barry Dorrans <barryd at idunno.org> wrote:

> Is there a reason you went the asmx route and not with WCF?
>
> *From:* owasp-dotnet-bounces at lists.owasp.org [mailto:
> owasp-dotnet-bounces at lists.owasp.org] *On Behalf Of *dinis cruz
> *Sent:* Friday, February 03, 2012 08:43
> *To:* OWASP .NET; owasp-o2-platform at lists.owasp.org
> *Subject:* [Owasp-dotnet] Are .NET WebServices vulnerable to CSRF?
>
> While developing TeamMentor <http://teammentor.github.com> I implemented
> a number of WebServices (consumed via jQuery) and now on its final push for
> release I want to double check that they are not vulnerable to CSRF.
>
> There isn't a lot of good information out there and it seems that in .NET,
> *.asmx are protected by default against CSRF, with a possible exception of an
> exploit scenario using Flash (to set the cookies)
>
> Does anybody have more info?
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
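The thread asks whether a jQuery-consumed *.asmx service is safe from CSRF. The implicit protection comes from the ASP.NET AJAX script handler only dispatching JSON [ScriptMethod] calls whose Content-Type is application/json, which a plain cross-site HTML form cannot send. The following is an added example, not TeamMentor's or OWASP's code, showing a [ScriptService] web method that makes those conditions explicit and adds a per-session token so that the check does not depend on framework defaults alone. The service name, namespace, session key and the header name X-CSRF-Token are assumptions chosen for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;
using System.Web.SessionState;

// Added example (not TeamMentor code): an ASMX [ScriptService] consumed from
// jQuery that verifies the CSRF-relevant request properties itself rather than
// relying only on the framework's implicit JSON content-type check.
[WebService(Namespace = "http://example.invalid/csrf-demo")] // placeholder namespace
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ScriptService]
public class ArticleService : WebService
{
    // Hypothetical names for the session slot and the request header carrying the token.
    private const string TokenSessionKey = "CsrfToken";
    private const string TokenHeader = "X-CSRF-Token";

    // Called by the hosting page (e.g. from Page_Load) to obtain the token it
    // embeds in its markup; the jQuery caller sends it back in TokenHeader.
    public static string GetOrCreateToken(HttpSessionState session)
    {
        var token = session[TokenSessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
                rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[TokenSessionKey] = token;
        }
        return token;
    }

    // Constant-time comparison so the token check does not leak via timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static void RejectUnlessSameOriginAjax(HttpContext ctx)
    {
        HttpRequest request = ctx.Request;

        // 1. POST with a JSON body only. ScriptHandlerFactory already requires
        //    Content-Type: application/json for JSON [ScriptMethod] calls, which is
        //    what keeps a cross-site <form> from reaching the method; checking it
        //    here guards against UseHttpGet = true or other misconfiguration.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.Ordinal))
            throw new HttpException(405, "POST required");
        string contentType = request.ContentType ?? string.Empty;
        if (!contentType.StartsWith("application/json", StringComparison.OrdinalIgnoreCase))
            throw new HttpException(415, "application/json required");

        // 2. A custom header: jQuery adds X-Requested-With: XMLHttpRequest to
        //    same-origin $.ajax calls; HTML forms and image tags cannot set it.
        if (request.Headers["X-Requested-With"] != "XMLHttpRequest")
            throw new HttpException(403, "Cross-site request refused");

        // 3. A per-session secret the attacker cannot read, echoed in a header.
        //    This still holds if a plugin could forge the content type or header.
        string expected = ctx.Session == null ? null : ctx.Session[TokenSessionKey] as string;
        if (!FixedTimeEquals(expected, request.Headers[TokenHeader]))
            throw new HttpException(403, "Missing or invalid CSRF token");
    }

    [WebMethod(EnableSession = true)]
    [ScriptMethod(ResponseFormat = ResponseFormat.Json)]
    public bool SaveArticle(string articleId, string body)
    {
        // The guard runs before any state-changing work; a thrown exception is
        // serialised back to the caller as a JSON error by the script handler.
        RejectUnlessSameOriginAjax(Context);
        return !string.IsNullOrEmpty(articleId) && body != null;
    }
}
```

On the jQuery side the call must use `type: "POST"`, `contentType: "application/json; charset=utf-8"`, and pass the page-embedded token through the `headers` option of `$.ajax` (available since jQuery 1.5) under the assumed X-CSRF-Token name; a request lacking any of the three properties is refused before the method body executes.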