[Owasp-o2-platform] [Owasp-dotnet] Are .NET WebServices vulnerable to CSRF?

dinis cruz dinis.cruz at owasp.org
Mon Feb 6 12:03:37 UTC 2012


Hi Robert, thanks for your comments (below).

You can actually see the app running and get its source code :)

The whole thing is at GitHub <http://teammentor.github.com/>, and here is
the source code of the version with a test Library (OWASP Top 10):
https://github.com/TeamMentor-OWASP/Master  (just download the zip file and
click on the 'Start webserver.bat' to have a locally running copy)

If you just want to take a look at it, check out this test server:

   - http://50.18.82.146:8081 for the main GUI and
   - http://50.18.82.146:8081/aspx_pages/tm_webservices.asmx for the
   webservices

In terms of CSRF for ASMX, my current understanding comes mainly from this
Scott Guthrie article
http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
(also referenced here: AJAX Hacker Attacks - Cross Site Request Forgery
<http://weblogs.asp.net/dwahlin/archive/2007/04/04/ajax-hacker-attacks-cross-site-request-forgery.aspx>)

Those articles imply that asmx webservices are not vulnerable to CSRF due
to the extra *application/json ContentType* header.

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 3 February 2012 18:38, Róbert Tézli <tezli.robert at live.de> wrote:

> I think without seeing the application nobody can help you finding out
> if your application is vulnerable to attacks like CSRF.
> A good point to start is checking XSS first since an attacker has to
> perform the request against your web service as
> trusted user. In ASP.Net Mvc 3 unique CSRF tokens are used to make sure
> the request that was made is unique. Since you want to use JavaScript with Asp.Net
> Web Services you won't have this advantage but you could generate and
> deliver CSRF token challenges with the JavaScript the user loads with
> the page
> assuming that you are not caching anything.
>
> I doubt that web services are not vulnerable to CSRF since the request
> that is performed against it comes from within the users browser which
> has the session cookie,
> the same ip and the referrer can be spoofed easily. How should the web
> service know that this specific request did not come from the user but
> from another script
> within the page?
>
> Like I said, without seeing the source code (at least from the website
> where the JavaScript is embedded) nobody (at least not me) could give you
> an answer on that.
>
> Regards,
>
> Robert
>
> > While developing TeamMentor <http://teammentor.github.com> I
> implemented a
> > number of WebServices (consumed via jQuery) and now on its final push for
> > release I want to double check that they are not vulnerable to CSRF.
> >
> > There isn't a lot of good information out there and it seems that in
> .NET,
> > *.asmx are protected by default against CSRF, with a possible exception of an
> > exploit scenario using Flash (to set the cookies)
> >
> > Does anybody have more info?
> >
> > Dinis Cruz
> >
> > Blog: http://diniscruz.blogspot.com
> > Twitter: http://twitter.com/DinisCruz
> > Web: http://www.owasp.org/index.php/O2
> >
> >
> >
> > _______________________________________________
> > Owasp-dotnet mailing list
> > Owasp-dotnet at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>
> --
> Robert Tezli
> Voigstraße 39
> 10247 Berlin
> Germany
>
> Mail : tezli.robert at live.de
> Phone: +4916094989708
> Web  : pixills.com
>
>