[Owasp-o2-platform] [Owasp-dotnet] Are .NET WebServices vulnerable to CSRF?
dinis.cruz at owasp.org
Mon Feb 6 12:03:37 UTC 2012
Hi Robert, thanks for your comments (below).
You can actually see the app running and get its source code :)
The whole thing is at GitHub <http://teammentor.github.com/>, and here is
the source code of the version with a test Library (OWASP Top 10):
https://github.com/TeamMentor-OWASP/Master (just download the zip file and
click on the 'Start webserver.bat' to have a locally running copy)
If you just want to take a look at it, check out this test server:
- http://188.8.131.52:8081 for the main GUI and
- http://184.108.40.206:8081/aspx_pages/tm_webservices.asmx for the
In terms of CSRF for ASMX, my current understanding comes mainly from this
Scott Guthrie article
referenced here AJAX Hacker Attacks - Cross Site Request
Those articles imply that asmx webservices are not vulnerable to CSRF due
to the extra *application/json ContentType* header.
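As an added example (not code from this thread, from TeamMentor, or from the ASP.NET AJAX stack), here is the rule those articles rely on written out as an explicit request filter, plus the Origin check and token reminder a reviewer would want alongside it; the request shape and the `allowedOrigins` set are assumptions of mine.

```javascript
// Added example: the "JSON calls must carry Content-Type: application/json"
// rule that ScriptService-enabled .asmx methods enforce, expressed as a
// stand-alone filter so the reasoning can be checked against sample requests.

// Content types a plain cross-site <form> can submit without any CORS
// preflight; these are the classic CSRF vehicles, so they are rejected.
const FORM_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// "application/json; charset=utf-8" -> "application/json"
function mediaType(contentType) {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// req is a constructed object: { method, headers: { "content-type", origin } }.
// allowedOrigins (assumption) holds the origins the service treats as its own.
function classifyRequest(req, allowedOrigins) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    headers[k.toLowerCase()] = v;
  }
  // 1. State-changing calls must be POST; a GET endpoint is reachable via
  //    <img>/<a> and gets no protection from the content-type rule at all.
  if (req.method.toUpperCase() !== "POST") {
    return { accept: false, reason: "method-not-post" };
  }
  // 2. The content-type rule: anything a form can produce is refused.
  const ct = mediaType(headers["content-type"]);
  if (ct !== "application/json") {
    const reason = FORM_CONTENT_TYPES.has(ct) ? "form-content-type" : "unexpected-content-type";
    return { accept: false, reason };
  }
  // 3. Defence in depth: the thread itself notes the rule has exceptions
  //    (plug-ins that can set headers) and that Referer is spoofable, so when
  //    the browser supplies Origin on a cross-site POST, it must be ours.
  const origin = headers["origin"];
  if (origin && !allowedOrigins.has(origin.toLowerCase())) {
    return { accept: false, reason: "foreign-origin" };
  }
  return { accept: true, reason: "ok" };
}
```

A per-session anti-CSRF token sent with each JSON call, as Robert suggests for the non-MVC case, is the check that does not depend on browser header behaviour at all; the filter above is the minimum, not a replacement for it.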
On 3 February 2012 18:38, Róbert Tézli <tezli.robert at live.de> wrote:
> I think without seeing the application nobody can help you finding out
> if your application is vulnerable to attacks like CSRF.
> A good point to start is checking XSS first since an attacker has to
> perform the request against your web service as
> trusted user. In ASP.Net Mvc 3 unique CSRF tokens are used to make sure
> Web Services you won't have this advantage but you could generate and
> the page
> assuming that you are not caching anything.
> I doubt that web services are not vulnerable to CSRF since the request
> that is performed against it comes from within the users browser which
> has the session cookie,
> the same IP and the referrer can be spoofed easily. How should the web
> service know that this specific request did not come from the user but
> from another script
> within the page?
> Like I said, without seeing the source code (at least from the website
> an answer on that.
> > While developing TeamMentor <http://teammentor.github.com> I
> > implemented a
> > number of WebServices (consumed via jQuery) and now on its final push for
> > release I want to double check that they are not vulnerable to CSRF.
> > There isn't a lot of good information out there and it seems that in
> > *.asmx are protected by default to CSRF, with a possible exception of an
> > exploit scenario using Flash (to set the cookies)
> > Does anybody have more info?
> > Dinis Cruz
> > Blog: http://diniscruz.blogspot.com
> > Twitter: http://twitter.com/DinisCruz
> > Web: http://www.owasp.org/index.php/O2
> Robert Tezli
> Voigstraße 39
> 10247 Berlin
> Mail : tezli.robert at live.de
> Phone: +4916094989708
> Web : pixills.com