[Owasp-o2-platform] [Owasp-dotnet] Are .NET WebServices vulnerable to CSRF?

Jaideep Jha jaideepjha at gmail.com
Tue Feb 7 05:19:44 UTC 2012


Why should the content-type header be considered a good enough CSRF defense?

Many sites have incorrectly configured crossdomain.xml files
(allow-access-from domain="*") - thus making cross domain requests with
arbitrary header / header values from swf files a trivial attack vector.

Also, even if the cross domain policy files are correctly configured, I
have seen the 307 redirect attack - as explained here:
<http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html>
- working well till very recently across browsers.

Regards,
Jaideep
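
The two points in this thread, a permissive crossdomain.xml and a Content-Type check that a token check would have to back up, as an added example. This is not code from the list posts or from TeamMentor; it is written in Python because the logic is language-neutral, and the policy documents, header names, cookie value and the ExampleMethod name are constructed for the example (only the /aspx_pages/tm_webservices.asmx path comes from the thread).

```python
"""Added example for this thread (not code from the list posts or from
TeamMentor): two defender-side checks for the points raised above.

1. audit_crossdomain_policy() flags a Flash crossdomain.xml that grants
   allow-access-from domain="*": any site's SWF may then send cross-domain
   requests with arbitrary headers, including Content-Type: application/json.
2. content_type_only_check() is the defence the Scott Guthrie article relies
   on; token_check() is the per-session token Robert suggests. Run over two
   constructed requests, the forged one (JSON Content-Type supplied, no token)
   passes the first check and fails the second.

The policy documents, URL path suffix, header names and cookie value are
constructed; only /aspx_pages/tm_webservices.asmx comes from the thread.
"""
import hmac
import secrets
import xml.etree.ElementTree as ET


def audit_crossdomain_policy(policy_xml):
    """Return a list of findings (empty when the policy is acceptably narrow)."""
    findings = []
    root = ET.fromstring(policy_xml)
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": every origin may make '
                            'Flash requests, with whatever headers the SWF sets')
        elif domain.startswith("*."):
            findings.append('allow-access-from domain="%s": every subdomain is '
                            'trusted' % domain)
    for elem in root.iter("allow-http-request-headers-from"):
        if elem.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": '
                            'arbitrary headers accepted from every origin')
    return findings


# Constructed policies: the misconfiguration Jaideep describes, and a narrow one.
WEAK_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

CORRECTED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.example.invalid"/>
</cross-domain-policy>"""


class Session:
    """Server-side session; the CSRF token lives here, not only in a cookie."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def content_type_only_check(request):
    """Accept a JSON call only if the Content-Type is application/json.
    A cross-site <form> cannot set this header, but Flash behind a permissive
    crossdomain.xml, or a 307 redirect of a cross-site request, can carry it."""
    ctype = request["headers"].get("Content-Type", "")
    return ctype.split(";")[0].strip().lower() == "application/json"


def token_check(request, session):
    """Require a session-bound token that only the page's own JavaScript can
    read and attach; a cross-site sender never learns it."""
    presented = request["headers"].get("X-CSRF-Token", "")
    return hmac.compare_digest(presented, session.csrf_token)


def accept_json_call(request, session):
    """Hardened policy: the Content-Type check stays, the token check decides."""
    return content_type_only_check(request) and token_check(request, session)


def build_sample_requests(session):
    """Constructed requests to the ASMX endpoint named in the thread."""
    cookie = "ASP.NET_SessionId=constructed-session-id"
    path = "/aspx_pages/tm_webservices.asmx/ExampleMethod"  # method name constructed
    legitimate = {
        "method": "POST",
        "path": path,
        "headers": {"Content-Type": "application/json",
                    "X-CSRF-Token": session.csrf_token,
                    "Cookie": cookie},
        "body": "{}",
    }
    # The browser attaches the cookie on its own; the sender could supply the
    # JSON Content-Type via the routes above, but has no way to read the token.
    forged = {
        "method": "POST",
        "path": path,
        "headers": {"Content-Type": "application/json", "Cookie": cookie},
        "body": "{}",
    }
    return legitimate, forged


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, audit_crossdomain_policy(policy) or ["no findings"])
    s = Session()
    legit, forged = build_sample_requests(s)
    for label, req in (("legitimate", legit), ("forged", forged)):
        print(label, "content-type only:", content_type_only_check(req),
              "with token:", accept_json_call(req, s))
```

The token is compared with hmac.compare_digest so the check does not leak timing information, and it is carried in a request header rather than a cookie because a cookie would be sent by the browser on a cross-site request just like the session cookie is.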

On Mon, Feb 6, 2012 at 5:33 PM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Hi Robert, thanks for your comments (below).
>
> You can actually see the app running and get its source code :)
>
> The whole thing is at GitHub <http://teammentor.github.com/>, and here is
> the source code of the version with a test Library (OWASP Top 10):
> https://github.com/TeamMentor-OWASP/Master  (just download the zip file
> and click on the 'Start webserver.bat' to have a locally running copy)
>
> If you just want to take a look at it, check out this test server:
>
>    - http://50.18.82.146:8081 for the main GUI and
>    - http://50.18.82.146:8081/aspx_pages/tm_webservices.asmx for the
>    webservices
>
> In terms of CSRF for ASMX, my current understanding comes mainly from this
> Scott Guthrie article
> http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
> (also referenced here: AJAX Hacker Attacks - Cross Site Request Forgery
> <http://weblogs.asp.net/dwahlin/archive/2007/04/04/ajax-hacker-attacks-cross-site-request-forgery.aspx>)
>
> Those articles imply that asmx webservices are not vulnerable to CSRF due
> to the extra *application/json ContentType* header.
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
>
> On 3 February 2012 18:38, Róbert Tézli <tezli.robert at live.de> wrote:
>
>> I think without seeing the application nobody can help you find out
>> if your application is vulnerable to attacks like CSRF.
>> A good point to start is checking XSS first, since an attacker has to
>> perform the request against your web service as a trusted user. In ASP.Net
>> Mvc 3 unique CSRF tokens are used to make sure the request that was made is
>> unique. Since you want to use JavaScript with Asp.Net Web Services you won't
>> have this advantage, but you could generate and deliver CSRF token challenges
>> with the JavaScript the user loads with the page, assuming that you are not
>> caching anything.
>>
>> I doubt that web services are not vulnerable to CSRF, since the request
>> that is performed against it comes from within the user's browser, which
>> has the session cookie and the same IP, and the referrer can be spoofed
>> easily. How should the web service know that this specific request did not
>> come from the user but from another script within the page?
>>
>> Like I said, without seeing the source code (at least from the website
>> where the JavaScript is embedded) nobody (at least not me) could give you
>> an answer on that.
>>
>> Regards,
>>
>> Robert
>>
>> > While developing TeamMentor <http://teammentor.github.com> I
>> > implemented a number of WebServices (consumed via jQuery) and now on its
>> > final push for release I want to double check that they are not
>> > vulnerable to CSRF.
>> >
>> > There isn't a lot of good information out there and it seems that in
>> > .NET, *.asmx are protected by default against CSRF, with a possible
>> > exception of an exploit scenario using Flash (to set the cookies)
>> >
>> > Does anybody have more info?
>> >
>> > Dinis Cruz
>> >
>> > Blog: http://diniscruz.blogspot.com
>> > Twitter: http://twitter.com/DinisCruz
>> > Web: http://www.owasp.org/index.php/O2
>> >
>> >
>> >
>> > _______________________________________________
>> > Owasp-dotnet mailing list
>> > Owasp-dotnet at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>>
>> --
>> Robert Tezli
>> Voigstraße 39
>> 10247 Berlin
>> Germany
>>
>> Mail : tezli.robert at live.de
>> Phone: +4916094989708
>> Web  : pixills.com
>>
>>
>
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>
>