[Owasp-o2-platform] [Owasp-dotnet] Are .NET WebServices vulnerable to CSRF?
dinis.cruz at owasp.org
Tue Feb 7 11:56:06 UTC 2012
I agree that the content-type header defence makes me nervous, and btw that
307 attack looks pretty interesting :) (does it work in .NET asmx?)
But my key question remains, are .NET ASMX WebServices vulnerable to CSRF?
There are two things that must happen for this to be a problem (in
TeamMentor or other ASPX webservices):
1. It is possible to invoke those WebServices from another domain (note
that this is actually a current business/user-requirement)
2. Will the browser send the user's cookies via the CSRF (these cookies
are used by the WebService to authenticate the user)
If this is possible then we have a problem (and I need to make the required
But is it a problem?
And if so, wouldn't this be a big issue with tons of vulnerable websites
Finally, are there any recommended solutions?
On 7 February 2012 05:19, Jaideep Jha <jaideepjha at gmail.com> wrote:
> Why should content-type header be considered good enough CSRF defense ?
> Many sites have incorrectly configured crossdomain.xml files
> (allow-access-from domain="*") - thus making cross domain requests with
> arbitrary header / header values from swf files a trivial attack vector.
> Also, even if the cross domain policy files are correctly configured, I
> have seen the 307 redirect attack - as explained here <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html> - working well till very recently across browsers.
> On Mon, Feb 6, 2012 at 5:33 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> Hi Robert, thanks for your comments (below).
>> You can actually see the app running and get its source code :)
>> The whole thing is at GitHub <http://teammentor.github.com/>, and here
>> is the source code of the version with a test Library (OWASP Top 10):
>> https://github.com/TeamMentor-OWASP/Master (just download the zip file
>> and click on the 'Start webserver.bat' to have a locally running copy)
>> If you just want to take a look at it, check out this test server:
>> - http://188.8.131.52:8081 for the main GUI and
>> - http://184.108.40.206:8081/aspx_pages/tm_webservices.asmx for the
>> In terms of CSRF for ASMX, my current understanding comes mainly from
>> this Scott Guthrie article
>> http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx (also
>> referenced here: AJAX Hacker Attacks - Cross Site Request Forgery <http://weblogs.asp.net/dwahlin/archive/2007/04/04/ajax-hacker-attacks-cross-site-request-forgery.aspx>)
>> Those articles imply that asmx webservices are not vulnerable to CSRF due
>> to the extra *application/json ContentType* header.
>> Dinis Cruz
>> Blog: http://diniscruz.blogspot.com
>> Twitter: http://twitter.com/DinisCruz
>> Web: http://www.owasp.org/index.php/O2
>> On 3 February 2012 18:38, Róbert Tézli <tezli.robert at live.de> wrote:
>>> I think without seeing the application nobody can help you finding out
>>> if your application is vulnerable to attacks like CSRF.
>>> A good point to start is checking XSS first since an attacker has to
>>> perform the request against your web service as a
>>> trusted user. In ASP.Net Mvc 3 unique CSRF tokens are used to make sure
>>> Web Services you won't have this advantage but you could generate and
>>> the page
>>> assuming that you are not caching anything.
>>> I doubt that web services are not vulnerable to CSRF since the request
>>> that is performed against it comes from within the users browser which
>>> has the session cookie,
>>> the same IP and the referrer can be spoofed easily. How should the web
>>> service know that this specific request did not come from the user but
>>> from another script
>>> within the page?
>>> Like i said, without seeing the source code (at least from the website
>>> an answer on that.
>>> > While developing TeamMentor <http://teammentor.github.com> I
>>> implemented a
>>> > number of WebServices (consumed via jQuery) and now on its final push
>>> > release I want to double check that they are not vulnerable to CSRF.
>>> > There isn't a lot of good information out there and it seems that in
>>> > *.asmx are protected by default to CSRF, with a possible exception of
>>> > exploit scenario using Flash (to set the cookies)
>>> > Does anybody have more info?
>>> > Dinis Cruz
>>> > Blog: http://diniscruz.blogspot.com
>>> > Twitter: http://twitter.com/DinisCruz
>>> > Web: http://www.owasp.org/index.php/O2
>>> > _______________________________________________
>>> > Owasp-dotnet mailing list
>>> > Owasp-dotnet at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>>> Robert Tezli
>>> Voigstraße 39
>>> 10247 Berlin
>>> Mail : tezli.robert at live.de
>>> Phone: +4916094989708
>>> Web : pixills.com
>> Owasp-o2-platform mailing list
>> Owasp-o2-platform at lists.owasp.org