[Owasp-o2-platform] [Owasp-dotnet] Are .NET WebServices vulnerable to CSRF?

dinis cruz dinis.cruz at owasp.org
Tue Feb 7 11:56:06 UTC 2012


Hi Jaideep

I agree that the content-type header defence makes me nervous, and btw that
307 attack looks pretty interesting :)  (does it work in .NET asmx?)

But my key question remains, are .NET ASMX WebServices vulnerable to CSRF?

There are two things that must happen for this to be a problem (in
TeamMentor or other ASPX webservices)

   1. It is possible to invoke those WebServices from another domain (note
   that this is actually a current business/user-requirement)
   2. Will the browser send the user's cookies via the CSRF (these cookies
   are used by the WebService to authenticate the user)

If this is possible then we have a problem (and I need to make the required
code changes)

But is it a problem?

And if so, wouldn't this be a big issue with tons of vulnerable websites
out there?

Finally, are there any recommended solutions?

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 7 February 2012 05:19, Jaideep Jha <jaideepjha at gmail.com> wrote:

> Why should the content-type header be considered a good enough CSRF defense?
>
> Many sites have incorrectly configured crossdomain.xml files
> (allow-access-from domain="*") - thus making cross domain requests with
> arbitrary header / header values from swf files a trivial attack vector.
>
> Also, even if the cross domain policy files are correctly configured, I
> have seen the 307 redirect attack - as explained here
> <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html>
> - working well till very recently across browsers.
>
> Regards,
> Jaideep
>
> On Mon, Feb 6, 2012 at 5:33 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> Hi Robert, thanks for your comments (below).
>>
>> You can actually see the app running and get its source code :)
>>
>> The whole thing is at GitHub <http://teammentor.github.com/>, and here
>> is the source code of the version with a test Library (OWASP Top 10):
>> https://github.com/TeamMentor-OWASP/Master  (just download the zip file
>> and click on the 'Start webserver.bat' to have a locally running copy)
>>
>> If you just want to take a look at it, check out this test server:
>>
>>    - http://50.18.82.146:8081 for the main GUI and
>>    - http://50.18.82.146:8081/aspx_pages/tm_webservices.asmx for the
>>    webservices
>>
>> In terms of CSRF for ASMX, my current understanding comes mainly from
>> this Scott Guthrie article
>> http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
>> (also referenced here: AJAX Hacker Attacks - Cross Site Request Forgery
>> <http://weblogs.asp.net/dwahlin/archive/2007/04/04/ajax-hacker-attacks-cross-site-request-forgery.aspx>)
>>
>> Those articles imply that asmx webservices are not vulnerable to CSRF due
>> to the extra *application/json ContentType* header.
>>
>> Dinis Cruz
>>
>> Blog: http://diniscruz.blogspot.com
>> Twitter: http://twitter.com/DinisCruz
>> Web: http://www.owasp.org/index.php/O2
>>
>>
>> On 3 February 2012 18:38, Róbert Tézli <tezli.robert at live.de> wrote:
>>
>>> I think without seeing the application nobody can help you find out
>>> if your application is vulnerable to attacks like CSRF.
>>> A good point to start is checking XSS first, since an attacker has to
>>> perform the request against your web service as a trusted user. In
>>> ASP.Net Mvc 3 unique CSRF tokens are used to make sure the request that
>>> was made is unique. Since you want to use JavaScript with Asp.Net Web
>>> Services you won't have this advantage, but you could generate and
>>> deliver CSRF token challenges with the JavaScript the user loads with
>>> the page, assuming that you are not caching anything.
>>>
>>> I doubt that web services are not vulnerable to CSRF, since the request
>>> that is performed against them comes from within the user's browser,
>>> which has the session cookie and the same IP, and the referrer can be
>>> spoofed easily. How should the web service know that this specific
>>> request did not come from the user but from another script within the
>>> page?
>>>
>>> Like I said, without seeing the source code (at least from the website
>>> where the JavaScript is embedded) nobody (at least not me) could give
>>> you an answer on that.
>>>
>>> Regards,
>>>
>>> Robert
>>>
>>> > While developing TeamMentor <http://teammentor.github.com> I
>>> > implemented a number of WebServices (consumed via jQuery) and now on
>>> > its final push for release I want to double check that they are not
>>> > vulnerable to CSRF.
>>> >
>>> > There isn't a lot of good information out there and it seems that in
>>> > .NET, *.asmx are protected by default against CSRF, with a possible
>>> > exception of an exploit scenario using Flash (to set the cookies)
>>> >
>>> > Does anybody have more info?
>>> >
>>> > Dinis Cruz
>>> >
>>> > Blog: http://diniscruz.blogspot.com
>>> > Twitter: http://twitter.com/DinisCruz
>>> > Web: http://www.owasp.org/index.php/O2
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > Owasp-dotnet mailing list
>>> > Owasp-dotnet at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>>>
>>> --
>>> Robert Tezli
>>> Voigstraße 39
>>> 10247 Berlin
>>> Germany
>>>
>>> Mail : tezli.robert at live.de
>>> Phone: +4916094989708
>>> Web  : pixills.com
>>>
>>>
>>
>> _______________________________________________
>> Owasp-o2-platform mailing list
>> Owasp-o2-platform at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>
>>
>