CSRF check for jabsorb JSON-RPC requests


Olivier Jaquemet

Dec 7, 2011, 4:00:22 AM12/7/11
to jabsorb-user
Hi all,

Disclaimer: the jabsorb.org site being down, I could not check any
documentation, so this question might have already been answered
properly; my apologies in such case.

We probably agree that performing a CSRF attack on a JSON-RPC service is
very challenging: indeed one cannot use a simple GET or POST, as JSON
data must be sent in the request. Thus a CSRF attack would require the use
of XmlHttpRequest or Flash, meaning there is probably an XSS
vulnerability elsewhere on the site to inject such JavaScript code.
And any XSS vulnerability would prevent any CSRF check from being performed
efficiently.
Therefore a CSRF vulnerability with a JSON-RPC service is not of too
much concern....
Though... it could happen! And having a security countermeasure
would be nice. Security is all about pushing the limit further to
complicate the actions required by the attacker to get to his goal.

So my question is:
Is there any way to set up and configure jabsorb to apply the
"Synchronizer Token Pattern" [1]? That is, sending a CSRF token
unknown to the attacker (e.g. as an HTTP header) with each JSON-RPC
request, and having the servlet check for this token?
(Other than implementing this with a custom servlet filter.)

Thanks for your answer,
Olivier

[1]
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern
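For reference, the servlet-filter route the question mentions looks like the following. This is an added example, not jabsorb's own code: the header name `X-CSRF-Token`, the session attribute `csrfToken` and the `tokenFor` helper are assumptions; the page that loads the JSON-RPC client is expected to embed the session token and send it as that header on every call.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Synchronizer-token check in front of the JSON-RPC servlet (map it to that
 *  path in web.xml). Header and attribute names are assumptions, not jabsorb's. */
public class JsonRpcCsrfFilter implements Filter {
    static final String HEADER = "X-CSRF-Token"; // set by the page's JS client
    static final String ATTR = "csrfToken";      // server-side copy in the session
    private final SecureRandom rng = new SecureRandom();
    /** Session token, minted on first use. The HTML page that loads the
     *  JSON-RPC client embeds it (e.g. a meta tag) and sends it as the header. */
    public String tokenFor(HttpSession session) {
        String t = (String) session.getAttribute(ATTR);
        if (t == null) {
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(ATTR, t);
        }
        return t;
    }
    /** Constant-time comparison; String.equals would leak timing. */
    static boolean tokensMatch(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // never create one here
        String expected = session == null ? null : (String) session.getAttribute(ATTR);
        // Every POST (i.e. every JSON-RPC call) must carry the session's token.
        if ("POST".equalsIgnoreCase(http.getMethod())
                && !tokensMatch(expected, http.getHeader(HEADER))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

A request without a session, or whose header does not match the token stored in that session, gets a 403 before the JSON-RPC servlet ever parses the body.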
