[Owasp-dotnet] Are .NET WebServices vulnerable to CSRF?


dinis cruz

Feb 3, 2012, 11:43:20 AM
to OWASP .NET, owasp-o2...@lists.owasp.org
While developing TeamMentor I implemented a number of WebServices (consumed via jQuery) and now on its final push for release I want to double check that they are not vulnerable to CSRF.

There isn't a lot of good information out there, and it seems that in .NET, *.asmx are protected by default against CSRF, with a possible exception of an exploit scenario using Flash (to set the cookies).

Barry Dorrans

Feb 3, 2012, 11:45:22 AM
to dinis cruz, OWASP .NET, owasp-o2...@lists.owasp.org

Is there a reason you went the asmx route and not with WCF?

dinis cruz

Feb 6, 2012, 6:19:24 AM
to Barry Dorrans, owasp-o2...@lists.owasp.org, OWASP .NET
I chose asmx because:
  • They were simpler to set up
  • TeamMentor already had a couple of *.asmx based webservices which were easier to extend (which I didn't want to re-write)
  • I wanted to have a dynamic compilation environment (created around the App_Code folder), which seemed easier to set up via *.asmx
  • I wanted to have as few dependencies on the web.config file as possible, again something that *.asmx seemed easier to do via WCF
  • I also wanted to implement a CAS based Security Demand solution, which again seemed simpler to create in *.asmx
Note that I have used WCF in the past, and I really like its flexibility, but it did feel overkill for this project

Dinis Cruz

dinis cruz

Feb 6, 2012, 7:03:37 AM
to Róbert Tézli, OWASP .NET, owasp-o2...@lists.owasp.org
Hi Robert, thanks for your comments (below).

You can actually see the app running and get its source code :) 

The whole thing is at GitHub, and here is the source code of the version with a test Library (OWASP Top 10):  https://github.com/TeamMentor-OWASP/Master  (just download the zip file and click on the 'Start webserver.bat' to have a locally running copy)

If you just want to take a look at it, check out this test server: 
In terms of CSRF for ASMX, my current understanding comes mainly from this Scott Guthrie article http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx (also referenced here: AJAX Hacker Attacks - Cross Site Request Forgery)

Those articles imply that asmx webservices are not vulnerable to CSRF due to the extra application/json ContentType header.
On 3 February 2012 18:38, Róbert Tézli <tezli....@live.de> wrote:
I think without seeing the application nobody can help you find out if your application is vulnerable to attacks like CSRF. A good point to start is checking XSS first, since an attacker has to perform the request against your web service as a trusted user. In ASP.NET MVC 3 unique CSRF tokens are used to make sure the request that was made is unique. Since you want to use JavaScript with ASP.NET Web Services you won't have this advantage, but you could generate and deliver CSRF token challenges with the JavaScript the user loads with the page, assuming that you are not caching anything.

I doubt that web services are not vulnerable to CSRF, since the request that is performed against it comes from within the user's browser, which has the session cookie and the same IP, and the referrer can be spoofed easily. How should the web service know that this specific request did not come from the user but from another script within the page?

Like I said, without seeing the source code (at least from the website where the JavaScript is embedded) nobody (at least not me) could give you an answer on that.

Regards,

Robert

> While developing TeamMentor <http://teammentor.github.com> I implemented a

--
Robert Tezli
Voigstraße 39
10247 Berlin
Germany

Mail : tezli....@live.de
Phone: +4916094989708
Web  : pixills.com


dinis cruz

Feb 7, 2012, 6:56:06 AM
to Jaideep Jha, owasp-o2...@lists.owasp.org, OWASP .NET
Hi Jaideep

I agree that the content-type header defence makes me nervous, and btw that 307 attack looks pretty interesting :)  (does it work in .NET asmx?)

But my key question remains, are .NET ASMX WebServices vulnerable to CSRF? 

There are two things that must happen for this to be a problem (in TeamMentor or other ASPX webservices)
  1. It is possible to invoke those WebServices from another domain (note that this is actually a current business/user-requirement)
  2. Will the browser send the user's cookies via the CSRF (these cookies are used by the WebService to authenticate the user)
If this is possible then we have a problem (and I need to make the required code changes)

But is it a problem?

And if so, wouldn't this be a big issue with tons of vulnerable websites out there?

Finally, are there any recommended solutions?
On 7 February 2012 05:19, Jaideep Jha <jaide...@gmail.com> wrote:
Why should the content-type header be considered a good enough CSRF defense?

Many sites have incorrectly configured crossdomain.xml files (allow-access-from domain="*") - thus making cross domain requests with arbitrary header / header values from swf files a trivial attack vector.

Also, even if the cross domain policy files are correctly configured, I have seen the 307 redirect attack - as explained here - working well till very recently across browsers.

Regards,
Jaideep
