After reading the famous (and only) article about trying to explain why asmxs should NOT allow GET requests,
so we shouldn't use: [ScriptMethod(UseHttpGet = true)], I still have a question:
Why?
A web service, as its name says, is a service; it isn't supposed to care whether it's GET or POST:
Even if a person does a CSRF, like embedding in his malicious site:
<script type="text/javascript" src="http://contoso.com/StockService/Stock.asmx/GetQuotes?symbol=msft" />
so what?
From the asmx POV it is just a normal request.
Can someone please spot for me the problem with this example?
edit
There are many problems solved with new browsers.
This link shows some other methods which should be tested in new browsers.
JSON hijacking is briefly explained in this article.
Let's suppose that you have a web service that returns a list of credit card numbers to the currently authenticated user:
[{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"},
{"id":"1002","ccnum":"5555555555554444","balance":"10345.00"},
{"id":"1003","ccnum":"5105105105105100","balance":"6250.50"}]
Here's how the attack could be performed:
Get an authenticated user to visit a malicious page.
The malicious page will try to access sensitive data from the application that the user is logged into. This can be done by embedding a script tag in an HTML page, since the same-origin policy does not apply to script tags: <script src="http://<json site>/json_server.php"></script>. The browser will make a GET request to json_server.php and any authentication cookies of the user will be sent along with the request.
At this point, while the malicious site has executed the script, it does not have access to any sensitive data. Getting access to the data can be achieved by using an object prototype setter. In the code below an Object prototype property is bound to the defined function, which runs whenever an attempt is made to set the "ccnum" property.
var secrets = "";   // accumulates every value written to a "ccnum" property
Object.prototype.__defineSetter__('ccnum', function(obj) {
    secrets = secrets.concat(" ", obj);
});
At this point the malicious site has successfully hijacked the sensitive financial data (ccnum) returned by json_server.php.
There are also other forms of JSON hijacking techniques which do not rely on the browser support for the __defineSetter__ function. That's just one way to conduct the attack but there are many others as described in this article such as Array constructor clobbering, UTF-7, ES5 functionality.
For this reason, GET requests returning JSON are disabled by default in ASP.NET.
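The answer above explains the attack in prose; the following is an added example (not code from the original answer or from ASP.NET) that shows the two facts it rests on: a bare JSON array is a syntactically valid script, so a <script src> include executes it, and the setter trick only captures values when the engine routes literal properties through prototype setters. It also shows the two response shapes that make the body unparseable as a script: the {"d": ...} wrapper that ASP.NET AJAX uses and the ")]}'," sentinel prefix. The sample records are constructed test data; it runs under Node.js.

```javascript
// Added example (not from the original answer): why a bare JSON array is
// "script-executable", and two response shapes that defeat <script src=...>
// inclusion. Runs under Node.js; SAMPLE_RECORDS is constructed test data.

const SAMPLE_RECORDS = [
  { id: "1001", ccnum: "4111111111111111", balance: "2345.15" },
  { id: "1002", ccnum: "5555555555554444", balance: "10345.00" },
];

// A <script src="..."> tag hands the response body to the JS parser as a
// whole program. If the body parses as a program the attacker's page has
// executed it; if it throws a SyntaxError, nothing ran.
function parsesAsScript(body) {
  try {
    new Function(body); // parse only, never executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Defense 1 (the shape ASP.NET AJAX returns): wrap the payload in an object.
// A program that starts with "{" is a block statement, and `"d": ...` inside
// a block is a syntax error, so the body cannot run as a script.
function wrapInObject(records) {
  return JSON.stringify({ d: records });
}

// Defense 2: prefix an unparseable sentinel that the legitimate XHR client
// strips before JSON.parse. A <script> include dies on the first ")".
const ANTI_HIJACK_PREFIX = ")]}',\n";
function prefixSentinel(records) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(records);
}
function parseGuarded(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response lacks anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// The answer's setter trick: install a setter for "ccnum" on Object.prototype,
// run the body exactly as a <script> include would, and return what it saw.
// ES5+ engines define object-literal properties directly on the new object
// without consulting prototype setters, so a literal yields []; an ordinary
// assignment (what pre-ES5 engines effectively did for literals) still fires it.
function hijackViaSetter(body) {
  const captured = [];
  Object.defineProperty(Object.prototype, "ccnum", {
    configurable: true,
    set(v) { captured.push(v); },
  });
  try {
    new Function(body)();
  } finally {
    delete Object.prototype.ccnum; // always remove the global side effect
  }
  return captured;
}
```

parsesAsScript(JSON.stringify(SAMPLE_RECORDS)) is true, while both wrapInObject and prefixSentinel produce bodies for which it is false; parseGuarded recovers the original records from the prefixed form. Requiring POST (the ASP.NET default the answer mentions) is a third option, since a script tag can only issue a GET.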
Well, if you follow the article that is then linked in the one you provided, which can be found here: http://ajax.asp.net/docs/overview/AsynchronousLayerOverview.aspx, you can read on, and the only reason it specifically gives is this:
GET requests are not recommended for method calls that modify data on
the server or that expose critical information. In GET requests, the
message is encoded by the browser into the URL and is therefore an
easier target for tampering. For both GET and POST requests, you
should follow security guidelines to protect sensitive data.
Related
I was just researching why using the eval() function is bad, and I found one reason to be vulnerability to code injection attacks (Post: Why is using the JavaScript eval function a bad idea?).
But my question is, do we necessarily need to be worried about code injection in JavaScript? Because, if any user wants to run any JS script on a website, he can do it by running it in the console.
So, I'm just wondering, what extra harm can it do if anyone succeeds in injecting his code into my JavaScript code?
EDIT
Based on Oleander's answer below, I found one kind of vulnerability when we have communication between the browser and the server through AJAX calls. That makes perfect sense. But I may have JavaScript programs which only run in the browser and do not have any communication with the backend, for example a calculator or a simple game. So my supplementary question is: is there any other reason which can make these programs vulnerable too?
Security problems occur when a hacker injects harmful code into a JSON request made by a user, which is then evaluated using eval.
Imagine the following code is being run:
$.get("/get.json", function(data){
var obj = eval(data) // String to javascript object
});
The resource looks like this
GET /get.json
{
some: "data"
}
But an attacker replaces the above, using a man-in-the-middle attack, with:
(function(){
    // send document.cookie to the attacker
})();
The attacker now has access to the user's session.
Well, if your code takes a value from the query string and uses it in an eval, an attacker could entice their victim to visit a URL containing the evil query string.
From OWASP:
<script>
function loadObj(){
var cc=eval('('+aMess+')');
document.getElementById('mess').textContent=cc.message;
}
if(window.location.hash.indexOf('message')==-1)
var aMess="({\"message\":\"Hello User!\"})";
else
var aMess=location.hash.substr(window.location.hash.indexOf('message=')+8);
</script>
The attacker could send an email containing a link, or redirect a user visiting their malicious site, to the URL
http://example.com/page.html?message=<img onerror="alert(xss)">
Then you have a DOM-based XSS attack.
If your game with no backend is on a site with other sensitive information on it, such as user sessions, then it might be possible for the attacker to steal session cookies or grab credentials. It all depends on what the JavaScript has access to. That is, it will have full access to its hosting domain, because the Same Origin Policy restricts it to that. However, if you have other sensitive applications there, then they could be compromised. If not, then at worst the attacker could abuse the trust a user has in your site by altering content or monitoring what users do on your site.
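Both answers above end at the same sink: a string from the network or from location.hash handed to eval. The following is an added example (not code from either answer or from OWASP) that puts the eval'd AJAX body and the eval'd hash parameter next to the JSON.parse replacement, so the difference is visible: the same legitimate payload works with both, the attacker's payload runs under eval and is rejected as a SyntaxError by JSON.parse. It also shows a trap in the first answer's bare eval(data): eval('{ some: "data" }') returns the string "data", because the braces parse as a block with a label, which is why code of that era wrapped the body in parentheses. Every payload is constructed test data, attackerLog stands in for "send the cookie to the attacker", and it runs under Node.js.

```javascript
// Added example (not from the original answers): eval sinks beside JSON.parse.
// Runs under Node.js; payloads are constructed, attackerLog is a stand-in
// for data exfiltrated to an attacker.

const attackerLog = [];

// Sink 1: the answer's `var obj = eval(data)` on a fetched body, written
// with the parentheses that make an object body evaluate as an object.
function parseResponseWithEval(body) {
  return eval("(" + body + ")");
}

// Same sink, fixed: JSON.parse accepts data and nothing else.
function parseResponseSafely(body) {
  return JSON.parse(body);
}

// The bare form from the answer: `{ some: "data" }` is a block containing
// the label `some` and the expression "data", so eval returns "data".
function evalBareObjectLiteral() {
  return eval('{ some: "data" }');
}

// Sink 2: the OWASP snippet reduced to a pure function of the hash string,
// parameterised on the parser so the vulnerable and fixed paths share it.
const DEFAULT_MESSAGE = '{"message":"Hello User!"}';

function messageFromHash(hash, parse) {
  const marker = "message=";
  const at = hash.indexOf(marker);
  const raw = at === -1 ? DEFAULT_MESSAGE : hash.slice(at + marker.length);
  return parse(raw).message;
}

const evalParser = (s) => eval("(" + s + ")"); // what the snippet does
const jsonParser = (s) => JSON.parse(s);       // the fix

// Constructed payloads: a legitimate body/hash and tampered versions that
// smuggle code into what the page expects to be data.
const LEGIT_BODY = '{"some":"data"}';
const TAMPERED_BODY =
  '(function () { attackerLog.push("session cookie"); return { some: "data" }; })()';
const LEGIT_HASH = '#message={"message":"Hi there"}';
const EVIL_HASH = '#message={"message": (attackerLog.push("hash sink"), "pwned")}';

// True when `parse` refuses the input as code rather than data.
function rejectsAsCode(parse, input) {
  try {
    parse(input);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```

parseResponseWithEval(TAMPERED_BODY) returns the expected-looking object and leaves "session cookie" in attackerLog; parseResponseSafely(TAMPERED_BODY) throws. The same holds for messageFromHash with EVIL_HASH under evalParser versus jsonParser. Writing the result into the page with textContent, as the OWASP snippet does, is the right second half of the fix; innerHTML would reopen the hole.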
I am doing a jquery.ajax() call on one of our pages to fetch a small text file. I see some of the requests (not all) fail with resp.statusText: "No Transport" and resp.status: 0.
What does the error mean (No Transport with a response code of 0)? Strangely, it works on some browsers and doesn't work on others. I couldn't find a pattern by looking at the user agents of the browsers where it failed.
Any help would be highly appreciated. I am a beginner in JavaScript and the jQuery library; let me know if I omitted crucial information.
My use case:
abc.mydomain.com contains jquery.ajax(url:xyz.mydomain.com) call
Most likely it prevents you from firing the request because it thinks you are trying to access another domain: xyz.mydomain.com !== mydomain.com.
Why that is not allowed?
Read
Use a Web Proxy for Cross-Domain XMLHttpRequest Calls
Why the cross-domain Ajax is a security concern?
An example of why this is a security issue: assume you installed a bad plugin in your browser. If that plugin got the permission, it can read all files loaded into your browser and be able to edit/change/inject content and code. Then it might send all collected data to the designer's own server.
... The most common business needs that are easily accomplished with browser plug-ins are: modify default search, add side frames, inject new content into existing webpage ...more
A good practice is to fetch the data through AJAX via JSON; if you are trying to access another site besides the one the script is calling from, then use JSON-P.
Read
JSON-P
JSON-P call to subdomain
Chrome ajax call to subdomain
A common architecture is to call the current domain that the script is loaded from, then use a server script to fetch data from the other domain, where the other domain will respond to the request and return the data.
A code snippet of your function will help us understand your issue more.
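The answer recommends JSON-P or a server-side relay for a request from abc.mydomain.com to xyz.mydomain.com. The following is an added example (not code from the answer or from jQuery) of the server side of both routes with the checks a practitioner wants: an exact-match CORS origin allowlist (which also lets the browser make the request, so jQuery no longer reports "No Transport"), shown beside the suffix check people reach for and why it fails, and a JSON-P endpoint that validates the callback name before writing it into a script. The hostnames, callback names and payload are constructed; it runs under Node.js.

```javascript
// Added example (not from the original answer): server-side handling for a
// cross-subdomain request. Origins, callbacks and data are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://abc.mydomain.com",
  "https://www.mydomain.com",
]);

// Exact-match allowlist. Returns the headers to add, or null when the
// origin is not allowed. Never echo an arbitrary Origin and never pair "*"
// with credentials: both let any site the user visits read the response.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not serve one origin's answer to another
  };
}

// The tempting shortcut: accept anything that ends in "mydomain.com".
// Kept only to make the flaw visible: "https://evilmydomain.com" passes.
function naiveSuffixCheck(origin) {
  return origin.endsWith("mydomain.com");
}

// JSON-P: the response is a script that the caller's page executes, so the
// callback name from the query string is injected into JavaScript unless it
// is restricted to a plain identifier path such as "handleQuotes" or "app.cb".
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpBody(callbackName, data) {
  if (typeof callbackName !== "string" || callbackName.length > 64 ||
      !CALLBACK_RE.test(callbackName)) {
    throw new Error("invalid JSON-P callback name");
  }
  // Leading comment so the response never starts with attacker-chosen bytes;
  // serve it as application/javascript with X-Content-Type-Options: nosniff.
  return "/**/ typeof " + callbackName + " === 'function' && " +
    callbackName + "(" + JSON.stringify(data) + ");";
}

// Simulates the including page: the callbacks are the page's globals and
// the JSON-P body runs as a script with them in scope.
function runJsonpInPage(body, callbacks) {
  const names = Object.keys(callbacks);
  return new Function(...names, body)(...names.map((n) => callbacks[n]));
}
```

A relay ("use server script to fetch data from the other domain") needs the same discipline in the other direction: map a fixed set of local paths to fixed upstream URLs rather than proxying whatever URL the client names, or the relay becomes a way to reach internal hosts.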
I'm looking at CSRF prevention, and I have a question about a GET URL that returns JSON, and whether or not the data returned by that URL could be accessed via a third-party web page.
For example, supposing this request
GET /rest/foo.js HTTP/1.1
Host: myhost.com
Returns the dynamically-generated JSON as follows, with a per-session CSRF token:
{user:"My name", userId:1234, CSRFToken: "EFB8765AC2134ACB23486"}
Note that this is not a JSONP request. Now, suppose I have a web-page at sneakythirdparty.com that reads as follows:
<html>
<head>
<script language="javascript" src="http://myhost.com/rest/foo.js" />
</head>
...
</html>
My question is: could a script, Flash applet or anything else in the page of a third-party website such as this one read the source code of foo.js to obtain the CSRF token?
You don't have to hide your CSRF token.
The whole purpose of CSRF protection is just to make sure that requests to your site actually did come from your site (or other sites that you have given authorization).
So I really don't understand what you are trying to achieve in your example:
If you want to block foo.js from being called from another server, you have to oblige people to send the CSRF token when requesting that file; then you check on the server that this token actually matches a session key (for example) set earlier, which verifies that the user actually came from your site initially.
If the JSON {user:"My name", userId:1234, CSRFToken: "EFB8765AC2134ACB23486"} is written in this JavaScript statically, then you are misunderstanding the whole concept of CSRF protection.
You have to create the token dynamically according to some user-unique data (it can be data from the database, the session id, etc.) and then pass the token around your site and block requests to the pages you want to protect if this token is not valid or does not exist.
CSRF protection can be done in regular forms and in AJAX calls; it's just however you choose it to be.
Good Explanation
Yes, the <script> tag is there for all to see.
For example:
var nodes = document.querySelectorAll("script");
var i;
for (i = 0; i < nodes.length; i++) {
if (nodes[i].hasAttribute('src'))
console.log(nodes[i].attributes["src"].value);
}
Just do a simple XMLHttpRequest to get the source and read the CSRFToken.
Edit:
This approach depends on CORS support and relies on the assumption that two requests from the same client (using the same cookies) to myhost.com will respond with the same CSRFToken.
If either of the above does not hold, this approach will not work. If an "external" process (like Flash or Java) has access to the same cookies, it could theoretically mimic the request and get the CSRFToken (assuming the second condition above holds).
Aside from this, if you don't trust the user (or the user's computer), it is possible to grab the CSRFToken from memory, but this seems a bit out of scope for your question.
I want to pass some textbox values strictly using POST from one HTML page to another...
How can this be done without using any server-side language like ASP.NET or PHP?
Can it be done using JavaScript?
Thanks
You can't read POST data in any way in JavaScript, so this is not doable.
Here you can find similar questions:
http://forums.devshed.com/javascript-development-115/read-post-data-in-javascript-1172.html
http://www.sitepoint.com/forums/showthread.php?454963-Getting-GET-or-POST-variables-using-JavaScript
This reading can also be interesting: http://en.wikipedia.org/wiki/POST_%28HTTP%29
This especially suggests why this is the answer (Wikipedia is the source):
GET
Requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect.
(This is also true of some other HTTP methods.)[1] The W3C has
published guidance principles on this distinction, saying, "Web
application design should be informed by the above principles, but
also by the relevant limitations."[10] See safe methods below.
POST
Submits data to be processed (e.g., from an HTML form) to the identified resource. The data is included in the body of the request.
This may result in the creation of a new resource or the updates of
existing resources or both.
POST data is added to the request. When you do a GET request the data is added to the URL, and that's why you can access it through JavaScript (and that's why it's not parsed and you have to do it manually). Instead, POST sends data directly in the HTTP request, which is not seen in any way by the HTML page (which is just a part of what is sent through the HTTP request).
That said, only a server-side language will receive the full HTTP request, and you definitely can't access it from JavaScript.
I'm sorry but that is the real answer
ASP .NET is allowed
Storing the values in hidden input fields is allowed
Query String is not allowed
POST request is not allowed
Is it possible to store JS variables between GET requests?
I want to reinitialize them on the client using ClientScript.RegisterStartupScript.
Can I use cookies for this?
Are there other possibilities?
Where are cookies stored when a request is made?
Can I use cookies for this ?
Yes, see this tutorial on using cookies in Javascript.
Are there other possibilities?
If you are not allowed to append anything to the URL of your requests, I can't come up with any.
Where are cookies stored when a request is made?
In the HTTP request header. The aforementioned tutorial will tell you how to read their values from JavaScript. On the server side with ASP.NET, you can read cookie values using Request.Cookies["cookieName"], which returns an instance of HttpCookie.
I wouldn't highly recommend this, but another option is to alter the window.name property.
You can save some minor bits of data here, then retrieve them on the next page load.
Pros:
Quick-n-dirty, but works
Cons:
Messes up any window references for popups/child iframes
Since it's a "hack", browser vendors may break this "feature" in the future
Of course if you can exclude all the old browsers, then use Global/Client Session Storage!
At the moment using cookies is your best bet. You can serialize the JavaScript objects to strings, and unserialize them back into objects later. A good choice of format is JSON, since it is a subset of JavaScript.
There is also storing objects in Flash.
Storing in Google Gears.
DomStorage
See this library that has an interface to each:
http://pablotron.org/?cid=1557
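The answer above suggests serializing the objects to JSON and carrying them in a cookie. The following is an added example (not code from the answer or from the linked library) of that round trip with the details that bite in practice: the value is URL-encoded so separators inside the JSON cannot break the cookie, the ~4 KB per-cookie limit is enforced, the reader copes with a Cookie string that holds other cookies, and a corrupt value yields null instead of an exception. Because it runs under Node.js, the functions take and return cookie strings rather than touching document.cookie; the cookie name and state object are constructed.

```javascript
// Added example (not from the original answer): JSON state in a cookie,
// written and read back as strings. Names and sample state are constructed.

const MAX_COOKIE_BYTES = 4096; // common per-cookie limit across browsers

// Builds the string to assign to document.cookie (or send in Set-Cookie).
// Whatever is stored here comes back client-controlled: treat it as
// untrusted on the server and keep secrets and authorisation out of it.
function stateCookie(name, obj, { maxAgeSeconds = 3600, secure = true } = {}) {
  const value = encodeURIComponent(JSON.stringify(obj));
  const cookie =
    `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; SameSite=Lax` +
    (secure ? "; Secure" : "");
  if (Buffer.byteLength(cookie) > MAX_COOKIE_BYTES) {
    throw new RangeError("state too large for a single cookie");
  }
  return cookie;
}

// Reads the object back from a Cookie header or document.cookie string,
// which both look like "a=1; uiState=%7B...%7D; b=2". Returns null when the
// cookie is absent or does not decode to JSON.
function readStateCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try {
      return JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
    } catch {
      return null;
    }
  }
  return null;
}
```

If the state is only needed by scripts on the same page, and old browsers are not a concern, sessionStorage or localStorage (the "DomStorage" option above) holds far more than 4 KB and is never sent to the server on every request.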
If you are in control of all aspects of the page, then you can also wrap the page in a top-level frame. Then only refresh the child frame. You can then store content in the parent frame.
You can see this used in sites like GMail and others, where the only thing that changes in the URL is the part after the #.
You don't even have to change the URL; that part is just put in for human-friendly URLs (so you can actually copy and paste URLs as is).