Tags: javascript, asp.net, web-services, security, csrf

Security issue with WebService [Get] Requests?


After reading the famous (and only) article trying to explain why asmx services should NOT allow GET requests, so we shouldn't use [ScriptMethod(UseHttpGet = true)], I still have a question:

Why?

A web service, as its name says, is a service; it isn't supposed to care whether the request is GET or POST:

Even if a person does a CSRF, like embedding in his malicious site:

    <script type="text/javascript" src="http://contoso.com/StockService/Stock.asmx/GetQuotes?symbol=msft" />

so what?

From the asmx's point of view, it is just a normal request.

Can someone please spot for me the problem with this example?

Edit

Many of these problems are solved in new browsers. This link shows some other methods which should be tested in new browsers.


Solution

  • JSON hijacking is briefly explained in this article.

    Let's suppose that you have a web service that returns a list of credit card numbers to the currently authenticated user:

    [{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"},
     {"id":"1002","ccnum":"5555555555554444","balance":"10345.00"},
     {"id":"1003","ccnum":"5105105105105100","balance":"6250.50"}]
    

    Here's how the attack could be performed:

    1. Get an authenticated user to visit a malicious page.

    2. The malicious page will try and access sensitive data from the application that the user is logged into. This can be done by embedding a script tag in an HTML page since the same-origin policy does not apply to script tags. <script src="http://<json site>/json_server.php"></script>. The browser will make a GET request to json_server.php and any authentication cookies of the user will be sent along with the request.

    3. At this point, while the malicious site has executed the script, it does not have access to any sensitive data. Getting access to the data can be achieved by using an object prototype setter. In the code below, an object prototype's property is bound to the defined function when an attempt is made to set the "ccnum" property.

      // accumulator for the captured values (declaration added so the snippet runs as written)
      var secrets = "";
      // the setter fires whenever any object gets a "ccnum" property assigned
      Object.prototype.__defineSetter__('ccnum', function(obj) {
          secrets = secrets.concat(" ", obj);
      });


    At this point the malicious site has successfully hijacked the sensitive financial data (ccnum) returned by json_server.php.

    There are also other forms of JSON hijacking techniques which do not rely on the browser's support for the __defineSetter__ function. That's just one way to conduct the attack, but there are many others, as described in this article, such as Array constructor clobbering, UTF-7 and ES5 functionality.

    For this reason, GET requests returning JSON are disabled by default in ASP.NET.
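As an added example (not part of the question or the answer above), here are the three defences that follow from this answer, with a parse-only probe showing why a bare JSON array is executable as a script while the wrapped and prefixed forms are not. The function names and the sample payload are constructed for the example; the `{"d": ...}` wrapper is the ASP.NET AJAX convention and the `)]}',` prefix is the one AngularJS's `$http` strips by default.

```javascript
// Added example: defences against <script src=...> inclusion of a JSON endpoint.
// Constructed sample, shaped like the answer's credit-card response.
const SAMPLE = [
  { id: "1001", ccnum: "4111111111111111", balance: "2345.15" },
  { id: "1002", ccnum: "5555555555554444", balance: "10345.00" },
];

// Would this response body parse as a JavaScript program? If so, a <script>
// tag pointing at the endpoint would execute it in the attacker's page.
// new Function only parses the text and never runs it, so this is a safe probe.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Defence 1 (ASP.NET AJAX convention): wrap the payload in an object so the body
// starts with "{" and is a syntax error when parsed as a script.
function wrapAsDataObject(data) { return JSON.stringify({ d: data }); }
function unwrapDataObject(body) { return JSON.parse(body).d; }

// Defence 2: an unparsable prefix that a cooperating XHR client strips
// before JSON.parse; a <script> tag has no way to strip it.
const PREFIX = ")]}',\n";
function prefixAntiHijack(data) { return PREFIX + JSON.stringify(data); }
function stripPrefix(body) {
  if (!body.startsWith(PREFIX)) throw new Error("missing anti-hijack prefix");
  return JSON.parse(body.slice(PREFIX.length));
}

// Defence 3 (what leaving UseHttpGet off enforces): serve JSON only to POST
// requests with a JSON content type. A <script> tag can only issue GET, and
// an HTML form cannot send application/json, so cross-site inclusion fails.
function allowJsonRequest(method, headers) {
  const ct = (headers["content-type"] || "").toLowerCase();
  return method === "POST" && ct.startsWith("application/json");
}
```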