[security-dev] CSRF and json

Bruno Oliveira bruno at abstractj.org
Mon May 5 22:25:19 EDT 2014

Good morning Bill

On 2014-05-05, Bill Burke wrote:
> If you have a JSON based web-service is it still vulnerable to CSRF
> requests?  CORS should be one protection.  For cross domain FORM posts,

They are, if you don't have checks for the content type.

> if the json service checks the media type for application/json it should
> abort the request, correct?

If you want to follow strictly the specification
(http://www.w3.org/TR/cors/#cross-origin-request-status). I would say,
yes, they just abort with "network error".

If you want to mitigate CSRF and other web vulnerabilities, my suggestion
is the CSP specification (http://www.w3.org/TR/CSP11/).

> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev



More information about the security-dev mailing list