[security-dev] CSRF and json
bburke at redhat.com
Tue May 6 09:39:41 EDT 2014
Well, the endpoints are resteasy. If the content-type is not
application/json, then resteasy returns a 415.
On 5/6/2014 9:27 AM, Pedro Igor Silva wrote:
> I see. IMO, checking the content type makes it more difficult because the content type would be text/plain or any other. But you're still vulnerable.
> ----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>, "Bruno Oliveira" <bruno at abstractj.org>
> Cc: security-dev at lists.jboss.org
> Sent: Tuesday, May 6, 2014 9:37:18 AM
> Subject: Re: [security-dev] CSRF and json
> Yeah, knew about the token. Was looking to avoid using it though.
> On 5/6/2014 8:27 AM, Pedro Igor Silva wrote:
>> Also, one of the most popular protections is a CSRF Token. This page can be useful.
>> ----- Original Message -----
>> From: "Bruno Oliveira" <bruno at abstractj.org>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: security-dev at lists.jboss.org
>> Sent: Monday, May 5, 2014 11:25:19 PM
>> Subject: Re: [security-dev] CSRF and json
>> Good morning Bill
>> On 2014-05-05, Bill Burke wrote:
>>> If you have a JSON based web-service is it still vulnerable to CSRF
>>> requests? CORS should be one protection. For cross domain FORM posts,
>> They are, if you don't have checks for the content type.
>>> if the json service checks the media type for application/json it should
>>> abort the request, correct?
>> If you want to strictly follow the specification
>> (http://www.w3.org/TR/cors/#cross-origin-request-status), I would say
>> yes, they just abort with a "network error".
>> If you want to mitigate CSRF and other web vulnerabilities, my suggestion
>> is the CSP specification (http://www.w3.org/TR/CSP11/).
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> security-dev mailing list
>>> security-dev at lists.jboss.org
JBoss, a division of Red Hat
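Added example (not code from the thread or from RESTEasy): a minimal request gate that shows the two layers discussed above, the Content-Type check that makes a JSON-only endpoint answer 415 to a cross-site HTML form post, and the CSRF token check that is still needed behind it. The header names, the token value and the sample requests are constructed for illustration.

```python
# Added example: a request gate modelled on the thread's discussion, not RESTEasy code.
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Media types an HTML <form> can send cross-origin without a CORS preflight.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def gate(method, headers, session_token):
    """Return an HTTP status: 200 if the request may proceed, else 415 or 403.

    headers: dict of request headers. session_token: the CSRF token bound to the
    caller's session (assumed to come from a hypothetical session store; passed in).
    """
    if method.upper() in SAFE_METHODS:
        return 200
    # Layer 1: what a JSON-only endpoint does. A plain HTML form can only send the
    # FORM_TYPES above, never application/json, so a no-preflight form post stops here.
    if media_type(headers.get("Content-Type")) != "application/json":
        return 415
    # Layer 2: the token. A cross-site page cannot read the victim's token, so the
    # comparison fails even when the caller managed to match the media type.
    sent = headers.get("X-CSRF-Token", "")
    if not session_token or not hmac.compare_digest(sent.encode(), session_token.encode()):
        return 403
    return 200


# Constructed sample requests (not captured traffic).
TOKEN = "constructed-session-token"
CROSS_SITE_FORM = {"Content-Type": "application/x-www-form-urlencoded"}
TEXT_PLAIN_FORM = {"Content-Type": "text/plain"}  # body may still look like JSON
JSON_NO_TOKEN = {"Content-Type": "application/json; charset=utf-8"}
JSON_WITH_TOKEN = {"Content-Type": "application/json", "X-CSRF-Token": TOKEN}

if __name__ == "__main__":
    for name, hdrs in [("form", CROSS_SITE_FORM), ("text/plain", TEXT_PLAIN_FORM),
                       ("json, no token", JSON_NO_TOKEN), ("json + token", JSON_WITH_TOKEN)]:
        print(f"POST {name:15s} -> {gate('POST', hdrs, TOKEN)}")
```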