But you can still forge the content-type, right? XHR-based CSRF attacks ...
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: "Bruno Oliveira" <bruno(a)abstractj.org>, security-dev(a)lists.jboss.org
Sent: Tuesday, May 6, 2014 10:39:41 AM
Subject: Re: [security-dev] CSRF and json
Well, the endpoints are resteasy. If the content-type is not
application/json, then resteasy returns a 415.
On 5/6/2014 9:27 AM, Pedro Igor Silva wrote:
I see. IMO, checking the content type makes it more difficult because the
content type would be text/plain or any other. But you're still vulnerable.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>, "Bruno Oliveira"
<bruno(a)abstractj.org>
Cc: security-dev(a)lists.jboss.org
Sent: Tuesday, May 6, 2014 9:37:18 AM
Subject: Re: [security-dev] CSRF and json
Yeah, knew about the token. Was looking to avoid using it though.
On 5/6/2014 8:27 AM, Pedro Igor Silva wrote:
> Also, one of the most popular protections is a CSRF Token. This page can be useful.
>
> https://developer.mozilla.org/en/Persona/Security_Considerations
>
> ----- Original Message -----
> From: "Bruno Oliveira" <bruno(a)abstractj.org>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: security-dev(a)lists.jboss.org
> Sent: Monday, May 5, 2014 11:25:19 PM
> Subject: Re: [security-dev] CSRF and json
>
> Good morning Bill
>
> On 2014-05-05, Bill Burke wrote:
>> If you have a JSON based web-service is it still vulnerable to CSRF
>> requests? CORS should be one protection. For cross domain FORM posts,
>
> They are, if you don't have checks for the content type.
>
>> if the json service checks the media type for application/json it should
>> abort the request, correct?
>
> If you want to strictly follow the specification
> (http://www.w3.org/TR/cors/#cross-origin-request-status), I would say,
> yes, they just abort with "network error".
>
> If you want to mitigate CSRF and other web vulnerabilities, my suggestion
> is the CSP specification (http://www.w3.org/TR/CSP11/).
>
>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> security-dev mailing list
>> security-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>
> --
>
> abstractj
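The thread settles on two layers: a media-type gate (RESTEasy answering 415 when the body is not application/json) and, because a content type by itself can be forged, a CSRF token on top. The following is an added example, not code from the thread or from RESTEasy, that lays out that decision as a single server-side check in plain Python. The origin list, the token value, the X-CSRF-Token header name and the sample requests are all constructed for the demonstration.

```python
import hmac
from typing import Mapping, Optional, Tuple

# Constructed values for the demonstration (hypothetical, not from the thread).
ALLOWED_ORIGINS = {"https://app.example.com"}
SESSION_CSRF_TOKEN = "c0ffee-constructed-token"  # in practice bound to the session


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Strip parameters: 'application/json; charset=utf-8' -> 'application/json'."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def check_json_request(method: str, headers: Mapping[str, str],
                       expected_token: str = SESSION_CSRF_TOKEN) -> Tuple[int, str]:
    """Decide whether a state-changing JSON request may proceed.

    Returns (status, reason): 200 to continue, 415 for a wrong media type
    (what the thread says RESTEasy does), 403 when the request fails the
    origin check or the token check.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return 200, "safe method, no state change expected"

    # 1. Media-type gate: a plain HTML form cannot send application/json.
    if media_type(h.get("content-type")) != "application/json":
        return 415, "unsupported media type"

    # 2. Origin gate: when the browser sends Origin, it must be one of ours.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, f"origin {origin} not allowed"

    # 3. Token gate: the content type alone can be forged, so require a
    #    per-session token in a custom header; constant-time comparison.
    token = h.get("x-csrf-token")
    if token is None or not hmac.compare_digest(token, expected_token):
        return 403, "missing or invalid CSRF token"

    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests, one per branch of the check.
    samples = [
        ("html form post", "POST", {"Content-Type": "text/plain"}),
        ("json body, no token", "POST",
         {"Content-Type": "application/json; charset=utf-8",
          "Origin": "https://app.example.com"}),
        ("json body, foreign origin", "POST",
         {"Content-Type": "application/json",
          "Origin": "https://evil.example.org",
          "X-CSRF-Token": SESSION_CSRF_TOKEN}),
        ("legitimate request", "POST",
         {"Content-Type": "application/json",
          "Origin": "https://app.example.com",
          "X-CSRF-Token": SESSION_CSRF_TOKEN}),
    ]
    for name, method, hdrs in samples:
        print(f"{name:28s} -> {check_json_request(method, hdrs)}")
```

The first gate is what the RESTEasy 415 response gives you for free: an HTML form can only submit application/x-www-form-urlencoded, multipart/form-data or text/plain, so form-based CSRF never reaches the handler. A cross-origin XMLHttpRequest that sets a non-simple content type such as application/json is subject to a CORS preflight, which the browser enforces; the origin and token gates cover what remains (a permissive CORS policy, or a browser that does not behave as the specification requires), which is the point Pedro makes when he says the content-type check alone still leaves you vulnerable.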