[security-dev] CSRF and json

Pedro Igor Silva psilva at redhat.com
Tue May 6 08:27:30 EDT 2014


Also, one of the most popular protections is a CSRF token. This page can be useful.

https://developer.mozilla.org/en/Persona/Security_Considerations

----- Original Message -----
From: "Bruno Oliveira" <bruno at abstractj.org>
To: "Bill Burke" <bburke at redhat.com>
Cc: security-dev at lists.jboss.org
Sent: Monday, May 5, 2014 11:25:19 PM
Subject: Re: [security-dev] CSRF and json

Good morning Bill

On 2014-05-05, Bill Burke wrote:
> If you have a JSON based web-service is it still vulnerable to CSRF
> requests?  CORS should be one protection.  For cross domain FORM posts,

They are, if you don't have checks for the content type.

> if the json service checks the media type for application/json it should
> abort the request, correct?

If you want to follow the specification strictly
(http://www.w3.org/TR/cors/#cross-origin-request-status), I would say
yes, they just abort with a "network error".

If you want to mitigate CSRF and other web vulnerabilities, my suggestion
is the CSP specification (http://www.w3.org/TR/CSP11/).


>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

--

abstractj
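The content-type check Bruno describes, combined with the CSRF token Pedro mentions, as an added example that is not code from the thread or from any JBoss project. It assumes a JSON endpoint that receives the request method and headers, and a per-session token the legitimate client echoes in an `X-CSRF-Token` header (the header name, the sample requests and the token value are constructed for illustration).

```python
import hmac

# Methods that do not change state; CSRF only matters for the others.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Media types an HTML form (or a "simple" cross-origin XHR) can send without a
# CORS preflight. A cross-site form post can never carry application/json.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def media_type(content_type):
    """Bare media type, lower-cased, with parameters such as charset stripped."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def check_json_request(method, headers, session_token):
    """Decide whether a request to a JSON endpoint may proceed.

    Returns (accepted, reason). Rejected requests should be answered with a 4xx
    before the body is parsed, so a forged form post never reaches the handler.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    ctype = media_type(h.get("content-type"))
    if ctype != "application/json":
        # Also covers enctype="text/plain", where the body merely looks like JSON.
        kind = "form-capable" if ctype in FORM_TYPES else "unexpected"
        return False, f"{kind} media type {ctype!r}"
    # Defence in depth: a per-session secret the client echoes in a custom
    # header; a foreign origin can neither read nor set it without CORS consent.
    sent = h.get("x-csrf-token", "")
    if not sent or not hmac.compare_digest(sent, session_token):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


# Constructed sample requests (not from the thread), as (method, headers).
SESSION_TOKEN = "s3cret-per-session-token"  # placeholder value
SAMPLES = {
    "legit": ("POST", {"Content-Type": "application/json; charset=utf-8",
                       "X-CSRF-Token": SESSION_TOKEN}),
    "form_post": ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
    "text_plain_json": ("POST", {"Content-Type": "text/plain"}),
    "json_no_token": ("POST", {"Content-Type": "application/json"}),
    "read_only": ("GET", {}),
}


def run_samples():
    """Map each sample name to the (accepted, reason) decision."""
    return {name: check_json_request(m, hdrs, SESSION_TOKEN) for name, (m, hdrs) in SAMPLES.items()}
```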