[security-dev] CSRF and json

Bill Burke bburke at redhat.com
Tue May 6 09:48:19 EDT 2014


Aren't XHR-based attacks covered by CORS?

On 5/6/2014 9:44 AM, Pedro Igor Silva wrote:
> But you can still forge the content-type, right ? XHR-based CSRF attacks ...
>
> ----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "Bruno Oliveira" <bruno at abstractj.org>, security-dev at lists.jboss.org
> Sent: Tuesday, May 6, 2014 10:39:41 AM
> Subject: Re: [security-dev] CSRF and json
>
> Well, the endpoints are resteasy.  If the content-type is not
> application/json, then resteasy returns a 415.
>
>
> On 5/6/2014 9:27 AM, Pedro Igor Silva wrote:
>> I see. IMO, checking the content type makes it more difficult because the content type would be text/plain or any other. But you're still vulnerable.
>>
>> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Pedro Igor Silva" <psilva at redhat.com>, "Bruno Oliveira" <bruno at abstractj.org>
>> Cc: security-dev at lists.jboss.org
>> Sent: Tuesday, May 6, 2014 9:37:18 AM
>> Subject: Re: [security-dev] CSRF and json
>>
>> Yeah, knew about the token.  Was looking to avoid using it though.
>>
>> On 5/6/2014 8:27 AM, Pedro Igor Silva wrote:
>>> Also, one of the most popular protections is a CSRF token. This page can be useful.
>>>
>>> https://developer.mozilla.org/en/Persona/Security_Considerations
>>>
>>> ----- Original Message -----
>>> From: "Bruno Oliveira" <bruno at abstractj.org>
>>> To: "Bill Burke" <bburke at redhat.com>
>>> Cc: security-dev at lists.jboss.org
>>> Sent: Monday, May 5, 2014 11:25:19 PM
>>> Subject: Re: [security-dev] CSRF and json
>>>
>>> Good morning Bill
>>>
>>> On 2014-05-05, Bill Burke wrote:
>>>> If you have a JSON based web-service is it still vulnerable to CSRF
>>>> requests?  CORS should be one protection.  For cross domain FORM posts,
>>>
>>> They are, if you don't have checks for the content type.
>>>
>>>> if the json service checks the media type for application/json it should
>>>> abort the request, correct?
>>>
>>> If you want to follow the specification strictly
>>> (http://www.w3.org/TR/cors/#cross-origin-request-status), I would say
>>> yes, they just abort with a "network error".
>>>
>>> If you want to mitigate CSRF and other web vulnerabilities, my suggestion
>>> is the CSP specification (http://www.w3.org/TR/CSP11/).
>>>
>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> security-dev mailing list
>>>> security-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>>
>>> --
>>>
>>> abstractj
>>>
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
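As an added example (not code from this thread, from RESTEasy, or from any of the posters), the Python sketch below layers the three mitigations the thread touches on: the application/json media-type check that RESTEasy's 415 response provides, an Origin/Referer allowlist, and a per-session CSRF token. The Request type, the ALLOWED_ORIGINS value, the X-CSRF-Token header name and every sample request are constructed for this example.

```python
# Added example (not from the thread): layered server-side CSRF checks for a
# JSON endpoint. The Request type, allowlist and header names are assumptions
# made for this example; all requests below are constructed inline.
import hmac
import secrets
from dataclasses import dataclass, field

ALLOWED_ORIGINS = {"https://app.example"}   # constructed allowlist
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    headers: dict
    body: str = ""
    session: dict = field(default_factory=dict)   # server-side session store


def header(req, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def check_media_type(req):
    """Mirror of what a JAX-RS resource consuming application/json does.
    An HTML form can only submit urlencoded, multipart or text/plain bodies,
    so this check alone stops the classic form-based CSRF request."""
    ctype = header(req, "Content-Type") or ""
    if ctype.split(";")[0].strip().lower() != "application/json":
        return 415, "unsupported media type"
    return None


def check_origin(req):
    """Reject state-changing requests whose Origin (or, failing that, the
    scheme://host part of Referer) is not on the allowlist. Treating a
    missing header as a failure is a policy choice made here."""
    if req.method not in STATE_CHANGING:
        return None
    origin = header(req, "Origin")
    if origin is None:
        referer = header(req, "Referer")
        if referer:
            origin = "/".join(referer.split("/", 3)[:3])
    if origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    return None


def issue_csrf_token(session):
    """Create a random per-session token; the client echoes it in a header."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def check_csrf_token(req):
    """Constant-time comparison of the X-CSRF-Token header with the session."""
    expected = req.session.get("csrf")
    supplied = header(req, "X-CSRF-Token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid csrf token"
    return None


def authorize(req):
    """Run the checks in order and return (status, reason); (200, 'ok') when all pass."""
    for check in (check_media_type, check_origin, check_csrf_token):
        failure = check(req)
        if failure:
            return failure
    return 200, "ok"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    same_origin = Request("POST", {"Content-Type": "application/json",
                                   "Origin": "https://app.example",
                                   "X-CSRF-Token": token}, '{"x": 1}', session)
    form_post = Request("POST", {"Content-Type": "application/x-www-form-urlencoded",
                                 "Origin": "https://other.example"}, "x=1", session)
    print(authorize(same_origin), authorize(form_post))
```

The ordering reflects the discussion: the media-type check is cheap and is what the 415 from RESTEasy already gives you, and it is sufficient against an HTML form post because forms cannot set an arbitrary Content-Type. A client that can set Content-Type freely (a non-browser client, or a browser whose CORS preflight the server answers permissively) gets past that first check, which is why the Origin allowlist and the per-session token run afterwards rather than being skipped when the media type looks right.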

