Geek Answers Handbook

ASP.NET PageMethods and JQuery AJAX Post - How Safe Is It?

I have the following scenario - and what I'm really looking for is real help from real people. Suggestions / solutions? You are welcome.

I have an extranet website, for example. www.foo.com (asp.net 3.5) I use jQuery 1.3.2 to call ValidateLogin PageMethods on the default.aspx page (www.foo.com/default.aspx)

The code will look like this:

$.ajax({ type: "POST", contentType: "application/json; charset=utf-8", dataType: "json", url: "Default.aspx/ValidateLogin", data: '{' + arg + '}', success: function(data) { if (data.d != 0) { window.location = "http://www.google.com"; } else { alert("Invalid UserName/Password."); ResetLoginForm(); } }, error: function(xhr, status, error) { var strerror = xhr.status + error; alert("Error Communicating with Server:" + strerror); ResetLoginForm(); } });

The code is stored in an external js file. For ex default.js.

Since this site is publicly available, anyone can download the default.js file and thus take a look at the code above.

My question is: one day the user will receive this URL: "Default.aspx / ValidateLogin", he can make a request to the server, and the server will proudly respond to the request.

What are my options here? How can I check the request? How to prevent these unauthorized requests?

+4
source share
4 answers

Web requests by nature, public. They don’t even need to look at the source file. They could simply control HTTP requests and play back those requests (this is very simple with a tool like a violinist).

Throttling problem

Throttling solutions are truly not viable, although they will reduce the speed of attacks. The problem is that the adversary can write a script that runs for several days. Again, it can use a proxy to send concurrent requests. And if you choke for a username, then the adversary can achieve DoS by trying to mistakenly enter logins in the names of legitimate users and when the actual user tries to log in, he will not know why he is blocked.

Decision

A typical approach is to use nonce keys. This will require some additional work, but it will mitigate the problem, and it is only recommended if you really expect an onslaught of attacks or something like that. A simplified version of this will pass the nonce client key as a parameter to the URI request. First of all, the key is issued by the server to the client. After the request has been made, the server checks the nonce key in the database and resolves the requests. It immediately deletes the nonce key, so the user cannot make another request with the same nonce key, but then the server will need to give the user more nonce keys.

A simplified solution is to allow authenticated users to complete web service requests, but since you are developing a login system, this obviously does not work.

I would not worry about this if you do not have nasty opponents.

+4
source

I assume that you exposed your page method loading the session, so I assume that you can set the session variable when the page loads, and then check if it exists when the page method is called. This is not the safest thing in the world, but it will help.

Personally, I would not try to make it more secure, as others say, web services are inherently public.

+1
source

I would say that there are no problems; However, you probably want to do a "Speed ​​Limit" so that people cannot force the coarse to force it.

0
source

You can also place captcha after two unsuccessful login attempts that will avoid brute force.

0
source

More articles:


All Articles