Are JSON web services vulnerable to CSRF attacks?

I am creating a web service that exclusively uses JSON for its request and response content (i.e. without encoded payload).

Is the web service vulnerable to a CSRF attack if the following is true:

  • Any POST request without a top-level JSON object, for example {"foo":"bar"} , will be rejected with a 400. For example, a POST request with the content 42 will be rejected in this way.

  • Any POST request with a content type other than application/json will be rejected with a 400. For example, a POST request with the content type application/x-www-form-urlencoded will be rejected in this way.

  • All GET requests will be safe and thus will not modify server data.

  • Clients are authenticated through session cookies that the web service provides them after they provide the correct username / password pair via POST with JSON data, for example {"username":"user@example.com", "password":"my password"} .

Auxiliary question: are PUT and DELETE requests always vulnerable to CSRF? I ask because it seems that most (all?) browsers prohibit these methods in HTML forms.

EDIT: Added item # 4.

EDIT: A lot of good comments and answers so far, but no one has offered a specific CSRF attack for which this web service is vulnerable.

+49
security csrf
Jun 13 2018-12-12T00:
4 answers

Forging arbitrary CSRF requests with arbitrary media types is feasible only with XHR, because a form's method is limited to GET and POST, and a form's POST message body is also limited to the three formats application/x-www-form-urlencoded , multipart/form-data and text/plain . However, with the text/plain form encoding you can still forge requests containing valid JSON data.

Thus, the only threat comes from XHR-based CSRF attacks. And they will only be successful if they either

  • run from the same origin, so basically from your own website in some way (e.g. XSS), or
  • run from another origin and the server
+47
Jun 13 2018-12-12T00:

I have some doubts about point 3. Although it can be considered safe because it does not change the data on the server side, the data can still be read, and the risk is that it can be stolen.

http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/

-1
Mar 07 '14 at 17:34

With Ajax, you can use CSRF against RESTful JSON services. I tested this in an application (using both Chrome and Firefox). You must change the contentType to text/plain and the dataType to JSON in order to avoid a preflight check request. Then you can send the request, but to send session data you need to set the withCredentials flag in your Ajax request. I discuss this in more detail here (links included):

http://wsecblog.blogspot.be/2016/03/csrf-with-json-post-via-ajax.html

-1
Mar 18 '16 at 10:39

Is the web service vulnerable to a CSRF attack if the following is true:

Yes. It is still HTTP.

Are PUT and DELETE requests always vulnerable to CSRF?

Yes

it seems that most (all?) browsers prohibit these methods in HTML forms

Do you think the browser is the only way to make an HTTP request?

-6
Jun 13 2018-12-12T00:
