Republished with Permission - Original Article
Recently, security researchers have published reports describing how attackers can use the JSON wire format used by most popular AJAX frameworks to try to exploit cross-domain scripts within browsers. Specifically, these attacks use HTTP GET requests invoked via an HTML <script src=""> include element to circumvent the "same origin policy" enforced by browsers (which limits JavaScript objects like XmlHttpRequest to calling only URLs on the same domain that the page was loaded from), and then look for ways to exploit the JSON payload content.
ASP.NET AJAX 1.0 includes a number of default settings and built-in features that prevent it from being susceptible to these types of JSON hijacking attacks. Below are some details of how these attacks are mitigated:
ASP.NET AJAX Web Methods do not enable HTTP GET requests by default
Script files loaded via an HTML <script src=""> element within a browser can only be retrieved via HTTP GET requests.
By default, ASP.NET AJAX's web services layer does not allow web methods to be invoked via the HTTP GET verb. For example, assume a developer writes a web service method like the one below:
Listing 1
[WebMethod]
public StockQuote[] GetQuotes(string symbol) {
    // no ScriptMethod attribute: ASP.NET AJAX exposes this method for HTTP POST only
}
ASP.NET will only allow the above GetQuotes method to be called via the HTTP POST verb, and will reject all attempts to invoke the method via an HTTP GET verb.
To make an ASP.NET AJAX web method callable via HTTP GET, a developer must explicitly attribute each method with ASP.NET's ScriptMethod attribute and set its UseHttpGet property to true:
Listing 2
[WebMethod]
[ScriptMethod(UseHttpGet=true)]
public StockQuote[] GetQuotes(string symbol) {
    // UseHttpGet=true is the only way this method becomes callable via HTTP GET
}
Although this modification is easy to make, it requires a developer to intentionally GET-enable a web service. ASP.NET AJAX web services can never be GET-enabled non-deliberately, and the ASP.NET AJAX documentation explicitly recommends against GET-enabling web-service endpoints, for a number of reasons (the risk of URL tampering being one of them).
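A code-review check that follows from the point above, as an added example that is not part of the original article and not ASP.NET's own tooling: a small Python scanner that lists every [WebMethod] in a C# source file and flags the ones that have been explicitly GET-enabled with [ScriptMethod(UseHttpGet=true)], so that no endpoint is GET-enabled without review. The C# sample it scans is constructed here; the service and method names are assumptions.

```python
import re

# Constructed sample of a C# web service (not from the original article).
SAMPLE_SOURCE = r'''
[ScriptService]
public class StockService : WebService {
    [WebMethod]
    public StockQuote[] GetQuotes(string symbol) { ... }

    [WebMethod]
    [ScriptMethod(UseHttpGet = true)]
    public StockQuote[] GetQuotesViaGet(string symbol) { ... }

    [WebMethod]
    [ScriptMethod(UseHttpGet = false, ResponseFormat = ResponseFormat.Json)]
    public Portfolio GetPortfolio() { ... }
}
'''

# A C# attribute: [Name] or [Name(args)]; captures (name, args).
ATTR_RE = re.compile(r'\[\s*(\w+)\s*(?:\(([^)]*)\))?\s*\]')
# A method declaration head: optional modifiers, a return type, a name, then "(".
# This is a line-oriented heuristic, not a full C# parser.
METHOD_DECL_RE = re.compile(
    r'^(?:(?:public|internal|protected|private|static|virtual|override)\s+)*'
    r'(?P<type>[\w.<>\[\],]+)\s+(?P<name>\w+)\s*\(')
GET_TRUE_RE = re.compile(r'UseHttpGet\s*=\s*true')


def audit_web_methods(source):
    """Return [(method_name, allows_get)] for every [WebMethod] in source."""
    findings = []
    pending = []  # attributes seen since the last non-attribute line
    for raw in source.splitlines():
        line = raw.strip()
        pending.extend(ATTR_RE.findall(line))
        rest = ATTR_RE.sub('', line).strip()
        if not rest:
            continue  # attribute-only or blank line; keep accumulating
        m = METHOD_DECL_RE.match(rest)
        if m and any(name == 'WebMethod' for name, _ in pending):
            # GET is allowed only when a ScriptMethod attribute says UseHttpGet=true.
            allows_get = any(name == 'ScriptMethod' and GET_TRUE_RE.search(args)
                             for name, args in pending)
            findings.append((m.group('name'), bool(allows_get)))
        pending = []  # attributes apply only to the declaration that follows them
    return findings


def get_enabled_methods(source):
    """Names of web methods that a reviewer should look at: they accept HTTP GET."""
    return [name for name, allows_get in audit_web_methods(source) if allows_get]


if __name__ == '__main__':
    for name, allows_get in audit_web_methods(SAMPLE_SOURCE):
        print(f"{name}: {'GET-enabled (review)' if allows_get else 'POST only'}")
```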
Note: the ASP.NET AJAX "UpdatePanel" control, as well as the other server controls that ship with ASP.NET AJAX 1.0, do not use HTTP GET; they use HTTP POST when performing asynchronous postbacks.