JSON Hijacking and How ASP.NET AJAX 1.0 Avoids these Attacks: ASP Alliance

Print Add To Favorites Email To Friend Rate This Article
JSON Hijacking and How ASP.NET AJAX 1.0 Avoids these Attacks

page 1 of 4

Published: 04 Apr 2007

Unedited - Community Contributed

Abstract
In this article, scott examines how ASP.NET AJAX 1.0 avoids JSON hijacking.

by Scott Guthrie
Feedback

Average Rating:

Views (Total / Last 10 Days): 29127/ 36

Article Contents:

Introduction

Republished with Permission - Original Article

Recently some reports have been issued by security researchers describing ways hackers can use the JSON wire format used by most popular AJAX frameworks to try and exploit cross domain scripts within browsers. Specifically, these attacks use HTTP GET requests invoked via an HTML <script src=""> include element to circumvent the "same origin policy" enforced by browsers (which limits JavaScript objects like XmlHttpRequest to only calling URLs on the same domain that the page was loaded from), and then look for ways to exploit the JSON payload content.

ASP.NET AJAX 1.0 includes a number of default settings and built-in features that prevent it from being susceptible to these types of JSON hijacking attacks. Below are some details of how these attacks are mitigated:

ASP.NET AJAX Web Methods do not enable HTTP GET requests by default

Script files loaded via an HTML <script src=""> element within a browser can only be retrieved via HTTP GET verb requests.

By default ASP.NET AJAX's web services layer does not allow web methods to be invoked via the HTTP GET verb. For example, assume a developer writes a web service method like below:

Listing 1

[WebMethod]
 public StockQuote[] GetQuotes(string symbol) {
 }

ASP.NET will only allow the above GetQuotes method to be called via the HTTP POST verb, and will reject all attempts to invoke the method via an HTTP GET verb.

To make an ASP.NET AJAX web-method callable via HTTP GET-access, a developer must explicitly attribute each method using ASP.NET's ScriptMethod attribute (and set the UseHttpGet property to true):

Listing 2

[WebMethod] 
 [ScriptMethod(UseHttpGet=true)] 
 public StockQuote[] GetQuotes(string symbol) { 
 }

Although this type of modification is easy to make, it requires a developer to intentionally GET enable a web service. ASP.NET AJAX web services can never be non-deliberately GET enabled, and the ASP.NET AJAX documentation explicitly recommends against GET enabling web-service end points for a number of reasons (risk of url tampering being one of them).

Note: the ASP.NET AJAX "UpdatePanel" control, as well as the other server controls that ship with ASP.NET AJAX 1.0, do not use HTTP GET and instead use HTTP POSTs when doing asynchronous postbacks.