Hi,

I'm trying to 'AJAX-ify' my site in order to improve the UI experience. In terms of performance, I'm also trying to get rid of the UpdatePanel. I've come across a great article over at Encosia showing a way of posting using PageMethods. My question is, how secure are page methods in a production environment? Being public, can anyone create a JSON script to POST directly to the server, or are there cross-domain checks taking place? My PageMethods would also write the data into the database (after filtering).

I'm using Forms Authentication in my pages and, on page load, it redirects unauthenticated users to the login page. Would the Page Methods on this page also need to check authentication if the user POSTs directly to the method, or is that authentication inherited for the entire page? (Essentially, does the entire page cycle occur even if a user has managed to post only to the PageMethod)?

Thanks

+1  A: 

You're trying to protect against CSRF attacks.

These attacks can be prevented by requiring an authorization code in the POST parameters, and supplying the auth code in the initial page load. (The auth code should be per-IP address and per-user, and should expire quickly)

For added security, you can make each auth-code only usable once, and have each request return a new auth-code. (However, if any request fails, you'll need to reload the page)

SLaks
Thanks for the help. To clarify, when the page loads, I should generate a code using data such as IP/Session etc... The user then sends a POST request. How do I get the relevant information into the POST parameter from the client side? Is it simply a case of using javascript to get the IP/User-agent info and placing that in the parameters?
keyboardP
@TenaciousImply - I don't think simple CSRF/XSS are a concern in this situation.
Sky Sanders
@TenaciousImpy: I meant that the auth-code should only work for a single IP address/user (eg, a secure hash). However, I believe that Sky Sanders is correct and this is not a concern.
SLaks
+2  A: 

PageMethods are as secure as the handler in which they reside.

FormsAuthentication will protect everything except the Login page.

On an unprotected handler, like login, you should expose only methods that 1) are not sensitive or 2) validate the user.

EDIT: in response to comments and other answers regarding CSRF and XSS please see http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx

Sky Sanders
You're ignoring CSRF.
SLaks
@Slaks - I don't think so. REST methods require application/json content-type. You cannot accomplish this with a CSRF or XSS exploit. It took me a while to track down some corroborating evidence - see http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
Sky Sanders
Hi Sky Sanders. My PageMethod is designed to allow users to update their profile settings. I'm always using POST (even when retrieving data) and ensuring that the contentType is set. The Page Handler is a standard .aspx handler, where IsAuthenticated is checked at page load. When you say FormsAuthentication will protect everything except the login page, does that mean that the IsAuthenticated (in page load) will be inherited by the Page Method, since they're both on the same page?
keyboardP
@TenaciousImply - Access to a PageMethod requires, indirectly, processing of the page containing it, so if the page is protected by FormsAuthentication only authenticated requests will be processed. You mention using Request.IsAuthenticated in page_load. This is unnecessary as only authenticated requests will be able to access the page. As far as login.aspx goes you should always assume the request is NOT authenticated and only expose non-sensitive data/methods.
Sky Sanders
Ah that makes sense. Thanks for the help!
keyboardP
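An added example (not code from the thread or from ASP.NET itself) that puts both answers above into one Web Forms page: the PageMethod re-checks Forms Authentication itself, as Sky Sanders describes, and it also demands the per-user, expiring token that SLaks describes, issued on page load and echoed back by the client. The page class, the `ProfileRepository` call, the hidden field name and the secret are all hypothetical; the token is bound to the user name only (SLaks also suggested binding it to the IP address), and it assumes a `ScriptManager` with `EnablePageMethods="true"` on the page.

```csharp
// Added example, not from the thread: an ASP.NET Web Forms page whose PageMethod
// checks Forms Authentication and a per-user, expiring anti-forgery token.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.Services;
using System.Web.UI;

public partial class Profile : Page
{
    // Hypothetical server secret; load it from protected configuration in practice.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("replace-with-a-random-secret");
    private const int TokenLifetimeMinutes = 15;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            Response.Redirect(FormsAuthentication.LoginUrl, true);
            return;
        }
        // Hand the token to the page's script; the client only echoes it back,
        // it never has to compute anything about IP or user itself.
        ClientScript.RegisterHiddenField("__ajaxToken", IssueToken(User.Identity.Name));
    }

    // Token = base64(expiryTicks "|" base64(HMAC-SHA256(secret, user "|" expiryTicks)))
    internal static string IssueToken(string user)
    {
        long expiry = DateTime.UtcNow.AddMinutes(TokenLifetimeMinutes).Ticks;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(expiry + "|" + Mac(user, expiry)));
    }

    internal static bool IsTokenValid(string token, string user)
    {
        if (string.IsNullOrEmpty(token) || string.IsNullOrEmpty(user)) return false;
        string[] parts;
        try { parts = Encoding.UTF8.GetString(Convert.FromBase64String(token)).Split('|'); }
        catch (FormatException) { return false; }
        long expiry;
        if (parts.Length != 2 || !long.TryParse(parts[0], out expiry)) return false;
        if (expiry < DateTime.UtcNow.Ticks) return false;            // expired
        byte[] expected = Encoding.UTF8.GetBytes(Mac(user, expiry)); // bound to this user
        byte[] given = Encoding.UTF8.GetBytes(parts[1]);
        return ConstantTimeEquals(expected, given);
    }

    private static string Mac(string user, long expiry)
    {
        using (var hmac = new HMACSHA256(Secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(user + "|" + expiry)));
    }

    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // PageMethod. ScriptManager only dispatches this for a POST whose
    // Content-Type is application/json (see the linked ScottGu article), which
    // already blocks a plain cross-site form post; the checks below are defence in
    // depth for anything that reaches the method directly.
    [WebMethod]
    public static string UpdateDisplayName(string token, string displayName)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("not signed in");
        if (!IsTokenValid(token, ctx.User.Identity.Name))
            throw new UnauthorizedAccessException("missing or stale token");
        // Validate input before it reaches the database (hypothetical repository).
        if (string.IsNullOrWhiteSpace(displayName) || displayName.Length > 40)
            throw new ArgumentException("displayName must be 1-40 characters");
        ProfileRepository.SetDisplayName(ctx.User.Identity.Name, displayName.Trim());
        return "ok";
    }
}
```

From the page's script the call is simply `PageMethods.UpdateDisplayName(document.getElementById('__ajaxToken').value, name, onSuccess, onFailure)`. The token carries its own expiry and is verified by recomputing the HMAC, so the server keeps no per-token state; if you want SLaks's single-use variant, record used tokens in session and return a fresh one from each call.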
A: 

Think of PageMethods like a mini web service local to the page. The fact is they will have no extra checks and verifications in place except those that are placed on the entire website, and those that you choose to put in.

Using PageMethods is a smart idea from the point of view of 'Encapsulation', and if you're going to use them it doesn't hurt to put some extra security measures in place.

Cyril Gupta