tags:

views:

1635

answers:

3
+3  Q: 

Block cross domain calls to asp.net .asmx web service

Hi

I've built an application that uses jQuery and JSON to consume an ASP.NET .asmx web service to perform crud operations. The application and .asmx are on the same domain. I dont mind people consuming the read operations of the .asmx remotely but dont want people randomly deleting stuff!!!

I can split the methods i'd like to be publicly accessible and the 'hidden' ones into 2 web services. How can I lock calls to the 'hidden'.asmx web service to the same domain that its hosted in?

Thanks in advance.

Edit: Can someone comment on this, seems plausible ( source: http://www.slideshare.net/simon/web-security-horror-stories-presentation ): Ajax can set Http headers, normal forms cant. Ajax requests must be from the same domain.

So "x-requested-with" "XMLHttpRequest" requests must be from the same domain.

A: 

In AJAX the browser makes the calls, so even if you were to check that the domain is the same it wouldnt be secure enough because it can easily be faked.

You need to use some sort of authetication/autharization tokens (preferably with a time out) to keep things safe.

Sruly  2009-03-07 20:58:40
can you elaborate? how could i the token system you mention?
jdee  2009-03-07 21:02:00
>that should be 'how could i create the token system you mention?' thanks
jdee  2009-03-07 21:02:32
You have to issue a key that the ajax has to send back when the user requests a crud operation. This key should expire after a short period of time, this way only pages that were generated from your server have the key and can perform the operations
Sruly  2009-03-07 21:09:20
There are probably frameworks for this but I dont know of any.
Sruly  2009-03-07 21:09:51
hmm still no clearer. I understand what you are saying but there are so many questions left that I cant close this question out. what issues the key? the web service? how can the webservice be sure the key requester is legit?
jdee  2009-03-07 23:21:33
The web service issues the key. It can be sure the initaial request is legit because it is the regular http request for the page. in the page you can use all the regular auth stuff. Then when you are sure of the legit request you issue a key that gets stored on the client for a limited time span
Sruly  2009-03-07 23:37:49
and the page stores the key in a hidden field and gets posted to the server with each request? whats to stop someone just parsing out the key and fake submitting it? thanks very much for sharing your expertise by the way!
jdee  2009-03-07 23:52:48
I presume the web service has to keep track of the keys it has issued too, and manage the timeouts of those keys?
jdee  2009-03-07 23:56:46
Sruly, a good answer and definitely in the right direction, but I think an expiring key is unnecessary.
Peter J  2009-03-08 07:10:13
A: 

Quick and dirty solution would be to use IP address restrictions to allow only your domain's IP address access via IIS.

Probably better would be using HTTP authentication. There are many ways to do this, I found Authentication in ASP.NET Web Services a helpful overview.

eddiegroves  2009-03-07 21:00:33
+5  A: 

There are two scenarios you need to secure with web services:

  1. Is the user authenticated?
  2. Is the action coming from my page?

The authentication piece is already taken care of if you're using Forms Authentication. If your web service sits in a Forms Authentication-protected area of the site, nobody will be able to access your web services unless they're logged in.

The second scenario is a slightly trickier story. The attack is known as CSRF or XSRF (Cross Site Request Forgery). This means that a malicious website performs actions on behalf of your user while they're still logged in to your site. Here's a great writeup on XSRF.

Jeff Atwood sort of sums it all up in the link above, but here is XSRF protection in four steps:

  1. Write a GUID to your user's cookie.
  2. Before your AJAX call, read this value out of the cookie and add it to the web service POST.
  3. On the server side, compare the FORM value with the cookie value.
  4. Because sites cannot read cookies from another domain, you're safe.
Peter J  2009-03-08 06:57:25

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps