I have a basic JsonResult method that is being called by a jQuery $.ajax call in my view.

    using System.Web.Mvc;

    public class WorkController : Controller
    {
        [AcceptVerbs(HttpVerbs.Post)]
        public JsonResult DoWork(string param1)
        {
            // do something important 

            // Json() needs an object to serialize; an empty call does not compile.
            return Json(new { success = true });
        }
    }

So my question is, could this method be called/hacked and passed erroneous data? Let's say it was to create a new user in the system. Could I fake out a call to this method? Should I somehow be protecting this method using some kind of anti-forgery token or anything?

+1  A: 

Yes. This method can be called just like any other public controller action.

gautema
+3  A: 

Yes, you should protect it. Anyone can call this method, and pass any value they want. You should always distrust the data you receive.

You could of course secure it using the Authorize attribute:

[Authorize(Roles = "...")]

or use any other method to identify and authorize the user.

Edit:

I found an article with some more information about using the AntiForgeryToken in Ajax: http://www.sogeti-phoenix.com/Blogs/post/2009/05/MVC-ndash3b-Using-AntiForgeryToken-over-AJAX.aspx

I haven't tested this though.

Pbirkoff
Right, but let's say I didn't have roles and such defined; is there any way I could use an anti-forgery token?
aherrick
Without roles, how do you know who can add users and who cannot?
Pbirkoff
I'm just giving an example of adding users. Is there no way I can protect it so that I know it is coming from the view as a legitimate request?
aherrick
Here's an article that might help you: http://www.sogeti-phoenix.com/Blogs/post/2009/05/MVC-ndash3b-Using-AntiForgeryToken-over-AJAX.aspx
Pbirkoff
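The two guards discussed in the answer above and in the follow-up comments (authorization for "who may call this", an anti-forgery token for "did this request come from a page we served") can be applied to the questioner's own action. The following is an added example written for this page, not code from the original post or from the linked article; the controller name, the action names, the "Admin" role and the length check on param1 are assumptions.

```csharp
using System.Web.Mvc;

// Added example, not code from the original post. Controller/action
// names and the "Admin" role are assumptions for illustration.
public class WorkController : Controller
{
    // Serves the page that will issue the $.ajax call. The view must
    // render <%= Html.AntiForgeryToken() %> (ASP.NET MVC 1/2 syntax),
    // which emits a hidden __RequestVerificationToken form field and
    // sets the matching __RequestVerificationToken cookie on the response.
    public ActionResult Index()
    {
        return View();
    }

    // 1. AcceptVerbs(Post): a plain GET (for example a link an attacker
    //    tricks a logged-in user into clicking) never reaches the body.
    // 2. Authorize: anonymous callers are rejected before the body runs.
    //    If the application has no roles, [Authorize] on its own still
    //    requires an authenticated user.
    // 3. ValidateAntiForgeryToken: the posted __RequestVerificationToken
    //    form field must match the token carried in the cookie. A form or
    //    script on another origin cannot read that cookie, so it cannot
    //    forge the pair. This check needs no roles at all, which answers
    //    the follow-up question in the comments.
    [AcceptVerbs(HttpVerbs.Post)]
    [Authorize(Roles = "Admin")]
    [ValidateAntiForgeryToken]
    public JsonResult DoWork(string param1)
    {
        // Both attributes only establish who sent the request and from
        // where. The value itself is still attacker-controlled: any user
        // who passes both checks can send any param1 they like, so the
        // action must still validate it (bounds assumed for the example).
        if (string.IsNullOrEmpty(param1) || param1.Length > 64)
        {
            Response.StatusCode = 400;
            return Json(new { success = false, error = "invalid param1" });
        }

        // do something important with param1 here (e.g. create the user)

        return Json(new { success = true });
    }
}
```

On the client side the jQuery call has to send the token the same way a normal form post would: read the hidden `__RequestVerificationToken` input that `Html.AntiForgeryToken()` rendered and include it in the `data` object of the `$.ajax` POST alongside `param1`, form-encoded rather than as a JSON body, because `ValidateAntiForgeryToken` reads the token from the posted form collection. If the field is missing or does not match the cookie the action is never entered and the request fails before any of the body executes.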