tags:

views:

283

answers:

3
+2  Q: 

PageMethods security

Hi,

I'm trying to 'AJAX-ify' my site in order to improve the UI experience. In terms of performance, I'm also trying to get rid of the UpdatePanel. I've come across a great article over at Encosia showing a way of posting using PageMethods. My question is, how secure are page methods in a production environment? Being public, can anyone create a JSON script to POST directly to the server, or are there cross-domain checks taking place? My PageMethods would also write the data into the database (after filtering).

I'm using Forms Authentication in my pages and, on page load, it redirects unauthenticated users to the login page. Would the Page Methods on this page also need to check authentication if the user POSTs directly to the method, or is that authentication inherited for the entire page? (Essentially, does the entire page cycle occur even if a user has managed to post only to the PageMethod)?

Thanks

+1  A: 

You're trying to protect against CSRF attacks.

These attacks can be prevented by requiring an authorization code in the POST parameters, and supplying the auth code in the initial page load. (The auth code should be per-IP address and per-user, and should expire quickly)

For added security, you can make each auth-code only usable once, and have each request return a new auth-code. (However, if any request fails, you'll need to reload the page)

SLaks  2010-03-21 01:15:56
Thanks for the help. To clarify, when the page loads, I should generate a code using data such as IP/Session etc... The user then sends a POST request. How do I get the relevant information into the POST parameter from the client side? Is it simply a case of using javascript to get the IP/User-agent info and placing that in the parameters?
keyboardP  2010-03-21 14:38:11
@TenaciousImply - I don't think simple CSRF/XSS are a concern in this situation.
Sky Sanders  2010-03-21 15:02:03
@TenaciousImpy: The I meant that the auth-code should only work for a single IP address/user (eg, a secure hash). However, I believe that Sky Sanders is correct and this is not a concern.
SLaks  2010-03-21 15:08:50
+2  A: 

PageMethods are as secure as the handler in which they reside.

FormsAuthentication will protect everything except the Login page.

On an unprotected handler, like login, you should expose only methods that 1) are not sensitive or 2) validate the user.

EDIT: in response to comments and other answers regarding CSRF and XSS please see http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx

Sky Sanders  2010-03-21 01:19:48
You're ignoring CSRF.
SLaks  2010-03-21 14:06:30
@Slaks - I don't think so. REST methods require application/json content-type. You cannot accomplish this with a CSRF or XSS exploit. It took me a while to track down some corroborating evidence - see http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
Sky Sanders  2010-03-21 14:56:32
Hi Sky Sanders. My PageMethod is designed to allow users to update their profile settings. I'm always using POST (even when retrieving data) and ensuring that the contentType is set. The Page Handler is a standard .aspx handler, where IsAuthenticated is checked at page load. When you say FormsAuthentication will protect everything except the login page, does that mean that the IsAuthenticated (in page load) will be inherited by the Page Method, since they're both on the same page?
keyboardP  2010-03-21 16:02:58
@TenaciousImply - Access to a PageMethod requires, indirectly, processing of the page containing it, so if the page is protected by FormsAuthentication only authenticated request will be processed. You mention using Request.IsAuthenticated in page_load. This is unnecessary as only authenticated request will be able to access the page. As far as login.aspx goes you should always assume the request is NOT authenticated and only expose non-sensitive data/methods.
Sky Sanders  2010-03-21 16:23:43
Ah that makes sense. Thanks for the help!
keyboardP  2010-03-21 16:49:43
A: 

Think of Pagemethods like a mini webservie local to the page. The fact is they will have no extra checks and verifications in place except those that are placed on the entire website, and those that you choose to put in.

Using Pagemethods is a smart idea from the point of view of 'Encapsulation', and if you're going to use them it doesn't hurt trying to put in some extra security measures in place.

Cyril Gupta  2010-03-21 01:23:18

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps