user1720624

Securing a Web Method

Say I've got a method in C# MVC to send email with ajax, like:

using System.Net.Mail;
using System.Web.Mvc;

public class mailController : Controller {

    SmtpClient mailserver = new SmtpClient("smtp.foo.com");

    // Reachable as /mail/send?from=...&to=...; every field of the message comes from the caller.
    public string send(string from, string to, string subject = "", string body = "", string cc = "", string bcc = "") {
        MailMessage message = new MailMessage(from, to, subject, body);
        if (cc.Length > 0) {
            message.CC.Add(cc);
        }
        if (bcc.Length > 0) {
            message.Bcc.Add(bcc);
        }
        mailserver.Send(message);
        return "MessageSent";
    }
}

Is there anything I can do to make this more secure? I mean, as it stands anyone can type the relevant info into their address bar (e.g. http://www.foo.com/mail/send?from=etc). If I want to use this for form submission, I can't password protect it, or I'd have to use that in the JavaScript, which is easy to find. I considered setting a cookie and using that as authentication, but that only goes so far. Is there a standard procedure for protecting ajax methods?

Upvotes: 0

Views: 599

Answers (4)

Moshe Pestov

Reputation: 79

As a start you can always store the IP that accessed your controller; if the same IP is trying to send mail at a specific frequency that you define, you can decide to block it or whatever... Secondly, you can generate a random number in your mailing page that will be sent to the controller -> this will allow you to verify that the mail is sent from your site and not from a third party

Upvotes: 0

Daniel James Bryars

Reputation: 4621

Your requirements sound mutually exclusive.

If you do want to leave it public, but you don't want it abused, then maybe you could provide some sort of throttle where you only allow x number of requests from a specific IP address.

You can also use mailto: in an HTML form to prompt the client to send the email.

Upvotes: 0
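The per-IP throttle that Moshe Pestov and Daniel James Bryars both suggest can be expressed as an ASP.NET MVC action filter. The following is an added example, not code from the question or from either answer; the attribute name ThrottleByIp, its Limit/Seconds settings and the values used on the action are assumptions, and it stores its counters in the in-process System.Runtime.Caching.MemoryCache.

```csharp
using System;
using System.Runtime.Caching;
using System.Threading;
using System.Web.Mvc;

// Hypothetical filter (not part of the question's code): permits at most Limit
// requests per client IP to the decorated action within a fixed window of
// Seconds, then answers HTTP 429 without running the action at all.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class ThrottleByIpAttribute : ActionFilterAttribute
{
    private class Counter { public int Count; }

    public int Limit { get; set; }
    public int Seconds { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // UserHostAddress is the TCP peer. Behind a reverse proxy every caller
        // shares the proxy's address, so the proxy-supplied client header would
        // have to be used instead, and trusted only when the peer is that proxy.
        string key = string.Format("throttle:{0}:{1}",
            filterContext.ActionDescriptor.ActionName, request.UserHostAddress);

        // AddOrGetExisting returns null when our fresh counter was stored, or the
        // counter an earlier request stored in this window; the window expires
        // as a whole, so it is not reset by each new request.
        var fresh = new Counter();
        var counter = (Counter)(MemoryCache.Default.AddOrGetExisting(
            key, fresh, DateTimeOffset.UtcNow.AddSeconds(Seconds)) ?? fresh);

        if (Interlocked.Increment(ref counter.Count) > Limit)
        {
            filterContext.HttpContext.Response.AppendHeader("Retry-After", Seconds.ToString());
            filterContext.Result = new HttpStatusCodeResult(429, "Too Many Requests");
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}

// Usage on the question's action (assumed limits): ten sends per address per ten minutes.
public class MailController : Controller
{
    [HttpPost]
    [ThrottleByIp(Limit = 10, Seconds = 600)]
    public ActionResult Send(string subject, string body)
    {
        // build and send the message here, as in the question
        return Content("MessageSent");
    }
}
```

Two caveats a practitioner would want: MemoryCache lives inside one worker process, so the counters vanish on an application recycle and are not shared across a web farm; and an address-based limit only caps the volume of abuse, it does not show that a request came from your own page, since many legitimate users can sit behind one NAT address. The anti-forgery token that Moshe Pestov's "random number" describes is what ties the request to a page your server rendered.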

Mike Brant

Reputation: 71384

You need to implement a secure session token, to prevent unauthorized users (those without valid sessions) from being able to send an email. This is basically no different than any other cross site request forgery (CSRF) attack vector. If you need any additional information just Google 'CSRF protection ASP.NET' or similar to get some more concrete examples of how to do this.

Upvotes: 0

SLaks

Reputation: 887479

You need to validate on the server that the parameters are what you want them to be.

Upvotes: 2
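Putting Mike Brant's point about a session/anti-forgery token together with SLaks' point about validating the parameters on the server, here is a hardened version of the question's controller. It is an added example, not code from the question or from ASP.NET MVC itself; the address constants, the length limits and the Contact/Send action names are assumptions. The token check itself is ASP.NET MVC's own [ValidateAntiForgeryToken] attribute from System.Web.Mvc.

```csharp
using System;
using System.Net.Mail;
using System.Web.Mvc;

public class MailController : Controller
{
    // Constructed values (not from the question): the recipient and the envelope
    // sender are fixed on the server, so the caller no longer chooses to/from/cc/bcc
    // and the endpoint cannot be used to send mail to arbitrary addresses.
    private const string ContactAddress = "contact@example.com";
    private const string SenderAddress = "noreply@example.com";
    private const int MaxSubjectLength = 200;
    private const int MaxBodyLength = 4000;

    private readonly SmtpClient mailserver = new SmtpClient("smtp.foo.com");

    [HttpGet]
    public ActionResult Contact()
    {
        // The Razor view for this action calls @Html.AntiForgeryToken(), which emits
        // the hidden __RequestVerificationToken field and sets the matching cookie.
        return View();
    }

    [HttpPost]                  // a URL typed into the address bar is a GET and never reaches this
    [Authorize]                 // requires an authenticated session; drop if the contact form is public
    [ValidateAntiForgeryToken]  // the token in the POST body must match the one in the cookie
    public ActionResult Send(string replyTo, string subject, string body)
    {
        // Only the three parameters the site actually needs are accepted, and each
        // one is checked against what the server expects before it is used.
        if (string.IsNullOrWhiteSpace(replyTo))
        {
            return new HttpStatusCodeResult(400, "Reply-to address is required");
        }

        MailAddress reply;
        try
        {
            reply = new MailAddress(replyTo.Trim());   // rejects anything that is not one address
        }
        catch (FormatException)
        {
            return new HttpStatusCodeResult(400, "Invalid reply-to address");
        }

        subject = (subject ?? string.Empty).Trim();
        body = (body ?? string.Empty).Trim();
        if (subject.Length == 0 || subject.Length > MaxSubjectLength
            || body.Length == 0 || body.Length > MaxBodyLength)
        {
            return new HttpStatusCodeResult(400, "Subject or body missing or too long");
        }

        var message = new MailMessage(SenderAddress, ContactAddress, subject, body);
        message.ReplyToList.Add(reply);   // the visitor's address goes in Reply-To, not in From
        mailserver.Send(message);

        return Json(new { status = "MessageSent" });
    }
}
```

The page's script has to send what the view rendered: read the value of the hidden `__RequestVerificationToken` input that `@Html.AntiForgeryToken()` emits and include it under that same field name in the POST body, next to `replyTo`, `subject` and `body`. A request typed into the address bar has neither the POST verb nor the token, and a request forged from another site cannot read the token to include it, which is the CSRF protection Mike Brant refers to; fixing the recipient and sender on the server is the validation SLaks refers to.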
