user1044169

Reputation: 2866

Securing JSON services

I have a website that heavily uses JSON calls from jQuery to web services hosted in the same web domain. Many calls are made from the public pages that don't require visitors to login.

It appears that I can replay these JSON calls using Fiddler, which is a big problem, since now a malicious user can capture a Fiddler trace just by opening my site and then, all bets are off, who knows what he/she can do.

Is there a way to secure a web service, so only those JSON calls that are made from the site's pages are allowed on the server? I am using ASP.NET MVC on the backend.

Thank you.


Thank you all for contributing to this topic. I have a follow up question:

What about SSL? If I placed all my services in a folder secured with SSL, would that be a catch-all solution (at the expense of performance)? Thanks.

Upvotes: 1

Views: 2456

Answers (4)

Tamas

Reputation: 3442

Regarding the follow-up question:

SSL only secures the connection between the browser and your server, i.e. nobody can inspect the communication between the two. (A man in the middle, for example, who might change the content of the call along the way.) It doesn't prevent an attacker from making his own JSON calls. The difference will be that his calls are encrypted and cannot be inspected by anyone else but your server.

Upvotes: 0

Tamas

Reputation: 3442

There are multiple ways to check the validity of a JSON call, and each gives you a different level of security:

  • Check that the Referer HTTP header contains the URL of your site. That gives you basic security, so your calls won't be accessible to regular users through Fiddler, for example.
  • If the content of the JSON was generated server side, then you can sign the JSON content so only those calls will be accepted that you have previously generated at server side. Check out JSON Web Token (JWT), for example.
  • If the JSON content was not generated at server side, you can still issue one-time "tickets" that have to be present along with each JSON call. You have to check the validity of the ticket at server side, and that the ticket was used only once.

Upvotes: 0

Subir Kumar Sao

Reputation: 8401

I would suggest authenticating each JSON service request, e.g. by passing an access_token.

Each service request must be verified against the user accessing it. Does he have the right to access this service/data?

The same thing should be done for guest users. Only limited services/data should be exposed to guest users.

Take inspiration from the Facebook API.

Upvotes: 0

Atif

Reputation: 10880

The answer is No. The user can always simulate HTTP requests made by the browser. So you have to code your back end in such a way that it is able to handle all the exceptions and malicious attempts.

  1. Use a nonce for all your requests. This might be tricky to implement but is one of the most important things that come to mind.

  2. Track the User-Agent and reject all requests that come from non-standard browsers.

  3. Check the Referrer and make sure the request is coming from the expected page, or at least from the same domain.

  4. Include a tracking session/cookie variable to keep track.

However, all of these things can be evaded so the best bet is to make your back end system more secure to handle any user input.

Upvotes: 1
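The Referer check and the one-time ticket/nonce that Tamas's and Atif's answers both describe can be combined in one ASP.NET MVC action filter. The code below is an added example written for this page, not code from any of the answers or from the asker's site. It assumes the page renders a fresh ticket into its own HTML (e.g. `<script>var ticket = '@RequestTicket.Issue()';</script>`), that the jQuery code sends it in a hypothetical `X-Request-Ticket` header on every JSON call, and that the HMAC key is loaded from configuration rather than the placeholder string shown here. The ticket is a random nonce plus expiry, signed with HMAC-SHA256 so it cannot be forged, and the nonce is recorded in `HttpContext.Cache` on first use so a replayed Fiddler capture is refused.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Caching;
using System.Web.Mvc;

// Issues and validates single-use request tickets (added example, not the page's own code).
// A ticket is "<base64 nonce>.<expiry ticks>.<base64 HMAC>"; base64 never contains '.',
// so splitting on the last '.' separates payload from signature unambiguously.
public static class RequestTicket
{
    // Assumed: the real key is a random 32+ byte secret read from configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("PLACEHOLDER-load-real-key-from-config");
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(10);

    // Called from the view so the page's own scripts can send the ticket with each JSON call.
    public static string Issue()
    {
        byte[] nonce = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(nonce);
        string payload = Convert.ToBase64String(nonce) + "." + DateTime.UtcNow.Add(Lifetime).Ticks;
        return payload + "." + Sign(payload);
    }

    // Returns true exactly once per ticket: a second call with the same ticket (a replay) fails.
    public static bool Consume(string ticket, Cache cache)
    {
        if (string.IsNullOrEmpty(ticket)) return false;
        int sep = ticket.LastIndexOf('.');
        if (sep <= 0) return false;
        string payload = ticket.Substring(0, sep);
        string mac = ticket.Substring(sep + 1);
        if (!FixedTimeEquals(Sign(payload), mac)) return false;       // forged or tampered

        string[] parts = payload.Split('.');
        long expires;
        if (parts.Length != 2 || !long.TryParse(parts[1], out expires)) return false;
        if (DateTime.UtcNow.Ticks > expires) return false;            // expired

        // Replay check. Cache.Add is atomic: it returns null when the key was inserted
        // and the existing object when another request already consumed this nonce.
        object previous = cache.Add("ticket:" + parts[0], true, null,
            new DateTime(expires, DateTimeKind.Utc), Cache.NoSlidingExpiration,
            CacheItemPriority.Normal, null);
        return previous == null;
    }

    private static string Sign(string payload)
    {
        using (var h = new HMACSHA256(Key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Constant-time comparison so the signature check does not leak via timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Apply to JSON actions: requires a same-origin Referer and a valid, unused ticket.
public class RequireSiteTicketAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Cheap first gate. A client can set Referer to anything, so this only
        // filters casual replays; the ticket below is what actually stops them.
        Uri referrer = request.UrlReferrer;
        if (referrer == null ||
            !string.Equals(referrer.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Cross-site request refused");
            return;
        }

        // Single-use ticket (hypothetical header name): a replayed capture reuses a consumed nonce.
        string ticket = request.Headers["X-Request-Ticket"];
        if (!RequestTicket.Consume(ticket, filterContext.HttpContext.Cache))
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Missing, invalid or replayed ticket");
            return;
        }
        base.OnActionExecuting(filterContext);
    }
}

// Usage: [RequireSiteTicket] public JsonResult GetPrices() { ... }
```

Two limits worth knowing before relying on this. First, it only makes the captured request unreplayable; anyone can still load the public page, read the fresh ticket out of the HTML and issue one call with it, which is why Atif's closing advice (validate every input on the back end) still applies. Second, `HttpContext.Cache` is per web server, so in a web farm the "already used" record must live in a shared store such as a database or distributed cache, otherwise the same ticket could be accepted once on each server.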
