Reputation: 12070
Block cross domain calls to asp.net .asmx web service
I've built an application that uses jQuery and JSON to consume an ASP.NET .asmx web service to perform crud operations. The application and .asmx are on the same domain. I dont mind people consuming the read operations of the .asmx remotely but dont want people randomly deleting stuff!!!
I can split the methods i'd like to be publicly accessible and the 'hidden' ones into 2 web services. How can I lock calls to the 'hidden'.asmx web service to the same domain that its hosted in?
Thanks in advance.
Edit: Can someone comment on this, seems plausible ( source: http://www.slideshare.net/simon/web-security-horror-stories-presentation ): Ajax can set Http headers, normal forms cant. Ajax requests must be from the same domain.
So "x-requested-with" "XMLHttpRequest" requests must be from the same domain.
Upvotes: 6
Views: 5197
Answers (3)
Reputation: 57958
There are two scenarios you need to secure with web services:
- Is the user authenticated?
- Is the action coming from my page?
The authentication piece is already taken care of if you're using Forms Authentication. If your web service sits in a Forms Authentication-protected area of the site, nobody will be able to access your web services unless they're logged in.
The second scenario is a slightly trickier story. The attack is known as CSRF or XSRF (Cross Site Request Forgery). This means that a malicious website performs actions on behalf of your user while they're still logged in to your site. Here's a great writeup on XSRF.
Jeff Atwood sort of sums it all up in the link above, but here is XSRF protection in four steps:
- Write a GUID to your user's cookie.
- Before your AJAX call, read this value out of the cookie and add it to the web service POST.
- On the server side, compare the FORM value with the cookie value.
- Because sites cannot read cookies from another domain, you're safe.
Upvotes: 8
Reputation: 34848
Quick and dirty solution would be to use IP address restrictions to allow only your domain's IP address access via IIS.
Probably better would be using HTTP authentication. There are many ways to do this, I found Authentication in ASP.NET Web Services a helpful overview.
Upvotes: -1
Reputation: 10540
In AJAX the browser makes the calls, so even if you were to check that the domain is the same it wouldnt be secure enough because it can easily be faked.
You need to use some sort of authetication/autharization tokens (preferably with a time out) to keep things safe.
Upvotes: -1
Related Questions
- Protect Web API from Cross-Origin requests
- Access-Control-Allow-Origin in asp.net web service
- How can I securely call a web service (.asmx) which is used for internal purposes from Jquery in a ASP.Net Web Forms application?
- jQuery ajax call to web service (asmx) triggers an authentication popup
- how to disable WebService call from other domains
- How to stop other website to send cross domain ajax requests?
- How to Secure ASP.NET Web API with Cross Domain AJAX Calls?
- securing an asp.net web service for use with jquery ajax
- How do you protect Web Services when using it as JSON via Jquery?
- Prevent direct access to JSON Web Service