Reputation: 12341
Since ASP.NET MVC2, when you try to return a Json result without additional information, you get an error:
This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request.
You must now set the property JsonRequestBehavior to the value AllowGet:
result.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
I read on a post that this prevents hijacking.
I wanted to know if there is an equivalent with Json.Net to prevent this type of attack.
Here is my code to create the Json result:
protected JsonNetResult JsonNet(object data)
{
    JsonNetResult result = new JsonNetResult();
    result.Data = data;
    return result;
}
And if you want to know where I found the JsonNetResult, here is a link.
Thank you very much.
Upvotes: 3
Views: 5037
Reputation: 1038820
You don't need it because in the custom JsonNetResult that you have shown there's no such test. So you will never get an exception like the one you would get with the standard JsonResult if you invoke the action with GET.
If you wanted, you could implement exactly the same property on your custom JsonNetResult.
public class JsonNetResult : ActionResult
{
    public JsonNetResult()
    {
        SerializerSettings = new JsonSerializerSettings();
        // Deny GET by default, as the standard JsonResult does
        JsonRequestBehavior = JsonRequestBehavior.DenyGet;
    }

    public JsonRequestBehavior JsonRequestBehavior { get; set; }

    // ...

    public override void ExecuteResult(ControllerContext context)
    {
        if (context == null)
            throw new ArgumentNullException("context");

        // Reject GET requests unless the action opted in with AllowGet
        var httpMethod = context.HttpContext.Request.HttpMethod;
        if (JsonRequestBehavior == JsonRequestBehavior.DenyGet &&
            string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("You can't access this action with GET");
        }

        // ...
    }
}
And if you wanted to explicitly allow this for a particular action:
protected ActionResult JsonNet(object data)
{
    JsonNetResult result = new JsonNetResult();
    result.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
    result.Data = data;
    return result;
}
Upvotes: 4
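A complete version of the result class sketched in the answer above, as an added example that is not part of the original posts or of the linked JsonNetResult code. The serialization body, the `Data` property and the `JsonNetController` base class with its two `JsonNet` overloads are assumptions made for illustration; the overloads keep DenyGet as the default, so AllowGet has to be chosen per action rather than inside a shared helper.

```csharp
using System;
using System.Web.Mvc;
using Newtonsoft.Json;

public class JsonNetResult : ActionResult
{
    public JsonNetResult()
    {
        SerializerSettings = new JsonSerializerSettings();
        JsonRequestBehavior = JsonRequestBehavior.DenyGet; // deny GET unless an action opts in
    }

    public object Data { get; set; }
    public JsonSerializerSettings SerializerSettings { get; set; }
    public JsonRequestBehavior JsonRequestBehavior { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        if (context == null)
            throw new ArgumentNullException("context");

        // Check the verb before anything is written to the response.
        var httpMethod = context.HttpContext.Request.HttpMethod;
        if (JsonRequestBehavior == JsonRequestBehavior.DenyGet &&
            string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("You can't access this action with GET");
        }

        var response = context.HttpContext.Response;
        response.ContentType = "application/json";
        if (Data != null)
            response.Write(JsonConvert.SerializeObject(Data, Formatting.None, SerializerSettings));
    }
}

// Hypothetical base controller: helpers mirror Controller.Json(data) / Json(data, behavior).
public abstract class JsonNetController : Controller
{
    protected JsonNetResult JsonNet(object data)
    {
        return JsonNet(data, JsonRequestBehavior.DenyGet);
    }

    protected JsonNetResult JsonNet(object data, JsonRequestBehavior behavior)
    {
        return new JsonNetResult { Data = data, JsonRequestBehavior = behavior };
    }
}
```

An action that must answer GET calls `JsonNet(model, JsonRequestBehavior.AllowGet)`; every other action gets the GET check without extra code.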