2

I have a basic JsonResult method that is being called by a jQuery $.ajax call in my view.

    [AcceptVerbs(HttpVerbs.Post)]
    public JsonResult DoWork(string param1)
    {
        // do something important 

        // Json() has no parameterless overload; return a result object
        return Json(new { success = true });
    }

So my question is, could this method be called/hacked and passed erroneous data? Let's say it was to create a new user in the system. Could I fake out a call to this method? Should I somehow be protecting this method using some kind of anti-forgery token or anything?

AstroCB
aherrick
  • Related: Hacking (or preventing) JSON hacks in MVC3 http://stackoverflow.com/questions/4914994/using-mvc3s-antiforgerytoken-in-http-get-to-avoid-javascript-csrf-vulnerability – makerofthings7 Feb 06 '11 at 20:19

2 Answers

4

Yes, you should protect it. Anyone can call this method, and pass any value they want. You should always distrust the data you receive.

You could of course secure it using the Authorize attribute:

    [Authorize(Roles = "...")]

or use any other method to identify and authorize the user.

Edit:

The previous link wasn't working anymore. For more information about the anti-forgery token in Ajax, check this SO question: jQuery Ajax calls and the Html.AntiForgeryToken()

I haven't tested this though.

Pbirkoff
  • Right, but let's say I didn't have roles and such defined; is there any way I could use an anti-forgery token? – aherrick Feb 24 '10 at 15:22
  • Without roles, how do you know who can add users and who cannot? – Pbirkoff Feb 24 '10 at 15:36
  • I'm just giving an example of adding users. Is there no way I can protect it so that I know it is coming from the view as a legit request? – aherrick Feb 24 '10 at 16:07
  • Here's an article that might help you: http://www.sogeti-phoenix.com/Blogs/post/2009/05/MVC-ndash3b-Using-AntiForgeryToken-over-AJAX.aspx – Pbirkoff Feb 24 '10 at 16:46
  • @Pbirkoff - Seems like those links you posted are no longer valid. One of them shows the graphic depiction of childbirth... not the AntiForgeryToken information I was hoping to find. – makerofthings7 Feb 06 '11 at 20:14
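As an added example (not code from the question or the answers; the controller name, the role name and the view markup are assumptions), here is the same action with the three protections this thread discusses: POST only, an authenticated and authorised caller, and an anti-forgery token that the jQuery call must send along with the form data:

```csharp
using System.Web.Mvc;

public class AccountController : Controller   // controller name is an assumption
{
    // Serves the page that issues the token. Html.AntiForgeryToken() in the view
    // writes a hidden __RequestVerificationToken field and a matching cookie.
    public ActionResult Create()
    {
        return View();
    }

    [AcceptVerbs(HttpVerbs.Post)]   // a GET (link, <img src>, redirect) is rejected
    [Authorize(Roles = "Admin")]    // caller must be logged in and in the role (role name assumed)
    [ValidateAntiForgeryToken]      // hidden field must match the cookie, else HttpAntiForgeryException
    public JsonResult DoWork(string param1)
    {
        // The token only proves the POST came from a page this site served to this
        // user; the parameter itself is still untrusted input and must be validated.
        if (string.IsNullOrEmpty(param1) || param1.Length > 50)
        {
            Response.StatusCode = 400;
            return Json(new { success = false, error = "param1 is invalid" });
        }

        // ... create the user here ...
        return Json(new { success = true });
    }
}

/* Client side (Create.aspx, WebForms view engine), shown here as a comment:

   <% using (Html.BeginForm()) { %>
       <%= Html.AntiForgeryToken() %>
   <% } %>

   $.ajax({
       type: "POST",
       url: "/Account/DoWork",
       data: {
           param1: "value",
           __RequestVerificationToken: $("input[name='__RequestVerificationToken']").val()
       },
       success: function (result) { alert(result.success); }
   });

   A page on another origin cannot read this hidden field, so it cannot produce
   a POST that passes [ValidateAntiForgeryToken]. */
```

Without the hidden field in the POST body the attribute throws and the action never runs, which is the check the comments above were asking for.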
1

Yes. This method can be called just like any other public controller action.

gautema