38

I do not understand this error. The "JsonResult Test()" method does not generate an error in other projects I am doing in ASP.NET MVC.

Thanks

Error:

System.InvalidOperationException: This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.

[InvalidOperationException: This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.]
   System.Web.Mvc.JsonResult.ExecuteResult(ControllerContext context) +263733
   System.Web.Mvc.ControllerActionInvoker.InvokeActionResult(ControllerContext controllerContext, ActionResult actionResult) +10
   System.Web.Mvc.<>c__DisplayClass14.<InvokeActionResultWithFilters>b__11() +20
   System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation) +251
   System.Web.Mvc.<>c__DisplayClass16.<InvokeActionResultWithFilters>b__13() +19
   System.Web.Mvc.ControllerActionInvoker.InvokeActionResultWithFilters(ControllerContext controllerContext, IList`1 filters, ActionResult actionResult) +178
   System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +314
   System.Web.Mvc.Controller.ExecuteCore() +105
   System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +39
   System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +7
   System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__4() +34
   System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +21
   System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +12
   System.Web.Mvc.Async.WrappedAsyncResult`1.End() +59
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +44
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +7
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8678910
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace Tesis.Controllers
{
    public class AnalysisSourceDataController : Controller
    {
        //
        // GET: /AnalysisSourceData/

        public ActionResult Index()
        {
            return View();
        }

        // Called with a GET from the page script below; Json() without a
        // JsonRequestBehavior argument defaults to DenyGet, which is what
        // raises the InvalidOperationException shown above.
        public JsonResult Test()
        {
            return Json(new { mymsg = "my msg" });
        }
    }
}
```

```javascript
<script type="text/javascript">
    // $.getJSON issues a GET request, so it hits the DenyGet check on the server.
    $(function() {
        $.getJSON("/AnalysisSourceData/Test", function(data) {
            alert(data.mymsg);
        });
    });
</script>
```
andres descalzo
  • 14,887
  • 13
  • 64
  • 115

1 Answer

67

What don't you understand? The error could hardly be more descriptive. It's a security feature to prevent JSON hijacking; you can disable it like this:

```csharp
return Json(new { mymsg = "my msg" }, JsonRequestBehavior.AllowGet);
```

but you should understand the implications.

Paul Creasey
  • 28,321
  • 10
  • 54
  • 90
  • I do not understand; in other projects I did not need this parameter. – andres descalzo Feb 28 '10 at 12:04
  • 6
    This was a feature added with ASP.NET MVC 2; in MVC 1 projects you didn't need to add it. Adding the feature just makes people stop and think about what they're doing before exposing JSON data over GET (which has some perfectly valid applications). – John Foster Feb 28 '10 at 13:03
  • Thank you, I missed seeing the documentation. – andres descalzo Feb 28 '10 at 13:21
  • 2
    There is absolutely no concern about "exposing" JSON over GET. This was a very poor choice by the MVC team. This is nothing but security by obscurity, which, as we all know, is nothing. – Chris Marisic Aug 30 '11 at 14:14
  • 1
    I can't really comment on how much of a concern it is, though the article is an interesting read; however, it isn't security by obscurity. Where is the obscurity? I don't see how it is a very poor choice: raising awareness, even about a minor issue, is a good idea, and the upgrade issue can be resolved extremely easily. – Paul Creasey Aug 30 '11 at 16:57
  • @ChrisMarisic What you've said makes no sense. This is not security by obscurity. There is a vulnerability in which __defineSetter__ can be overridden for arrays and objects, and requests can be made on the user's behalf. Security by obscurity implies they obfuscated a flaw, which is pretty clearly not the case. The MVC team has prevented you from being vulnerable to this flaw unless you explicitly pass a parameter to say "Yes, I really want to do this, I know what I'm doing". – dreadwail Sep 24 '11 at 03:33
  • @byte "There is a vulnerability in which defineSetter": if someone has executed this attack, they've clearly already been hijacked with XSS. If a website and its user(s) have been compromised by XSS, you act like the JavaScript can't just do a POST? – Chris Marisic Sep 26 '11 at 14:32
  • @chris, since the attack relies on the JSON being loaded via a script tag, it has to be GET, not POST. Hence the opt-in for GET. – Paul Creasey Sep 26 '11 at 19:10
  • @PaulCreasey you're missing the fact that they've already been compromised; if they've succeeded in getting malicious JavaScript into the client, why exactly would they need to use a limited attack? They could just do **anything** they wanted. – Chris Marisic Sep 26 '11 at 19:36
  • @Chris, care to provide an example of request forgery that uses POST? – Paul Creasey Sep 27 '11 at 00:46
  • @PaulCreasey $.ajax({type: 'POST' except it's not a "forgery" it would be entirely "legitimate", just unknowing to the user. – Chris Marisic Sep 27 '11 at 12:21
  • @chris, yes, except that cross-domain AJAX is not allowed, unless of course the server is responding with `Access-Control-Allow-Origin:*`, but then there is a whole load of other considerations. The only ways of doing request forgery are with special GET requests, such as in `img` tags, `style` tags and `script` tags. Of these, only the `script` type coupled with JSON can expose the threat of stealing data, making this precaution valid. – Paul Creasey Sep 27 '11 at 14:38
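The answer shows the one-line fix; the comment thread explains the reason the default exists (a cross-site `<script src>` can only issue a GET, so data that is only reachable via POST cannot be pulled in that way). The controller below is an added example written for this page, not code from the question or the answer: it shows the two defensible patterns side by side. The controller name `SafeJsonController`, the action names, and the values they return are all assumed for illustration.

```csharp
using System;
using System.Web.Mvc;

namespace Tesis.Controllers
{
    // Hypothetical controller (added example, not from the original post).
    public class SafeJsonController : Controller
    {
        // Pattern 1: data that is genuinely public.
        // Opting in with AllowGet is the documented way to serve it over GET.
        // The payload is a top-level object rather than a bare array, so the
        // response is not a valid stand-alone script even if it were embedded
        // via a script tag.
        public JsonResult PublicStatus()
        {
            // constructed sample values
            return Json(new { status = "ok", serverTime = DateTime.UtcNow },
                        JsonRequestBehavior.AllowGet);
        }

        // Pattern 2: per-user (sensitive) data.
        // [HttpPost] means a GET returns 404 before the action runs, and a
        // script tag cannot POST, so the response is only reachable by the
        // page's own XMLHttpRequest. DenyGet is already the default for Json();
        // it is spelled out here so a later edit cannot silently relax it.
        [HttpPost]
        public JsonResult AccountDetails()
        {
            // constructed sample values; a real action would load them for User.Identity.Name
            var details = new { user = User.Identity.Name, balance = 42.00m };
            return Json(details, JsonRequestBehavior.DenyGet);
        }
    }
}
```

On the client, `$.getJSON("/SafeJson/PublicStatus", cb)` works as in the question, while the sensitive action is called with `$.post("/SafeJson/AccountDetails", {}, cb, "json")`. If an action like `AccountDetails` ever changes state rather than only reading it, add `[ValidateAntiForgeryToken]` and send the token from `Html.AntiForgeryToken()` with the POST; that addresses CSRF, which is a separate concern from the JSON hijacking protection discussed above.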