
I have an asp.net page that is only accessible to authenticated users. On this page a user can update their password. I do this via PageMethods and pass the password as a parameter.

How secure is this password? Can it be intercepted? How much more secure is using postbacks instead of PageMethods for sensitive data?

user1230593

1 Answer


As there is no HTTPS, this is vulnerable to a MITM attack.

Postbacks are more secure (if you are encrypting the ViewState), as this will protect you against CSRF. From Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet:

ASP.NET has an option to maintain your ViewState. The ViewState indicates the status of a page when submitted to the server. The status is defined through a hidden field placed on each page with a control. Viewstate can be used as a CSRF defense, as it is difficult for an attacker to forge a valid Viewstate. It is not impossible to forge a valid Viewstate since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each Viewstate unique, and thus immune to CSRF. To use the ViewStateUserKey property within the Viewstate to protect against spoofed post backs, add the following in the OnInit virtual method of the Page-derived class (this property must be set in the Page.Init event).

You can use PageMethods, but you will have to add an anti-CSRF token (using either the Synchronizer Token Pattern or the Double Submit Cookie method), or you could validate that X-Requested-With or Origin is set on the request.

However, as this is a password reset form, a valid defense against CSRF would be to ask for the user's previous password which is sent in the XHR. As an attacker does not know their old password, this form cannot be abused with CSRF.

SilverlightFox
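The defences the answer lists, put together in one Web Forms code-behind, as an added example that is not part of the original question or answer. It assumes a hypothetical page ChangePassword.aspx whose markup has a ScriptManager with EnablePageMethods="true" and an asp:HiddenField with ID "csrfTokenField", and that ASP.NET Membership is configured for the site (the Membership and WebMethod APIs are real; the page, control and session-key names are made up for the example). ViewStateUserKey covers the postback path; the PageMethod checks HTTPS, X-Requested-With, Origin, a per-session synchronizer token, and finally the old password.

```csharp
// Added example (not from the original answer): ASP.NET Web Forms code-behind for a
// hypothetical ChangePassword.aspx. Assumes EnablePageMethods="true" on the ScriptManager,
// a HiddenField with ID "csrfTokenField", and ASP.NET Membership configured for the site.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.Services;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ChangePassword : Page
{
    private const string TokenSessionKey = "__CSRFTOKEN"; // assumed name, any unique key works

    // Postback defence: bind ViewState to this session so a ViewState captured or forged
    // for another session fails MAC validation. Must be set in Init, before ViewState loads.
    protected void Page_Init(object sender, EventArgs e)
    {
        ViewStateUserKey = Session.SessionID;
    }

    // PageMethods defence: issue one random synchronizer token per session and expose it
    // through a hidden field so client script can send it with every call.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session[TokenSessionKey] == null)
        {
            var raw = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(raw);
            }
            Session[TokenSessionKey] = Convert.ToBase64String(raw);
        }
        csrfTokenField.Value = (string)Session[TokenSessionKey];
    }

    // Called from client script as PageMethods.UpdatePassword(oldPw, newPw, token, onOk, onFail).
    // EnableSession = true is required so HttpContext.Current.Session is available here.
    [WebMethod(EnableSession = true)]
    public static string UpdatePassword(string oldPassword, string newPassword, string token)
    {
        HttpContext ctx = HttpContext.Current;
        HttpRequest req = ctx.Request;

        if (!req.IsAuthenticated)
            throw new HttpException(401, "Not authenticated");

        // The answer's MITM point: never accept a password over plain HTTP.
        if (!req.IsSecureConnection)
            throw new HttpException(403, "Password changes require HTTPS");

        // A plain cross-site form post cannot carry this header; the ScriptManager XHR always does.
        if (req.Headers["X-Requested-With"] != "XMLHttpRequest")
            throw new HttpException(403, "Not an XMLHttpRequest");

        // When the browser sends Origin it must match this site (scheme + host [+ port]).
        string origin = req.Headers["Origin"];
        string self = req.Url.GetLeftPart(UriPartial.Authority);
        if (origin != null && !string.Equals(origin, self, StringComparison.OrdinalIgnoreCase))
            throw new HttpException(403, "Cross-origin request rejected");

        // Synchronizer token: compare in constant time against the per-session value.
        string expected = ctx.Session[TokenSessionKey] as string;
        if (expected == null || token == null || !FixedTimeEquals(expected, token))
            throw new HttpException(403, "Invalid anti-CSRF token");

        // Old-password check: even a request that passed every check above fails unless the
        // caller knows the current password, which a CSRF attacker does not.
        if (string.IsNullOrEmpty(oldPassword) || string.IsNullOrEmpty(newPassword))
            return "Both the current and the new password are required.";
        MembershipUser user = Membership.GetUser();
        if (user == null)
            throw new HttpException(401, "Not authenticated");
        if (!user.ChangePassword(oldPassword, newPassword)) // provider verifies oldPassword
            return "Current password is incorrect or the new password was rejected.";

        return "Password updated.";
    }

    // Length-independent comparison so a timing side channel does not leak the token.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++)
            diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

On the client the call reads the hidden field and passes it as the third argument, e.g. `PageMethods.UpdatePassword(oldPw, newPw, document.getElementById('<%= csrfTokenField.ClientID %>').value, onOk, onFail)`; the ScriptManager proxy sets X-Requested-With: XMLHttpRequest itself. One caveat with ViewStateUserKey = Session.SessionID: ASP.NET issues a fresh session ID on every request until something is stored in Session, so the key is only stable once the session holds data; writing the token in Page_Load takes care of that from the first visit onward.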