
Suppose I have an ASP.Net MVC site. How do I lock controller methods (perhaps with an Attribute on the Action) so that HTTP_REFERER must point to my site?

To expand:

I have many JSON actions on my Controllers that are marked [Authorize], to prevent an uncookied* user from getting in.

Someone sneaky builds an attacker webpage and emails it to a user logged-in to my site. That page includes a script that fetches from my JSON Controller action. That causes the user's browser to send a logged-in cookie to my authorized controller method, getting that user's data back to the attacker's webpage, which they can then read and pass elsewhere.

If I could just lock these requests so that HTTP_REFERER must point to my site, a cross-site attack to request the JSON would be prevented. What's the simplest way?

Note that I obviously don't want to lock all requests, JSON, Authorized, or no - people still need to be able to link to the site. But no Authorized JSON request should ever be accessible from anything but pages on our site.

*Yes I made this word up.

Chris Moschini
  • Are you asking for the anti-forgery token? http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/ – Craig Stuntz Jan 26 '12 at 21:36
  • I wasn't, but I also wasn't aware that Flash can be hacked to spoof the REFERER. How cruel. Thanks for the link. I'd still be interested in how to lock the referer easily though (it just seems like something someone out there would already have written). – Chris Moschini Jan 27 '12 at 00:27
  • The author of the article you linked to states, referring specifically to checking 'HTTP-REFERER' (in the comments), "Any solution that requires checking headers etc... is still vulnerable because you're allowing the browser to cache this sensitive data." Good question though. – Brent Anderson Jan 27 '12 at 02:37
  • While it is possible to spoof referer, that doesn't mean you shouldn't make XSS as difficult as possible. Using [HttpPost] *should* help because ASP should block cross-site posts for you. Otherwise you can look at the Access-Control-Allow-Origin http header (http://stackoverflow.com/questions/6290053/setting-access-control-allow-origin-in-asp-net-mvc-simplest-possible-method). – Doug Lampe Feb 27 '12 at 03:34
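One way to build the attribute the question asks for, as an added example that is not part of the original post, the comments, or any answer: a hypothetical ASP.NET MVC authorization filter, `RequireSameSiteRefererAttribute` (name assumed), that refuses a request unless its `Origin` header (or, failing that, `Referer`) parses as an absolute URL whose host matches the host the request was actually made to. The host is compared after parsing rather than with a string prefix test, so a referer such as `http://yoursite.com.evil.example/` does not pass.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Hypothetical example filter (not from the question or any answer):
// rejects a request unless its Origin/Referer header points back at this site.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class RequireSameSiteRefererAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        HttpRequestBase request = filterContext.HttpContext.Request;

        // The host the browser actually sent this request to.
        string expectedHost = request.Url.Host;

        // Browsers send Origin on XHR/CORS requests; older script-tag fetches only send Referer.
        // Prefer Origin when present, otherwise fall back to Referer.
        string source = request.Headers["Origin"] ?? request.Headers["Referer"];

        Uri sourceUri;
        bool sameSite =
            !string.IsNullOrEmpty(source)
            && Uri.TryCreate(source, UriKind.Absolute, out sourceUri)
            && string.Equals(sourceUri.Host, expectedHost, StringComparison.OrdinalIgnoreCase);

        if (!sameSite)
        {
            // Short-circuit the action: the browser gets a 403 and the JSON body is never produced.
            filterContext.Result = new HttpStatusCodeResult(
                (int)HttpStatusCode.Forbidden,
                "Cross-site request refused");
        }
    }
}

// Usage on a JSON action (example only):
//
// [Authorize]
// [RequireSameSiteReferer]
// public JsonResult AccountSummary()
// {
//     return Json(LoadSummaryForCurrentUser(), JsonRequestBehavior.AllowGet);
// }
```

Two caveats a practitioner would want before relying on this. A request that carries neither header (some proxies and privacy extensions strip `Referer`, and a plain navigation typed into the address bar has none) is refused too, so apply the attribute only to the JSON actions, not to pages people need to link to, exactly as the question says. And because the comment thread notes that `Referer` can be spoofed by a plugin, this check is a belt rather than the braces: the anti-forgery token (`[ValidateAntiForgeryToken]` on a `[HttpPost]` action) linked in the first comment ties the request to a value an attacker's page cannot read, and is the stronger defence.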

0 Answers