
Securing JSON services

I have a website that heavily uses JSON calls from jQuery to web services hosted in the same web domain. Many calls are made from the public pages that don't require visitors to login.

It appears that I can replay these JSON calls using Fiddler, which is a big problem, since now a malicious user can capture a Fiddler trace just by opening my site and then, all bets are off, who knows what he/she can do.

Is there a way to secure a web service, so only those JSON calls that are made from the site's pages are allowed on the server? I am using ASP.NET MVC on the backend.

Thank you.


Thank you all for contributing to this topic. I have a follow up question:

What about SSL? If I placed all my services in a folder secured with SSL, would that be a catch-all solution (at the expense of performance)? Thanks.

The answer is No. The user can always simulate HTTP requests made by the browser. So you have to code your back end in such a way that it is able to handle all the exceptions and malicious attempts.

  1. Use a nonce for all your requests. This might be tricky to implement but is one of the most important things that come to my mind.

  2. Track the User-Agent and reject all requests that come from non-standard browsers.

  3. Check the Referrer and make sure it is coming from the expected page, or at least from the same domain.

  4. Include a tracking session/cookie variable to keep track.

However, all of these things can be evaded, so the best bet is to make your back end system more secure in handling any user input.

I would suggest authenticating each JSON service request, e.g. by passing an access_token.

Each service request must be verified against the user accessing it. Does he have the right to access this service/data?

The same thing should be done for guest users. Only limited services/data should be exposed to guest users.

Take inspiration from the Facebook API.
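One way to put this answer's per-request access_token check and its narrower guest tier into code, as an added example that is not part of the original answer. It is plain C# (no ASP.NET dependencies) so it can be compiled and run on its own; the names ServiceGate, Principal, Access and the service names ("catalog.list", "orders.list", ...) are hypothetical, and in a real MVC application the Authorize call would sit in an action filter in front of every JSON action.

```csharp
// Added example (not from the original answer): per-request access_token checks
// with a separate, narrower tier for guests. ServiceGate, Principal, Access and
// the service names are hypothetical; the answer names no concrete API.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class Principal
{
    public string UserId;            // null for guests
    public HashSet<string> Scopes;   // services this token may call
    public DateTimeOffset ExpiresAt;
}

public enum Access { Allowed, NoToken, InvalidToken, ExpiredToken, ServiceNotPermitted, NotOwner }

public sealed class ServiceGate
{
    // Only a hash of each token is stored, so a leaked table does not hand out live tokens.
    private readonly Dictionary<string, Principal> _byTokenHash = new Dictionary<string, Principal>();
    // Services a visitor may call without any token at all (the "limited" guest surface).
    private static readonly HashSet<string> GuestServices = new HashSet<string> { "catalog.list", "catalog.search" };
    // Services that return one user's data and must be scoped to that user.
    private static readonly HashSet<string> OwnerOnlyServices = new HashSet<string> { "account.profile", "orders.list" };

    public string IssueToken(Principal p)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _byTokenHash[Hash(token)] = p;
        return token; // sent once to the client; only its hash is kept server side
    }

    // Decides whether this request may reach the named service at all.
    public Access Authorize(string accessToken, string service, string targetUserId, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(accessToken))
            return GuestServices.Contains(service) ? Access.Allowed : Access.NoToken;
        Principal p;
        if (!_byTokenHash.TryGetValue(Hash(accessToken), out p)) return Access.InvalidToken;
        if (now >= p.ExpiresAt) return Access.ExpiredToken;
        if (!GuestServices.Contains(service) && !p.Scopes.Contains(service)) return Access.ServiceNotPermitted;
        // Object-level check: a valid token for user A must not read user B's records.
        if (OwnerOnlyServices.Contains(service) && p.UserId != targetUserId) return Access.NotOwner;
        return Access.Allowed;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}

public static class Demo
{
    public static void Main()
    {
        var gate = new ServiceGate();
        var now = DateTimeOffset.UtcNow;
        // Constructed sample user: "alice" may read her own profile and orders for one hour.
        string alice = gate.IssueToken(new Principal
        {
            UserId = "alice",
            Scopes = new HashSet<string> { "account.profile", "orders.list" },
            ExpiresAt = now.AddHours(1)
        });

        Console.WriteLine(gate.Authorize(null, "catalog.list", null, now));              // Allowed (guest tier)
        Console.WriteLine(gate.Authorize(null, "orders.list", "alice", now));            // NoToken
        Console.WriteLine(gate.Authorize(alice, "orders.list", "alice", now));           // Allowed
        Console.WriteLine(gate.Authorize(alice, "orders.list", "bob", now));             // NotOwner
        Console.WriteLine(gate.Authorize(alice, "admin.users", null, now));              // ServiceNotPermitted
        Console.WriteLine(gate.Authorize("not-a-real-token", "orders.list", "alice", now)); // InvalidToken
        Console.WriteLine(gate.Authorize(alice, "orders.list", "alice", now.AddHours(2))); // ExpiredToken
    }
}
```

The point of the last two checks in Authorize is that a replayed request is harmless only if the token it carries cannot do more than its owner could: a guest token never reaches the owner-only services, and a valid user token cannot be pointed at somebody else's records by changing a parameter.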

There are multiple ways to check the validity of a JSON call, and each gives you a different level of security:

  • Check that the Referer HTTP header contains the URL of your site. That gives you basic security, so your calls won't be accessible to regular users through Fiddler, for example.
  • If the content of the JSON was generated server side, then you can sign the JSON content so only those calls will be accepted that you have previously generated at server side. Check out JSON Web Token (JWT), for example.
  • If the JSON content was not generated at server side, you can still issue one-time "tickets" that have to be present with each JSON call. You have to check the validity of the ticket at server side, and that the ticket was used only once.

Regarding the follow-up question:

SSL only secures the connection between the browser and your server, i.e. nobody can inspect the communication between the two. (A man in the middle, for example, who might change the content of the call along the way.) It doesn't prevent an attacker from making his own JSON calls. The difference will be that his calls are encrypted and cannot be inspected by anyone else but your server.
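The one-time "tickets" from this answer and the per-request nonce from the first answer are the same mechanism, so here is one added example that serves both; it is not code from either answer. It is plain C# with no ASP.NET dependencies and assumes .NET Core 3.1 or later (for CryptographicOperations.FixedTimeEquals); the names TicketService and RedeemResult are hypothetical. A ticket is issued while the page is rendered, bound to the visitor's session and an expiry, signed with a server-side HMAC key, and accepted at most once, which is exactly what defeats a Fiddler replay.

```csharp
// Added example (not from the original answers): one-time, HMAC-signed tickets
// (nonces) for JSON calls. TicketService and RedeemResult are hypothetical names.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public enum RedeemResult { Ok, BadFormat, BadSignature, Expired, WrongSession, AlreadyUsed }

public sealed class TicketService
{
    private readonly byte[] _key;        // server-side secret, never sent to the browser
    private readonly TimeSpan _lifetime;
    // nonce -> expiry of tickets already redeemed; a web farm would keep this in a shared store
    private readonly ConcurrentDictionary<string, DateTimeOffset> _used =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public TicketService(byte[] key, TimeSpan lifetime) { _key = key; _lifetime = lifetime; }

    // Called while rendering the page. The ticket is embedded in the HTML and sent back
    // by jQuery with the JSON call (e.g. in a custom request header). sessionId must not contain ':'.
    public string Issue(string sessionId, DateTimeOffset now)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string payload = sessionId + ":" + now.Add(_lifetime).ToUnixTimeSeconds() + ":" + Hex(nonce);
        return payload + "." + Hex(Sign(payload));
    }

    // Called by the JSON action before it does any work.
    public RedeemResult TryRedeem(string ticket, string sessionId, DateTimeOffset now)
    {
        if (ticket == null) return RedeemResult.BadFormat;
        int dot = ticket.LastIndexOf('.');
        if (dot < 0) return RedeemResult.BadFormat;
        string payload = ticket.Substring(0, dot);
        byte[] given;
        try { given = FromHex(ticket.Substring(dot + 1)); }
        catch (FormatException) { return RedeemResult.BadFormat; }
        // Constant-time comparison so response timing does not leak how many bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(Sign(payload), given)) return RedeemResult.BadSignature;

        // From here on the payload is known to be one we issued, so parsing cannot fail.
        string[] parts = payload.Split(':');
        if (parts.Length != 3) return RedeemResult.BadFormat;
        if (parts[0] != sessionId) return RedeemResult.WrongSession;
        long expires = long.Parse(parts[1]);
        if (now.ToUnixTimeSeconds() > expires) return RedeemResult.Expired;
        // TryAdd succeeds only for the first use; a replayed ticket with the same nonce fails here.
        if (!_used.TryAdd(parts[2], DateTimeOffset.FromUnixTimeSeconds(expires))) return RedeemResult.AlreadyUsed;
        return RedeemResult.Ok;
    }

    // Run periodically: an expired ticket can never be redeemed again, so its nonce can be forgotten.
    public void PruneExpired(DateTimeOffset now)
    {
        foreach (var kv in _used) if (kv.Value < now) _used.TryRemove(kv.Key, out _);
    }

    private byte[] Sign(string payload)
    {
        using (var h = new HMACSHA256(_key)) return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    private static string Hex(byte[] b) => BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();
    private static byte[] FromHex(string s)
    {
        if (s.Length % 2 != 0) throw new FormatException();
        var b = new byte[s.Length / 2];
        for (int i = 0; i < b.Length; i++) b[i] = Convert.ToByte(s.Substring(2 * i, 2), 16);
        return b;
    }
}

public static class Demo
{
    public static void Main()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        var svc = new TicketService(key, TimeSpan.FromMinutes(5));
        var now = DateTimeOffset.UtcNow;

        string t = svc.Issue("sess-abc", now);                         // constructed sample session id
        Console.WriteLine(svc.TryRedeem(t, "sess-abc", now));         // Ok
        Console.WriteLine(svc.TryRedeem(t, "sess-abc", now));         // AlreadyUsed (a Fiddler replay)
        Console.WriteLine(svc.TryRedeem("sess-xyz" + t.Substring(8), "sess-xyz", now)); // BadSignature (edited payload)
        Console.WriteLine(svc.TryRedeem(svc.Issue("sess-abc", now), "sess-abc", now.AddMinutes(6))); // Expired
    }
}
```

Two things matter when this is wired into ASP.NET MVC: the ticket has to be checked before the action does anything (an action filter is the natural place), and the set of redeemed nonces has to be visible to every server that can receive the call, otherwise a replay sent to a different node in the farm would be accepted.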
