
How can myWebservice.asmx (being called from myJavascript.js), only be callable from my website and not XSS?

Are there any best-practice techniques that would greatly improve the security of the ASP.NET application when JavaScript is directly submitting data from the HTML form to the ASP.NET/C# web service like this:

HTML:

<input type="text" id="txtData" />

<input type="button" onclick="SendData()" />

JAVASCRIPT:

function SendData()
{
    var userData = document.getElementById('txtData').value;

    MyWebservice.DoSomething(userData, SendData_Result);
}

function SendData_Result(result)
{
    //handle output displayed to user from 'result'
}

Webservice/ASMX:

using System.Web.Services;
using System.Web.Script.Services;

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ScriptService]
public class MyWebservice : System.Web.Services.WebService
{
    public MyWebservice() { }

    [WebMethod]
    public string DoSomething(string userInputGoesHere)
    {
        //how to make sure the user input is valid?
        return userInputGoesHere;
    }
}

For example, if www.SomeBadGuysSite.com sends XSS, either by referencing and manipulating the JavaScript on my site or by directly referencing the web service itself, how can I try to enforce that the input came from my website and not from the bad guy's website or PC? I'm not concerned about what data is in the textbox, only with trying to make sure the web service can only be called from my HTML/forms page.

Note: I am using Forms Authentication and only authenticated users can access any pages or web services. However, if a bad guy is authenticated on my website but runs his own malicious code from his website or PC, wouldn't my site think he is already authenticated anyway and allow him to submit data to the web service?

I'm wondering if encrypted cookies could play any part in fixing this security problem? (and for reasons not worth getting into, using Sessions/SessionState is not an option for me)

From Building Secure Web Services:

Web services that provide sensitive or restricted information should authenticate and authorize their callers. Weak authentication and authorization can be exploited to gain unauthorized access to sensitive information and operations.

The Authentication section should give you some ideas.
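One concrete way to act on that recommendation without session state is a per-user anti-forgery token: the page embeds an HMAC-signed, expiring token bound to the Forms Authentication user name, the JavaScript passes it as an extra argument to the web method, and the method recomputes and checks the MAC before doing any work. Being authenticated proves who the caller is; possessing a token that only the application's own page could have rendered proves the request came from that page and not from a form or script on another site. The code below is an added example, not code from the question or the answer; the `CsrfToken` class, the `csrfToken` parameter, the `CsrfTokenKey` appSettings entry and the hidden-field name are all assumptions.

```csharp
// Added example: HMAC-based anti-forgery token for an ASMX [ScriptService] method.
// Assumptions (not from the original question):
//  - Forms Authentication is on, so HttpContext.Current.User.Identity.Name is the caller.
//  - <appSettings> holds a long random secret under "CsrfTokenKey" (hypothetical name).
//  - The page renders CsrfToken.Issue(...) into a hidden field and the JavaScript
//    passes its value as the second argument to DoSomething.
using System;
using System.Configuration;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;

public static class CsrfToken
{
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    private static byte[] Key
    {
        get { return Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["CsrfTokenKey"]); }
    }

    // Token format: "<expiryUtcTicks>:<base64 HMAC-SHA256 over user|expiry>".
    // Binding the MAC to the user name means a token issued to one authenticated
    // user is useless when replayed by a different authenticated user.
    public static string Issue(string userName)
    {
        long expiry = DateTime.UtcNow.Add(Lifetime).Ticks;
        return expiry.ToString(CultureInfo.InvariantCulture) + ":" +
               Convert.ToBase64String(Mac(userName, expiry));
    }

    public static bool IsValid(string token, string userName)
    {
        if (string.IsNullOrEmpty(token) || string.IsNullOrEmpty(userName)) return false;
        int sep = token.IndexOf(':');
        if (sep <= 0) return false;

        long expiry;
        if (!long.TryParse(token.Substring(0, sep), NumberStyles.None,
                           CultureInfo.InvariantCulture, out expiry)) return false;
        if (expiry < DateTime.UtcNow.Ticks) return false; // expired token

        byte[] presented;
        try { presented = Convert.FromBase64String(token.Substring(sep + 1)); }
        catch (FormatException) { return false; }

        return FixedTimeEquals(presented, Mac(userName, expiry));
    }

    private static byte[] Mac(string userName, long expiry)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            string data = userName + "|" + expiry.ToString(CultureInfo.InvariantCulture);
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
        }
    }

    // Compare every byte so the time taken does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ScriptService]
public class MyWebservice : System.Web.Services.WebService
{
    [WebMethod]
    public string DoSomething(string userInputGoesHere, string csrfToken)
    {
        var identity = HttpContext.Current.User.Identity;
        // Reject when the caller is not signed in OR the token was not issued
        // to this user by a page this application rendered.
        if (!identity.IsAuthenticated || !CsrfToken.IsValid(csrfToken, identity.Name))
        {
            throw new HttpException(403, "Forbidden");
        }
        return userInputGoesHere;
    }
}
```

On the page side, render the token into the markup, for instance `<input type="hidden" id="csrfToken" value="<%= HttpUtility.HtmlAttributeEncode(CsrfToken.Issue(User.Identity.Name)) %>" />`, and have `SendData()` read that field and call `MyWebservice.DoSomething(userData, token, SendData_Result)`. Two caveats: this check stops cross-site requests (another site cannot read the token out of your page), but it does not stop script that is already running inside your page, so the `result` shown to the user in `SendData_Result` still needs proper output encoding; and the secret in `CsrfTokenKey` must be long, random and kept out of source control, since anyone holding it can mint tokens for any user.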
