Are JSON web services vulnerable to CSRF attacks?

89
votes

I am building a web service that exclusively uses JSON for its request and response content (i.e., no form encoded payloads).

Is a web service vulnerable to CSRF attack if the following are true?

  1. Any POST request without a top-level JSON object, e.g., {"foo":"bar"}, will be rejected with a 400. For example, a POST request with the content 42 would be thus rejected.

  2. Any POST request with a content-type other than application/json will be rejected with a 400. For example, a POST request with content-type application/x-www-form-urlencoded would be thus rejected.

  3. All GET requests will be Safe, and thus not modify any server-side data.

  4. Clients are authenticated via a session cookie, which the web service gives them after they provide a correct username/password pair via a POST with JSON data, e.g. {"username":"[email protected]", "password":"my password"}.

Ancillary question: Are PUT and DELETE requests ever vulnerable to CSRF? I ask because it seems that most (all?) browsers disallow these methods in HTML forms.

EDIT: Added item #4.

EDIT: Lots of good comments and answers so far, but no one has offered a specific CSRF attack to which this web service is vulnerable.

5
httpsecuritycsrf
tokenize your requests via session&cookie paired values, sanitize whatever directives you are triggering via the the submitted JSON, add salt for extra flavorBrandt Solovij
I don't think there's enough info here to provide a good answer. What method of authentication are you using? Who are the intended consumers of the web service (ie, users of a site on the same host as your service?)McGarnagle
All your current validations are perfectly sensible and do limit your attack-surface, but they don't actually address anything to do with what the CSRF vulnerability is.Cheekysoft
See security.stackexchange.com/questions/10227/csrf-with-json-posteskatos
@DavidBalažic What vector? If you're talking about AJAX, same-origin policies will prevent that.djsmith

5 Answers

78
votes

Forging arbitrary CSRF requests with arbitrary media types is effectively only possible with XHR, because a form’s method is limited to GET and POST and a form’s POST message body is also limited to the three formats application/x-www-form-urlencoded, multipart/form-data, and text/plain. However, with the form data encoding text/plain it is still possible to forge requests containing valid JSON data.

So the only threat comes from XHR-based CSRF attacks. And those will only be successful if they are from the same origin, so basically from your own site somehow (e. g. XSS). Be careful not to mistake disabling CORS (i.e. not setting Access-Control-Allow-Origin: *) as a protection. CORS simply prevents clients from reading the response. The whole request is still sent and processed by the server.

3
votes

Yes, it is possible. You can setup an attacker server which will send back a 307 redirect to the target server to the victim machine. You need to use flash to send the POST instead of using Form.

Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1436241

It also works on Chrome.

1
votes

It is possible to do CSRF on JSON based Restful services using Ajax. I tested this on an application (using both Chrome and Firefox). You have to change the contentType to text/plain and the dataType to JSON in order to avaoid a preflight request. Then you can send the request, but in order to send sessiondata, you need to set the withCredentials flag in your ajax request. I discuss this in more detail here (references are included):

http://wsecblog.blogspot.be/2016/03/csrf-with-json-post-via-ajax.html

-1
votes

I have some doubts concerning point 3. Although it can be considered safe as it does not alter the data on the server side, the data can still be read, and the risk is that they can be stolen.

http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/

-7
votes

Is a web service vulnerable to CSRF attack if the following are true?

Yes. It's still HTTP.

Are PUT and DELETE requests ever vulnerable to CSRF?

Yes

it seems that most (all?) browsers disallow these methods in HTML forms

Do you think that a browser is the only way to make an HTTP request?