Are JSON web services vulnerable to CSRF attacks?

by

Forging arbitrary CSRF requests with arbitrary media types is effectively only possible with XHR, because a form’s method is limited to GET and POST and a form’s POST message body is also limited to the three formats application/x-www-form-urlencoded, multipart/form-data, and text/plain. However, with the form data encoding text/plain it is still possible to forge requests containing valid JSON data.

So the only threat comes from XHR-based CSRF attacks. And those will only be successful if they are from the same origin, so basically from your own site somehow (e. g. XSS). Be careful not to mistake disabling CORS (i.e. not setting Access-Control-Allow-Origin: *) as a protection. CORS simply prevents clients from reading the response. The whole request is still sent and processed by the server.

More Related Contents:

  1. Why is it common to put CSRF prevention tokens in cookies?
  2. Cross Domain Form POSTing
  3. Why am I suddenly getting a “Blocked loading mixed active content” issue in Firefox?
  4. How to send password securely over HTTP?
  5. Why is an OPTIONS request sent and can I disable it?
  6. Are HTTP cookies port specific?
  7. Uses of content-disposition in an HTTP response header
  8. How to set HTTP headers (for cache-control)?
  9. Where to store JWT in browser? How to protect against CSRF?
  10. What’s the difference between a POST and a PUT HTTP REQUEST?
  11. How to detect server-side whether cookies are disabled
  12. HTTP status code for update and delete?
  13. Easy HTTP requests with gzip/deflate compression
  14. PHP_SELF vs PATH_INFO vs SCRIPT_NAME vs REQUEST_URI
  15. Why does my web server software disallow PUT and DELETE requests?
  16. Send request to cURL with post data sourced from a file
  17. Is a slash (“/”) equivalent to an encoded slash (“%2F”) in the path portion of an HTTP URL
  18. Whats Content-Type value within a HTTP-Request when uploading content?
  19. Save cookies between two curl requests
  20. CSRF protection: do we have to generate a token for every form?
  21. How do I allow a PUT file request on Nginx server?
  22. How to redirect all HTTP requests to HTTPS using .htaccess rules?
  23. Go client program generates a lot a sockets in TIME_WAIT state
  24. CURL Command Line URL Parameters
  25. Is REST DELETE really idempotent?
  26. Difference between CSRF and X-CSRF-Token
  27. Is an HTTP PUT request required to include a body?
  28. http download file name
  29. how can an application use port 80/HTTP without conflicting with browsers?
  30. How does url rewrite works?

Leave a Comment