Thursday, August 22, 2013

MVC Json Hijacking By Phil Haack

I'm not going to rewrite Phil Haack's whole story or article here. This is just for my reference, and for the many people out there who are making a similar kind of blunder when returning data in a JSON response array and exposing sensitive data.

Here is what one should be doing when returning a JSON response array.

Add [AcceptVerbs(HttpVerbs.Post)] to the action method so that it only answers HTTP POST requests; a plain GET will then no longer return the JSON.

If you want to know why this is needed, take a little extra time to read Phil's blog for the details.

[AcceptVerbs(HttpVerbs.Post)]

JSON hijacking and Cross Site Request Forgery (CSRF) attacks:

http://haacked.com/archive/2009/06/25/json-hijacking.aspx

jQuery + JSON Action Methods = Cool - an MVC controller example

It is easy to return a JSON object instead of a view.
using System.Web.Mvc;

public class CategoryController : Controller
{
    // ICategoryRepository is an assumed name; the original snippet does not
    // show how categoryRepository is declared.
    private readonly ICategoryRepository categoryRepository;

    // Returns the created category as JSON instead of rendering a view.
    public JsonResult Create(string CategoryName)
    {
        var category = new Models.Category();
        category.Name = CategoryName;
        // Build a URL-friendly slug from the display name.
        category.URLName = CategoryName.ToLower().Replace(" ", "-");
        categoryRepository.Add(category);
        categoryRepository.Save();

        return Json(category);
    }
}
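As an added example (not code from this post or from Phil Haack's article), here is the same Create action with the protections discussed above applied: the action is restricted to POST with [AcceptVerbs(HttpVerbs.Post)], it also checks the ASP.NET MVC anti-forgery token to cover the CSRF case the post mentions, and it returns only the fields the caller needs instead of serialising the whole entity. ICategoryRepository is an assumed name for the repository type, which the original snippet does not show; Models.Category comes from the page.

```csharp
using System.Web.Mvc;

// Added example, not the post's own code. ICategoryRepository is an assumed
// interface; Models.Category is the type used in the original snippet.
public class CategoryController : Controller
{
    private readonly ICategoryRepository categoryRepository;

    public CategoryController(ICategoryRepository repository)
    {
        categoryRepository = repository;
    }

    // Only a POST may reach this action. A <script src="..."> tag on another
    // site can only issue GET requests, so it can no longer pull this JSON.
    [AcceptVerbs(HttpVerbs.Post)]
    // Requires the token emitted by Html.AntiForgeryToken() in the form, so a
    // forged cross-site POST without the token is rejected as well.
    [ValidateAntiForgeryToken]
    public JsonResult Create(string CategoryName)
    {
        if (string.IsNullOrWhiteSpace(CategoryName))
        {
            Response.StatusCode = 400;
            return Json(new { error = "CategoryName is required" });
        }

        var category = new Models.Category();
        category.Name = CategoryName;
        category.URLName = CategoryName.ToLower().Replace(" ", "-");
        categoryRepository.Add(category);
        categoryRepository.Save();

        // Return only what the client needs instead of the whole entity, so a
        // field added to Category later does not silently leak into the response.
        return Json(new { category.Name, category.URLName });
    }
}
```

On ASP.NET MVC 2 and later, Json() defaults to JsonRequestBehavior.DenyGet and throws on a GET request anyway; the attribute still makes the POST-only contract explicit and applies on MVC 1, which is the version Phil's article was written against.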
